Cloud Security Posture Management

Cloud Security Posture Management is Generally Available.

Cloud Security Posture Management is not currently available in US1-FED, US3, or EU.

Overview

Datadog Cloud Security Posture Management (CSPM) makes it easier to assess and visualize the current and historic security posture of your cloud environment, automate audit evidence collection, and catch misconfigurations that leave your organization vulnerable to attacks.

Assess the configuration of your cloud resources, such as security groups, storage buckets, load balancers, and databases, against configuration rules. Use the Datadog Agent to review local configuration information from servers, containers, and Kubernetes clusters against Datadog’s out-of-the-box (OOTB) security posture rules.

View your cloud security posture at a high level with the Posture Management page, and drill into the details of findings and analyze historical configurations with Findings.

Glossary

  • Security posture score: Percentage of your environment that satisfies all of your active Datadog OOTB rules. Formula: (# of evaluation:pass findings) / (total # of findings). Datadog then weights this formula by severity: low severity rules have a weighting of “1” and critical severity rules have a weighting of “5”. This means critical severity rules impact scores five times more than low severity rules, to put greater emphasis on the rules that pose greater security risk. The score is also normalized to treat all resource types and resource volumes the same (for example, 500 failing containers are weighted the same as three failing S3 buckets in the computed score). This normalization factor allows scores to be comparable across your cloud accounts, without the risk that they are heavily skewed if one account has more containers, or another has fewer storage buckets.

  • Requirement: A group of controls representing a single technical or operational topic, such as Access Management or Networking. The regulatory framework PCI DSS, for example, has 12 requirements.

  • Control: A specific recommendation for how technology, people, and processes should be managed; typically based on a regulation or industry standard.

  • Resource: A configurable entity that needs to be continuously scanned for adherence to one or more controls. Examples of AWS instance resources include hosts, containers, security groups, users, and customer-managed IAM policies.

  • Rule: A rule evaluates the configuration of a resource to validate an element related to one or more controls. Rules may map to multiple controls, requirements, and frameworks.

  • Findings: A finding is the primary primitive for a rule evaluation against a resource. Every time a resource is evaluated against a rule, a finding is generated with a Pass or Fail status.

  • Framework: A collection of requirements that map to an industry benchmark or regulatory standard.
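
The following is an added illustration of the security posture score described above, not Datadog's implementation. It compares the plain pass/total formula with a severity-weighted, volume-normalized version. Assumptions: the field names `rule`, `resource_type`, and `severity`, the constructed sample findings, and the normalization itself (each rule and resource type pair counts once, by its pass ratio), which the page does not spell out.

```python
from collections import defaultdict

# Weights stated on the page; other severities are not given there.
SEVERITY_WEIGHT = {"low": 1, "critical": 5}


def make(rule, resource_type, severity, evaluation, count):
    """Build `count` constructed findings for one rule/resource type."""
    finding = {"rule": rule, "resource_type": resource_type,
               "severity": severity, "evaluation": evaluation}
    return [finding] * count


def naive_score(findings):
    """Unweighted formula: (# of pass findings) / (total # of findings)."""
    passed = sum(1 for f in findings if f["evaluation"] == "pass")
    return passed / len(findings)


def posture_score(findings):
    """Severity-weighted score, normalized for resource volume.

    Assumed normalization: every (rule, resource_type) group contributes
    its pass ratio once, scaled by the rule's severity weight, so the
    number of resources in a group does not change the group's influence.
    """
    groups = defaultdict(lambda: {"passed": 0, "total": 0, "severity": None})
    for f in findings:
        g = groups[(f["rule"], f["resource_type"])]
        g["passed"] += 1 if f["evaluation"] == "pass" else 0
        g["total"] += 1
        g["severity"] = f["severity"]
    weighted_pass = sum(SEVERITY_WEIGHT[g["severity"]] * g["passed"] / g["total"]
                        for g in groups.values())
    total_weight = sum(SEVERITY_WEIGHT[g["severity"]] for g in groups.values())
    return weighted_pass / total_weight


# Constructed sample: 500 failing containers and 3 failing S3 buckets on
# low severity rules, 10 passing security groups on a critical rule.
SAMPLE = (make("rule-a", "container", "low", "fail", 500)
          + make("rule-b", "s3_bucket", "low", "fail", 3)
          + make("rule-c", "security_group", "critical", "pass", 10))

if __name__ == "__main__":
    print(f"naive:    {naive_score(SAMPLE):.3f}")
    print(f"weighted: {posture_score(SAMPLE):.3f}")
```

In this sample the 500 failing containers and the three failing S3 buckets each pull the score down by the same amount, while the critical rule carries five times the weight of either.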

Get started