At Turbot, we talk a lot about the need for continuous compliance. From small businesses to large enterprises, more and more companies are entering regulated industries or need to adhere to particular governance models such as HIPAA, PCI, NIST, GxP, CIS, or others. So what is the difference between being compliant and being continuously compliant? It’s a matter of what happens after an audit.
“Left uncontrolled, cloud environments inevitably spin into unmanageable complexity and have unique security needs that legacy security protection solutions do not address.” - Gartner¹
So many businesses pass compliance audits with flying colors, only to have a data breach a few months later. Or a massive reconciliation project validates and standardizes configuration, and the environment immediately begins to drift from that standard when a new employee joins the team. Compliance is a point-in-time evaluation, and drift can later alter that status (sometimes without anyone knowing). Continuous compliance is the ability to know you’re always operating correctly, regardless of whether or not someone is looking.
“To assess and manage the security posture of the cloud control plane, a market is emerging for cloud security posture management (CSPM), previously called CISPA” - Gartner¹
Cloud Security Posture Management is a revision of a previous category of tools called Cloud Infrastructure Security Posture Assessment (CISPA), reflecting that new tools are moving from reporting only to being able to take action. These tools can offer this ongoing verification, along with corrective actions to ensure that there is never any drift. Turbot is firmly seated at the forefront of this arena, automating operations, security, networking, and compliance with real-time guardrails since its creation in 2014.
Example CSPM providers include Turbot, Alert Logic, and CloudCheckr. In addition to these partners, we feel that nearly all of the products listed provide offerings complementary to Turbot’s preventive controls, detective controls, and automated corrective actions. Utilizing these products in addition to Turbot allows you to build upon the extensive set of features that Turbot offers.
Ultimately, the measure of a good tool is the ability to offer CSPM functionality. It’s not enough to report on problems and expect a person to go and fix the issue. Great CSPM products, like Turbot, have the ability to automate corrective actions and ensure continuous compliance, even when no one is looking.
Required Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.