
Navigating the cloudy seas: CNAPPs as a cloud security compass


In this post, we explore the various issues that companies face when moving to or working in the cloud, and what CNAPPs can offer to address them. It is based on insights provided by Frederik De Ryck, Senior Cyber Security Manager at Accenture, on the occasion of Solstice, an event jointly organized by Accenture Belgium and the Cyber Security Coalition.


The invention of the ship was also the invention of the shipwreck. This quote applies to many things, including the cloud. The more we virtualize and the more layers we put on top of each other, the more vulnerabilities will appear.

To mitigate all these issues and work more securely in the cloud, organizations have invested in a myriad of different tools and techniques. The complexity and lack of visibility resulting from this has led to the creation of so-called Cloud-Native Application Protection Platforms or CNAPPs. The idea behind these is to take a step back, assess the broad and complex tooling landscape and create a single platform that is easier to manage.  

The multi-cloud security problem space 

When moving to or working in the (multi-)cloud, several security problems can emerge. A well-known threat for instance is that of misconfiguration, and even though companies have been getting better at it, ill-configured environments can indeed lead to significant vulnerabilities. Then there is the issue of limited visibility over the security posture of multi-cloud assets across an organization. Think about kids installing unknown apps or games on their parents’ phone or laptop at home, which in turn are then brought into a company’s network environment. The same lack of visibility can occur when speed and agility are prioritized to test and launch new cool models that require access to an organization’s production data.  

The technology jungle, with its new tools and many point solutions that each address only part of the security challenges, is another hurdle. And last but not least, there are the issues of rapidly evolving threats and software vulnerabilities due to increasing complexity.

How do you handle all these problems within a fast-moving software space? As they are not new problems, appropriate security solutions exist for each of them separately. But is there an overarching solution to cover them all? 

The emergence and evolution of CNAPPs 

In 2021, Cloud-Native Application Protection Platforms (CNAPPs) appeared for the first time on the Gartner cloud security hype cycle, where they were already placed high. They bundle other items in that same cycle, including Cloud Workload Protection Platforms (CWPP), Cloud Security Posture Management (CSPM), and Cloud Identity and Entitlement Management (CIEM). Two years later, CNAPPs had already moved quite a bit forward on the Gartner hype cycle and are now expected to reach their plateau within 5 to 10 years.

So, what are CNAPPs? Gartner defined a CNAPP as “an integrated set of security and compliance capabilities designed to help secure and protect cloud native applications across development and production.” 

 

 

 

Looking a bit closer, a CNAPP can be seen as a logical evolution for DevSecOps and so-called “shift left” security. Starting at the left of the DevOps cycle, with the development of code, security needs to be assured through so-called artifact scanning. At this stage, packages can be added to the code that provide protection later. At the bottom of the cycle there is cloud configuration, which includes CSPM tooling that scans an environment to see if, for instance, networks and storage are well protected. Finally, when the code is built, moving to the right side of the DevOps cycle, it is used and secured from attacks by runtime protection.  

What a CNAPP does is bring these three angles – artifact scanning, cloud configuration and runtime protection – together in one single platform. We will discuss further in this post how that works. 

The capabilities of a CNAPP 

First, let’s have a look at what a CNAPP involves and what it can be used for in practice. A CNAPP covers several capabilities for modern multi-cloud security:

  • Cloud Security Posture Management (CSPM): continuously monitoring public cloud environments to detect and protect cloud infrastructure from security threats as well as to maintain compliance. CSPM is about scanning the estate of what organizations have in the cloud, benchmarking it against best practices and ideally remediating wherever possible.
  • Cloud Infrastructure Entitlement Management (CIEM): ensuring that the people who need access to the cloud environment have only the right privileges and a protected way to get access. In most organizations, this is poorly managed, as it is challenging for them to adjust and validate their identity and privilege management in light of how quickly things change in the cloud.
  • Cloud Workload Protection (CWP): the actual runtime protection, such as anti-malware, anti-virus, runtime container and database protection, etcetera.
  • Threat and Vulnerability Management (TVM): how you scan for vulnerabilities at runtime, keep track of dependencies and gather threat intelligence that helps you to protect your estate.
  • Code security (CS): several tactics to address misconfigurations and insecure secrets, including SAST, DAST, software composition analysis, secrets scanning and container image scanning.
  • Network security (NWS): the cloud must be protected, and this involves having the correct visibility and detecting anomalous network behaviour.

 

Bringing it all together 

As mentioned, CNAPP features cover the three categories of artifact scanning, runtime protection and cloud configuration. This allows the platform to secure and protect cloud assets throughout the whole lifecycle. But how does it bring the three together?

First, the goal of CNAPPs is to provide full visibility across multi-cloud environments, filling the existing knowledge gap. Where is my risk? What do I need to change? Which of the layers in my stack have holes and how can I limit these risks as fast as possible? A CNAPP is meant to provide answers to these questions and make sure that the multi-cloud environment can work securely.

Next to visibility, a CNAPP provides other outcomes, such as the ability to better prioritize risks thanks to a centralized and contextualized risk queue. Moreover, it allows organizations to work more efficiently thanks to auto-remediation and to reduce the complexity and costs associated with multiple security tools. And finally, seamless integration with the CI/CD pipeline leads to better acceptance of security tooling by DevOps teams.

 

Towards a secure cloud environment 

Does a CNAPP provide an answer to all cloud security questions? The answer is that it is not a silver bullet. It is certainly not a solution for everything and does not cover all areas of the whole cloud estate. Existing CNAPP solutions, for example, currently do not cover SaaS that well, or protect end-user devices for that matter.

On the upside, a CNAPP supports organizations by offering simplicity and visibility within a single tool that offers the best-of-breed, even if not all the vendors have jumped on the bandwagon yet. However, it is very likely that within a few years, most of the capabilities should be covered in CNAPPs.

And finally, the CNAPP framework is getting bigger and bigger. Within the ‘platform’ concept, it may well be possible that other items in the hype cycle will be included in CNAPPs, including Cloud Detection and Response (CDR) or Data Security Posture Management (DSPM). With the prospect of the CNAPP becoming a true Swiss army knife of cloud security solutions, vendors will surely include more capabilities in their solutions.

 

 

 

 

 

 

About the author
Jo De Brabandere

Jo De Brabandere is an experienced marketing & communications expert and strategist.