CSPM — your starting point

Cloud Security Posture Management is the discipline of checking your cloud account configurations against best-practice baselines and compliance frameworks. A CSPM connects via the cloud provider's management APIs (AWS, Azure, GCP, OCI) and continuously asks questions such as: Is this S3 bucket public? Is this Lambda function over-privileged? Does this database have backups enabled? It reports drift from the baseline and prioritizes the findings.

CSPM is the floor of cloud security. Every organization with cloud spend should have one — most cloud providers offer a basic version free (AWS Security Hub, Azure Defender for Cloud free tier). Commercial CSPM products distinguish themselves on signal-to-noise tuning, multi-cloud coverage, IaC pre-deployment scanning, and compliance pack quality.

CWPP — runtime workload protection

Cloud Workload Protection Platforms protect the running thing — VMs, containers, serverless functions — rather than the cloud-account configuration around it. A CWPP typically includes runtime malware detection, file integrity monitoring, network microsegmentation, and runtime behavioral analytics. Modern CWPPs are agent-based (Sysdig, Aqua, CrowdStrike Falcon Cloud Security) or agentless using snapshot-based scanning (Wiz, Orca).

CWPP and EDR overlap on Linux servers — both protect compute. The practical distinction is that CWPP understands cloud context (Kubernetes namespaces, IAM roles, container image provenance) while EDR understands user/process context. Many organizations run an EDR for the user-facing fleet and a CWPP for the production workloads.

CIEM — the permissions problem

Cloud Infrastructure Entitlement Management focuses on a problem that went largely unrecognized until cloud permissions exploded in number: most cloud identities (humans and especially service accounts) hold far more permissions than they actually use. CIEM tools analyze actual usage and recommend least-privilege policies, flag toxic combinations of permissions, and identify dormant identities. Standalone CIEM is rare in 2026 — the capability has been absorbed by CNAPPs and CSPMs.
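The three CIEM outputs described above (least-privilege recommendation, toxic combinations, dormant identities) in miniature, as an added example rather than any vendor's code. It assumes granted actions and observed usage arrive as plain Python structures; the identities, actions, dates and the toxic pair are all constructed sample data, and a real CIEM would derive them from the provider's IAM API and activity logs.

```python
from datetime import date, timedelta
from fnmatch import fnmatchcase

# Constructed sample: actions each identity is granted (IAM-style wildcards).
GRANTED = {
    "svc-deploy": ["s3:*", "lambda:UpdateFunctionCode", "iam:PassRole"],
    "svc-report": ["s3:GetObject", "s3:ListBucket"],
    "svc-legacy": ["ec2:*"],
}

# Constructed sample: (identity, action, last date seen) as derived from logs.
USAGE = [
    ("svc-deploy", "s3:GetObject", date(2026, 3, 1)),
    ("svc-deploy", "lambda:UpdateFunctionCode", date(2026, 3, 2)),
    ("svc-report", "s3:GetObject", date(2026, 1, 10)),
]

# Constructed sample: an action pair the organisation treats as toxic together.
TOXIC_COMBINATIONS = [frozenset({"s3:GetObject", "s3:PutBucketPolicy"})]


def covers(pattern, action):
    """IAM-style match: '*' and '?' wildcards, case-sensitive 'service:Action'."""
    return fnmatchcase(action, pattern)


def analyze(granted, usage, toxic, as_of, dormant_after=timedelta(days=90)):
    """Per identity: used actions to keep, grants never exercised,
    dormancy relative to as_of, and any fully granted toxic combination."""
    report = {}
    for identity, patterns in granted.items():
        events = [(a, d) for (i, a, d) in usage if i == identity]
        used = {a for a, _ in events}
        # Recommend only observed actions that some current grant permits
        recommended = sorted(a for a in used if any(covers(p, a) for p in patterns))
        unused = sorted(p for p in patterns if not any(covers(p, a) for a in used))
        last_seen = max((d for _, d in events), default=None)
        dormant = last_seen is None or as_of - last_seen > dormant_after
        toxic_hits = [sorted(c) for c in toxic
                      if all(any(covers(p, a) for p in patterns) for a in c)]
        report[identity] = {"recommended": recommended, "unused_grants": unused,
                            "dormant": dormant, "toxic": toxic_hits}
    return report


if __name__ == "__main__":
    for name, row in analyze(GRANTED, USAGE, TOXIC_COMBINATIONS, date(2026, 5, 1)).items():
        print(name, row)
```

Note that `s3:*` counts as "used" because `s3:GetObject` was observed, yet the recommendation still shrinks it to the one action seen, which is the least-privilege rewrite a CIEM proposes.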

CNAPP — the unified platform

Cloud-Native Application Protection Platform is Gartner's umbrella term for the consolidation that has been happening: a single platform that covers CSPM + CWPP + CIEM + container security + IaC scanning + sometimes ASPM and DSPM, all in one UI with a shared asset graph. Wiz, Palo Alto Prisma Cloud, CrowdStrike Falcon Cloud Security, Aqua, Sysdig, and Orca are all positioning as CNAPPs.

The CNAPP argument is that an attacker does not respect the boundaries between these acronyms — they exploit a misconfigured IAM policy to access a vulnerable container running a service with hardcoded credentials. Stitching that path across separate CSPM, CWPP, and CIEM tools wastes hours during an investigation. A unified CNAPP shows the attack path in one screen, much like a mature vulnerability management program stitches scanner output into a single remediation queue.

The downside of CNAPP consolidation is that depth in any single area can lag specialist tools. Best practice in 2026 is to run one CNAPP for breadth and supplement with a specialist tool (e.g. dedicated DSPM, dedicated Kubernetes runtime security) only where the CNAPP's capability is genuinely insufficient.

KSPM, ASPM, DSPM — the newer acronyms

  • KSPM (Kubernetes Security Posture Management): CSPM specifically for Kubernetes — RBAC, admission control, pod security standards
  • ASPM (Application Security Posture Management): correlates findings across SAST, DAST, SCA, secrets scanning, and runtime — the application-layer version of CSPM
  • DSPM (Data Security Posture Management): discovers sensitive data across cloud stores and tracks who can access it. The fastest-growing 2025–2026 category

How to choose without overpaying

  1. Start from your top three cloud risks. If misconfiguration is the headline, you need CSPM; if container compromise is, you need CWPP; if data exposure is, DSPM
  2. Inventory what your cloud provider gives you free. Defender for Cloud (Azure), Security Hub (AWS), Security Command Center (GCP) cover baseline CSPM at no extra cost
  3. For CNAPP shortlisting, ask for an actual attack-path demo in a sandbox account — and pair the result with your EASM coverage so internet-exposed assets are factored in
  4. Avoid agent-only CWPPs for serverless-heavy architectures — agentless snapshot scanning is the standard there
  5. For multi-cloud, weight the platform's depth in your weakest cloud, not the cloud you already know best