Cloud Native Application Protection Platform (CNAPP): An Evolving Approach to Cloud Security

A closer look at the newest Cloud Security category as defined by Gartner: Cloud Native Application Protection Platform (CNAPP).

By Ermetic Team

Cloud Security Challenges of Enterprises Today

CISOs and CIOs are dealing with a plethora of cloud security challenges across the development and operations lifecycles. According to our survey, 98% of companies experienced some kind of cloud-related security breach in the past 18 months. Today, enterprises attempt to close these gaps by implementing a variety of tools, each answering a specific risk. Some tools take a “shift left” security approach by focusing on developers and DevSecOps, while others address runtime aspects like infrastructure and configurations. Yet a third group deals with access management, and there are more.

This dispersed tool approach is time-consuming, adds overhead, creates friction between Security and Development, and forces teams to work in silos. In addition, misconfigurations between tools that are stitched together could increase the attack surface by creating vulnerabilities. With the limitations of the current tools, enterprises cannot successfully implement cloud-native security.

Vendors have identified this gap. They are now attempting to address the market’s needs by offering hybrid solutions that answer both control and data plane risks. By using a single converged tool with multiple security capabilities for applications and services, enterprises can reduce risk, overhead and operational costs.

Gartner has identified this trend toward a lifecycle approach, and the need behind it, and created a new category to define it: CNAPP.

What is CNAPP?

Cloud Native Application Protection Platforms (CNAPP) are cloud security platforms that consolidate and integrate multiple security and compliance capabilities into one. A term coined by Gartner, CNAPP is a new type of cloud security platform that secures cloud-native applications from development to production, while reducing friction and mitigating risks that result from tool silos.

CNAPP Components and Capabilities

CNAPP is an integration of tools and capabilities designed to secure cloud-native applications from development to production. Let’s break down CNAPP into its components.

  • Cloud Security Posture Management (CSPM) - Technologies for automatically monitoring risk in public cloud service configurations and security settings, and mapping them to security standards and policies.
  • Cloud Workload Protection Platforms (CWPP) - Technologies for securing workloads, including containers, serverless, virtual machines and servers.
  • Cloud Identity Entitlement Management (CIEM) - Technologies for managing access and enforcing least privilege in the cloud through monitoring of cloud identities and recommending policies.
  • Kubernetes Security Posture Management (KSPM) - Technologies that fix security and compliance issues for Kubernetes (i.e. CSPM for Kubernetes)
  • Development artifact scanning - Assessment of weaknesses in development artifacts, including SAST/DAST, APIs, software composition analysis and exposure scanning
  • IaC scanning - Assessment of weaknesses in configuration files
  • Network Configuration and Security Policy - Security policy management to govern access
  • Additional Runtime Protection Tools - Technologies for web application and API protection, application monitoring, network segmentation and exposure scanning

It’s important to note that CNAPP is more than a stitching together of all these capabilities. By combining user behavior data from the cloud and from workloads, CNAPP provides advanced insights that could improve detection rates and reduce false positives. These insights can be generated by, for example, correlating posture misconfigurations with workload alerts or over-entitlement.

10 CNAPP Benefits for Security Teams, DevOps and DevSecOps

CNAPP is designed to ensure:

  1. Better visibility into workloads and across infrastructure to identify and prioritize risk
  2. Improved identification and remediation of risk through a lifecycle approach that offers security consistency and context from coding to runtime
  3. Fewer misconfigurations and streamlined management of containers, Kubernetes clusters and other components
  4. Minimal overhead and complexity when managing tools and vendors
  5. Seamless integration of scanning capabilities into the SDLC and developer tools
  6. Shift left security – and less reliance on runtime protection
  7. Better insight into and governance of attack path analysis; this includes permissions and configurations
  8. Bi-directional security feedback between development and operations
  9. Cloud-native security (and not on-prem security adapted to the cloud)
  10. Infrastructure and application security

How Can I Get Started with CNAPP?

Despite the hype and the promise, CNAPP is still more of a hypothetical category than an actual tool that vendors are offering. The category is emerging, and tools do not yet provide all the converged capabilities -- despite what some vendors may promise.

However, since the risks of cloud security are not hypothetical, it is recommended to take action and prepare your organization and its tooling for CNAPP. This includes creating a cloud security plan and researching vendors with capabilities that offer a strong basis for CNAPP while evaluating their offerings. In addition, continue scanning artifacts, containers and Kubernetes to identify vulnerabilities and malware. This is an emerging market, so we expect to see more vendors offering these capabilities soon. As Gartner notes, focus on solutions that are well integrated, prioritize risk to avoid wasting time and include cloud configuration awareness.