Companies must address security weaknesses in their networked applications as well as non-IT-controlled ones, and CAASM may finally provide a solution.
Gartner’s Hype Cycle for network security has identified Cyber Asset Attack Surface Management (CAASM) as an emerging technology. It could help companies and enterprises reduce vulnerability without reducing the visibility of cyber assets.
We’ve spilled so much ink talking about how Covid-19 disrupted the normal and accelerated digital transformation at a breakneck speed. We won’t stop now. With this acceleration comes increased scrutiny from threat actors ready to exploit weaknesses in hastily put together roll-outs.
Covid-19 pushed organizations towards rapid digitization. The other option? Catastrophic business interruption. So businesses expanded customer-facing APIs and doubled down on engagement applications designed to rearrange the economy’s normal operations into something that would work for pandemic lockdowns.
Cybersecurity for this increase is not easy. Companies needed to walk a razor-thin line between making their companies available to customers and employees now working from home and locking down weaknesses. Responding to this pressure, companies enacted Zero Trust Architecture and saw a further maturing of Network Access Control. The response also spurred a newer area of focus.
Moving up the hype cycle: Cyber Asset Attack Surface Management
CAASM makes cyber assets more visible for companies. It allows an organization to gather external and internal assets through API integration. It queries them and then remediates vulnerability gaps while providing better security control.
Companies are paying attention because it moves beyond the containerized approach to security and provides broad visibility to everything a company manages in its network. It reduces the threat of human error by reducing manual collection processes and shifts companies forward from less comprehensive in-house solutions.
CAASM can fill in gaps due to missing or outdated information and provide visibility into a company’s security tool coverage. It improves security hygiene by ensuring that all security measures work across the environment.
Gartner identifies the following drivers for CAASM adoption:
- Companies have full visibility into all digital assets for the first time, allowing for better security coverage. Companies see gaps and ensure remediated security steps throughout the environment.
- Companies also significantly reduce the time and effort going into audit compliance. CAASM reduces laborious manual retrieval systems and unites all assets across a single environment. When audits happen, no one has to go looking for missing information.
- It consolidates all assets into a platform with a single, normalized view. All teams have access to this view, including any stakeholders responsible for the security or who could benefit from such a consolidated view and query capability.
- Companies can finally accomplish bringing third party and shadow IT systems into the fold. CAASM experiences less resistance than other solutions and could offer vital control back to IT.
See Also: Continuous Intelligence Insights
Some obstacles to full adoption remain
CAASM is on Gartner’s “on the rise” list for good reason. It’s experiencing increasing maturity, but still, some obstacles remain to its full market saturation.
Resistance to more tools
Some companies might look at CAASM and see their existing tools. The cost and time to adoption may seem excessive for networks with adjacent processes and tools that accomplish similar things.
Companies must understand the driver behind CAASM. The single viewpoint for all applications and APIs, including those out of IT control, offers the potential to remediate weaknesses and reduce human error.
Large asset stores
When these products are licensed under “assets consumed,” they could prove cost-prohibitive to large enterprises with millions of assets. This will be a significant challenge to companies offering these services moving forward.
However, as the field matures, we could see more cost-effective solutions that consider the weight of accessing assets in these sheer numbers.
Current scalability and tools remain limited
Because it’s so new, companies may have challenges scaling CAASM and finding tools that integrate with it. Integration teams may also block access.
The good news is that being on Gartner’s hype cycle provides incentives for companies to address both of these challenges. Businesses looking to adopt these measures can keep an eye out for emerging resources as the cycle moves forward.
Working through CAASM challenges
Companies looking to invest in this new technology should determine their primary goals to help direct investments. For example, companies may decide that achieving visibility into all assets is the primary target of spending. Others may conclude that greater automation ability is the final goal. Those clear directives can help ease the adoption of any new technology.
Companies can also do themselves a huge favor and inventory all APIs currently in use to ensure that their chosen CAASM provider can access each. Organizations can ensure they have all the required accounts and access points before beginning to alleviate frustrating integration delays.
And speaking of taking inventory, companies can extend that inventory to any vendors currently in-contract. They can inquire about vendors’ plans for future CAASM integration capabilities to determine if a roadmap exists.
More than anything, extending usage beyond IT security teams—anyone involved in compliance, management, or system administration—could be key to a company’s full adoption. CAASM isn’t meant to stay within the narrow confines of core IT teams. It works because it offers visibility and feedback to all stakeholders for a company’s digital assets.
Although Gartner identifies a less than 1% adoption rate at the current moment, this emerging solution could be the next big thing in cybersecurity. Companies must address security weaknesses in their networked applications as well as non-IT-controlled ones, and CAASM may finally provide a solution.
