Once the most critical findings have been identified, remediation becomes the priority. CSPM tools commonly provide written, step-by-step remediation guidance for activities such as reconfiguring resources, adding network controls, removing unnecessary permissions, or patching workloads.
This more manual approach suits production workspaces, where remediation should normally happen only through changes to the organisation's infrastructure as code (IaC) templates. Fixing the template means the security improvement applies consistently to every future deployment, and it avoids unexpected changes to critical live workloads.
Many tools now also offer automated capabilities that resolve certain types of finding in place. This reactive approach suits development workspaces, where platform guardrails for deployments are often less strict: it lets organisations support experimentation while still maintaining a baseline level of platform security, by applying ad-hoc fixes to resources and configurations after they have been deployed. Note that an in-place fix does not change the template the resource was deployed from, so the next deployment from an unchanged template will reintroduce the finding unless the template is updated as well.
We’ve found that the best CSPM tools:
- explain how organisations can reduce the risks associated with each finding, ideally in the context of the customer’s individual use of the cloud
- consider wider platform context when suggesting improvements (for example, to suggest a suitable workspace-level control rather than multiple ad-hoc fixes for common problems)
- encourage remediation through changes to an organisation’s IaC templates or platform-level controls, rather than applying reactive fixes to deployed resources
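The Terraform snippet below is an added illustration of the three points above, not code from the original page or from any CSPM product. It takes one common finding, an S3 bucket that permits public access, and shows the weak per-bucket setting the tool would flag, the corrected per-bucket setting, and the account-level control that replaces repeating the same fix on every bucket. The bucket name, resource labels and region are placeholders; the AWS provider resource types (aws_s3_bucket, aws_s3_bucket_public_access_block, aws_s3_account_public_access_block) are real.

```hcl
# Added example: remediating an "S3 bucket allows public access" finding
# through the IaC template rather than in the console. Names and the
# region are placeholders chosen for this illustration.

provider "aws" {
  region = "eu-west-2" # assumed region
}

resource "aws_s3_bucket" "uploads" {
  bucket = "example-org-uploads" # placeholder bucket name
}

# 1. BEFORE (the configuration the CSPM tool flagged). With every setting
#    false, a public bucket policy or public ACL on this bucket takes effect.
#    Kept here commented out for comparison; remove it once the fix is in.
#
# resource "aws_s3_bucket_public_access_block" "uploads" {
#   bucket                  = aws_s3_bucket.uploads.id
#   block_public_acls       = false
#   block_public_policy     = false
#   ignore_public_acls      = false
#   restrict_public_buckets = false
# }

# 2. AFTER (per-bucket fix in the template). Because it lives in the
#    template, every future deployment of this bucket inherits it, and a
#    console change that re-opens the bucket shows up as drift on the
#    next "terraform plan".
resource "aws_s3_bucket_public_access_block" "uploads" {
  bucket                  = aws_s3_bucket.uploads.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# 3. Workspace-level control. One account-wide block covers every bucket in
#    the account, so the per-bucket resource above becomes defence in depth
#    rather than a fix to repeat for each bucket the tool reports.
resource "aws_s3_account_public_access_block" "account" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Run `terraform plan` to review the change, `terraform apply` to deploy it, then re-run the CSPM scan (or an IaC scanner in the deployment pipeline) to confirm the finding clears. An in-place fix made directly in the console, by contrast, is reverted by the next apply of an unchanged template, which is the drift problem the text above warns about.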