
Security Center: Overview of CSPM

Last Updated: Dec 19, 2024

Configuration errors or improper operations of cloud services can lead to attacks. The cloud security posture management (CSPM) feature provided by Security Center helps detect configuration issues and security risks across multiple dimensions, reducing risks associated with configuration errors and bolstering cloud service security. This topic outlines the CSPM feature and its billing methods.

Feature overview

Check the configurations of cloud services

Security Center allows you to check whether risks and errors exist in the configurations of your cloud services from the following dimensions: cloud infrastructure entitlements management (CIEM), security risk management, and compliance risk management. The check results are classified and displayed by risk level to help you understand the configuration risks of your cloud services.

Check dimensions

The following table describes the dimensions from which you can check the configurations of your cloud services.

Important

For the specific check items, see the Risk Governance > CSPM page in the Security Center console.

Dimension: CIEM

  Check items:

    • AWS Identity and Access Management: IAM identity authentication and IAM permission management.

    • Tencent Cloud Identity and Access Management: CAM identity authentication and CAM permission management.

    • Alibaba Cloud Identity and Access Management: RAM identity authentication, IDaaS, and RAM permission management.

  Description:

    • CIEM is a service that integrates cloud security assessment and authorization management to manage the permissions to use and access cloud platforms.

    • Security Center manages identities and permissions on cloud platforms based on CIEM. You can check whether issues exist, such as excessive permissions and password expiration. This helps you identify and resolve permission management issues at the earliest opportunity and improve the security and reliability of cloud platforms.

Dimension: Security risk management

  Check items:

    • Alibaba Cloud Best Practices for Security: security, NoSQL database, storage, elastic computing, relational database, data warehouse, container and middleware, network, big data, DevOps and administration, and database management tools.

    • AWS Best Practices for Security: computing, database, analytics, storage, networking and content delivery, and container.

    • Azure Best Practices for Security: network, computing, container, storage, database, security, and monitor.

    • Tencent Cloud Best Practices for Security: network, relational database, NoSQL database, storage, container and middleware, big data, security, and computing.

  Description:

    • Best security practices are security measures and solutions that cloud service providers have accumulated over the years to maximize the security of your data and business.

    • Security Center checks the security configurations, code vulnerabilities, and logging configurations of business systems and identifies potential configuration errors on cloud platforms based on the best security practices of different cloud service providers. This helps maximize the security of your data and business.

Dimension: Compliance risk management

  Check item: Internationally agreed Best Practices for Security: Alibaba Cloud platform baseline and AWS platform baseline.

  Description:

    • The internationally agreed best practices for security are security standards for defending IT systems and data against cyberattacks.

    • Security Center comprehensively checks and manages the compliance risks of cloud platforms and identifies weak configurations that do not meet the security standards. This helps you handle the weak configurations at the earliest opportunity and maximize the security of your data and business.

  Check item: PCI Data Security Standard: Alibaba Cloud PCI DSS.

  Description:

    • PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that companies handling credit card information maintain a secure environment. It covers information security management systems, network security, physical security, and data encryption, and sets comprehensive security baselines.

    • Security Center offers a range of threat detection services based on PCI DSS, supporting the detection, assessment, and management of network security configurations, potential vulnerabilities, access control measures, log audit tracking, encrypted transmission, and malware protection. This helps enterprises meet PCI DSS requirements and protect payment card information.

  Check item: MLPS 2.0 Standard: Alibaba Cloud MLPS level 3.

  Description:

    • Since December 1, 2019, the "Information Security Technology - Baseline for Classified Protection of Cybersecurity" (GB/T 22239-2019) has been officially implemented. Implementing this classified protection framework is a fundamental obligation for every enterprise and organization.

    • Security Center provides compliance check features for classified protection, supporting comprehensive security detection of network configurations, host vulnerability management, and data management. This helps you quickly, efficiently, and continuously implement the classified protection framework of cybersecurity, enhancing the protection of your business on the cloud.

  Check item: ISO International Standard: Alibaba Cloud ISO 27001.

  Description:

    • ISO 27001 is a global standard for information security management. Enterprises that achieve ISO 27001 certification are recognized for their ability to provide secure and reliable information services, with their information security systems acknowledged by international authoritative organizations.

    • Security Center offers ISO 27001 compliance checks, which assess whether enterprise asset systems align with ISO 27001 certification requirements in areas such as asset management, access control, cryptography, and operational security. This process aids in conducting comprehensive risk assessments of enterprise information assets, identifying potential security threats and vulnerabilities, and providing risk management recommendations to help enterprises attain ISO 27001 certification.

Supported cloud services

Security Center allows you to add cloud services provided by Alibaba Cloud and third-party cloud service providers such as Tencent Cloud, Azure, and Amazon Web Services (AWS). You can view the supported cloud services in the Security Center console. For more information, see Add cloud services.

Assess risk levels

The CSPM feature primarily classifies risks based on their severity and application scenarios.

| Risk level | Description | Fixing suggestion |
| --- | --- | --- |
| High-risk | High-risk items include issues that significantly elevate the risk of intrusion or data exposure. These may involve exposed management ports and critical services, origin server bypass, credential leakage, unauthorized access, authentication bypass, and privileged accounts that are not disabled. | Immediate remediation is recommended. |
| Medium-risk | These items, while not classified as high-risk, are important for improving data security because they address potential configuration weaknesses that could be exploited. | Timely remediation is recommended, or handle the item according to your specific conditions. |
| Low-risk | Check items that are not classified as medium-risk or high-risk, such as log audits and security governance reminders. | These can generally be ignored, but fixes should be implemented if required for reasons such as compliance. |

Fix configuration risks in cloud services

Security Center provides optimization suggestions and solutions for each risk item to help you better manage cloud resources and ensure operational security.

  • Manual fixing: Confirm the risk impact on the cloud services by reviewing the threat impact and solutions from the check results before performing remediation.

  • One-click fixing: Security Center offers a feature that allows for one-click remediation of over 100 check items. This enables easy configuration corrections for relevant cloud service instances through the Security Center console.

    You can view the check items that support one-click fixing in the Security Center console. For more information, see Step 3: View check results.

    Note that each time a risk of an instance is fixed, one unit of the remaining CSPM quota is consumed.

Billing

Billing rules

You are charged for the CSPM feature based on the quota for each check item performed on each cloud service instance. The billing formula is: CSPM fee = Unit price × Quota.

  • Unit price: Unit prices vary on billing methods. For more information, see Billing methods.

  • Quota: The total number of scans, verifications, and successful fixes for each check item performed on each cloud service instance.

    Quota = scan count + verification count + successful fix count.

    A cloud service instance refers to the instance of a specific application or network device, such as an Object Storage Service (OSS) bucket or an Elastic Compute Service (ECS) security group.

    How to view the number of cloud service instances

    You can choose Assets > Cloud Product in the left-side navigation pane of the Security Center console and view the number of cloud service instances within your Alibaba Cloud account.


    After CSPM is enabled, the system counts the scans each time you run a configuration check.

    Total scan count of a scan task = number of scanned instances × number of selected check items.

    For instance, if you have a total of 10 cloud services, with each service having 15 instances, and you select five check items in a scan task (each instance is scanned for five check items), the total scan count for the scan task would be calculated as follows:

    10 (cloud services) × 15 (instances per service) × 5 (check items per instance) = 750 total scans.

Billing methods

The CSPM feature supports the subscription and pay-as-you-go billing methods. A free version of the feature is also provided. The free version supports only specific check items, whereas the paid version supports all check items.

Important
  • An Alibaba Cloud account can only select one billing method at a time.

    For example, if you have activated the CSPM feature on a subscription basis, you must wait until the subscription expires, or downgrade and disable the feature, before you can switch to pay-as-you-go. For more information, see the Change the billing method from subscription to pay-as-you-go section of this topic.

  • For both subscription and pay-as-you-go billing methods, the billing logic remains consistent across the Antivirus, Advanced, Enterprise, and Ultimate editions.

  • After you purchase the CSPM feature based on the pay-as-you-go or subscription billing method, you can use all check items, including the free and billable check items. In this case, take note of the following items when you run a CSPM check:

    • Scans and verifications of free check items are not charged and do not consume the CSPM quota that you purchase. Successful fixes of risks that are detected by free check items do consume the quota and are charged.

    • You are charged for the billable check items based on the number of times that each check item is used to scan each cloud service instance.

Free usage

You can use specific check items to scan and verify cloud service instances for an unlimited number of times free of charge. If you need to fix the risks, you should purchase the CSPM feature based on the pay-as-you-go or subscription billing method.

Important

You can choose Risk Governance > CSPM in the left-side navigation pane of the Security Center console to view the supported free check items.

  • If you have not purchased the CSPM feature based on the pay-as-you-go or subscription billing method and have not purchased a quota for the feature, you can use more than 70 check items that are provided by the feature free of charge.

  • The number of check items that you can use free of charge varies based on the edition of Security Center. If you enabled the CSPM feature before July 7, 2023, you can use the following number of check items free of charge until your subscription to Security Center expires. If you renew the subscription before Security Center expires, you can continue to use the check items free of charge.

    • Basic and Anti-virus: more than 70

    • Advanced: more than 90

    • Enterprise and Ultimate: more than 250

More check items will be provided by the CSPM feature. If you want to use more check items, you can purchase the CSPM feature based on the pay-as-you-go or subscription billing method. For more information, see the Authorization and purchase section of this topic. After you purchase the feature, you can use all check items. The historical scan data is retained. You can view all check items and select check items for a configuration check.

Subscription

  • Formula: Unit price × Scan Quota for Cloud Security Posture Management × Subscription duration (the subscription duration of Security Center).

    | Scan Quota for Cloud Security Posture Management | Price (USD/time) |
    | --- | --- |
    | 0~100,000 | 0.0009 |
    | 100,001~500,000 | 0.00069 |
    | Greater than 500,000 | 0.000625 |

  • Offset rule: You must purchase a CSPM quota of at least 15,000, in increments of 55,000. Each time you run a configuration check, the remaining quota is reduced by the number of scans, verifications, and fixes performed.

    Note

    If the remaining quota is insufficient to offset the fee of a configuration check, the check items that cannot be covered by the quota are not used to scan, verify, and fix instances in the configuration check. You can view the scan results to check the details of the configuration check.

Pay-as-you-go

  • Formula: Unit price × Quota for CSPM (the total number of scans, verifications, and successful fixes on the current day).

    You are charged based on the consumed quota for CSPM in the tiered pricing mode by calendar day.

    | Consumed quota for CSPM | Price (USD/time) |
    | --- | --- |
    | 0~100,000 | 0.0009 |
    | 100,001~500,000 | 0.0007 |
    | Greater than 500,000 | 0.00045 |

  • For more information about how to view the bills of the CSPM feature, see Billing details.
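The quota and billing arithmetic from the Billing rules, Subscription, and Pay-as-you-go sections above, worked through as an added Python example. This is an illustration written for this page, not Security Center code. It uses the page's scan-count and quota formulas, the two tier tables, the 20× quota recommendation, and the rule that check items an exhausted subscription quota cannot cover are skipped. Two points are assumptions, because the page does not specify them: the tiers are applied progressively (each rate only to the portion of the quota inside its tier), and coverage of an under-funded check is decided per check item with one scan per instance. The usage numbers in the demo are constructed.

```python
"""Worked example of the CSPM quota and billing arithmetic described on this page.

Added illustration, not Security Center code. The tier boundaries and unit
prices are the ones listed on the page; applying them progressively (each rate
only to the portion of the quota inside its tier) is an ASSUMPTION, because the
page does not state how the tiers are applied. The per-check-item skipping rule
in run_subscription_check() is likewise an assumed reading of the page's note.
"""
from typing import List, Optional, Sequence, Tuple

# Tier tables from the page: (inclusive upper bound, USD per scan).
# None marks the open-ended "Greater than 500,000" tier.
SUBSCRIPTION_TIERS: Sequence[Tuple[Optional[int], float]] = (
    (100_000, 0.0009),
    (500_000, 0.00069),
    (None, 0.000625),
)
PAY_AS_YOU_GO_TIERS: Sequence[Tuple[Optional[int], float]] = (
    (100_000, 0.0009),
    (500_000, 0.0007),
    (None, 0.00045),
)


def scan_count(cloud_services: int, instances_per_service: int, check_items: int) -> int:
    """Total scan count of a scan task = scanned instances x selected check items."""
    return cloud_services * instances_per_service * check_items


def consumed_quota(scans: int, verifications: int, successful_fixes: int) -> int:
    """Quota = scan count + verification count + successful fix count."""
    return scans + verifications + successful_fixes


def recommended_subscription_quota(total_instances: int) -> int:
    """The page recommends buying 20 times the number of cloud service instances."""
    return total_instances * 20


def tiered_fee(quota: int, tiers: Sequence[Tuple[Optional[int], float]]) -> float:
    """Price a quota amount across the tiers.

    ASSUMPTION: progressive tiers, i.e. the first 100,000 units are charged at
    the first rate, the next 400,000 at the second, and the rest at the third.
    """
    fee = 0.0
    lower = 0
    for upper, price in tiers:
        if upper is None or quota <= upper:
            fee += (quota - lower) * price  # remainder falls inside this tier
            break
        fee += (upper - lower) * price      # whole tier consumed, move on
        lower = upper
    return round(fee, 6)


def run_subscription_check(
    remaining_quota: int, total_instances: int, check_items: List[str]
) -> Tuple[List[str], List[str], int]:
    """Deduct one configuration check from a subscription quota.

    Per the page, check items that the remaining quota cannot cover are not
    used in the check. ASSUMPTION: coverage is decided per check item, each
    item needing one scan per instance, and items are taken in the given order.
    Returns (items run, items skipped, quota left).
    """
    ran: List[str] = []
    skipped: List[str] = []
    for item in check_items:
        needed = total_instances  # one scan of every instance for this item
        if needed <= remaining_quota:
            remaining_quota -= needed
            ran.append(item)
        else:
            skipped.append(item)
    return ran, skipped, remaining_quota


if __name__ == "__main__":
    # The page's own example: 10 cloud services x 15 instances x 5 check items.
    scans = scan_count(10, 15, 5)
    print(f"scan count for the task: {scans}")
    # Constructed day of usage: those 750 scans, 750 verifications, 12 successful fixes.
    day_quota = consumed_quota(scans, 750, 12)
    print(f"pay-as-you-go fee for the day: USD {tiered_fee(day_quota, PAY_AS_YOU_GO_TIERS)}")
    # Subscription: the 3,000-unit quota the page recommends for 150 instances,
    # then a check run with too little quota left to cover every item.
    print(f"recommended subscription quota: {recommended_subscription_quota(150)}")
    print(run_subscription_check(400, 150, ["item-a", "item-b", "item-c"]))
```

Run the file directly to see the page's 750-scan example priced under pay-as-you-go and a subscription check in which the third check item is skipped for lack of quota; swap in your own instance counts to size a subscription purchase.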

Authorization and purchase

When you use the CSPM feature for the first time, you must authorize Security Center to access cloud resources.

  1. Authorize Security Center to access cloud resources.

    1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

    2. In the left-side navigation pane, choose Risk Governance > CSPM.

    3. On the CSPM page, click Authorize Now. You must perform this operation the first time you use the CSPM feature.

      After the authorization is complete, a service-linked role named AliyunServiceRoleForSasCspm is created for Security Center to access and modify the resources of cloud services within the current account. Then, you can use the CSPM feature to check the following configurations of your cloud services: identity authentication, network access control, data security, log audit, and basic protection. This helps you reinforce security configurations and reduce risks that are caused by configuration errors in your cloud services. For more information about the AliyunServiceRoleForSasCspm service-linked role, see Service-linked roles for Security Center.

  2. Select a billing method to purchase the feature.

    Pay-as-you-go

    1. After the authorization is complete, click Activate Now on the CSPM page.

    2. In the dialog box that appears, read and select Security Center (Pay-as-you-go) Terms of Service and click Activate Now.

    After you purchase the CSPM feature, you can view the quota that is consumed by configuration checks on the CSPM > Configuration Check tab.

    Disable the pay-as-you-go billing method

    To disable the pay-as-you-go billing method for the CSPM feature, find Used Quota and click Suspended.

    Note

    You can enable the subscription billing method only after you disable the pay-as-you-go billing method.

    Subscription

    Visit the Security Center buy page and configure the Scan Quota for Cloud Security Posture Management and Duration parameters. For more information, see Purchase Security Center.

    Note

    We recommend that you purchase a quota that is 20 times the number of cloud service instances. If the quota is insufficient, you must re-scan the instances. For example, if you have added a total of 10 cloud services and each cloud service has 15 instances, we recommend that you purchase a quota of 3,000. The value is calculated by using the following formula: 10 × 15 × 20 = 3,000.

    After you purchase the CSPM feature, you can view the remaining quota that can be consumed by configuration checks on the CSPM > Configuration Check tab.

    Upgrade, downgrade, or renew Security Center

    If you cannot run configuration checks because the remaining quota is insufficient or your subscription to Security Center expires, you can click Scale Out to purchase more quota or renew the subscription to Security Center on the Order Upgrade tab. You can also reduce the quota on the Order Downgrade tab based on your business requirements.

    Change the billing method from subscription to pay-as-you-go

    After you purchase a quota for CSPM based on the subscription billing method, you cannot directly change the billing method to pay-as-you-go. You can downgrade Security Center or request a refund for Security Center before you enable the feature based on the pay-as-you-go billing method.

Use the feature

  1. Add cloud services: View the supported cloud services and add the cloud services whose configurations you want to check to Security Center. Alibaba Cloud services and third-party cloud services are supported.

  2. Use the CSPM feature: Configure a check policy, view check results, and handle the detected risk items.

  3. Use the attack path analysis feature: Conduct thorough scans and analyses of access paths among Alibaba Cloud services to understand their interconnections and potential risk areas. The process is instrumental in detecting redundant direct access permissions and uncovering potential vulnerabilities.

FAQ