Do I Need CNAPP If We’re Only Starting to Deploy to the Cloud?
It’s a leading question because no matter how new you are to the cloud, you need CNAPP – find out why
You’ve started deploying workloads to the public cloud. Here’s your security strategy: Let’s use our provider’s native tooling, keep our workload vulnerability scanner and add in a cloud security posture management (CSPM) tool. They’ll flag the vulnerabilities and misconfigurations, and keep us compliant, at minimal spend. That’s good enough cloud security for us now – anything bigger would be taking a hammer to an ant.
True or false?
Decidedly false. You’re not going to conquer security in the cloud with a piecemeal approach or by ticking compliance checkboxes. With the data center firewall gone, cloud security is an ongoing, dynamic, multi-layered acrobatic act. Studies report ballooning misconfigurations and vulnerabilities, and excessive entitlements, for all organizations no matter how small their cloud footprint is. When cloud resources are not configured correctly, the cloud environment is vulnerable.
This blog explores the rationale for a holistic cloud security approach from the get-go – even for fledgling cloud environments.
Cloud security problems start upon migrating workloads
We see a tendency among customers new to the cloud: during and after deployment, their teams apply the same data center principles, and even the same tools, regardless of how poorly they function in the cloud. We also see that, in making that initial deployment, they are typically over-permissive with identities and generic about security policies, in an effort to minimize the obstacles and troubleshooting they will face.
The cloud involves frequent spinning up and down of infrastructure, service accounts getting broad access and third parties needing access, workloads in flux and Kubernetes workloads acting like closed black boxes. It’s near-impossible not to mess up on security configurations and access policies. Using data center tools for cloud security or deploying workloads with over-permissive access creates huge security gaps that can lead to exposure – and are a gift to cloud threat actors. These gaps include misconfigurations, workload vulnerabilities and risky policies, roles and identities, as well as unsecured assets and potentially publicly accessible resources. In addition to the risks specific to assets, using the wrong tools or applying lax access entrenches security practices not suited to the new cloud environment.
Organizations are aware of the risks. A 2023 TechTarget ESG study found the most common cloud security concerns included managing access control to reduce risk and the attack surface, and ensuring developers aren’t circumventing security teams. Respondents also reported contending with a wide range of misconfigurations.
So what are organizations new to the cloud doing about their security concerns and to reduce their cloud attack surface? Some rely solely on their cloud provider's native tools. Others supplement such tools with – or use only – third-party cloud security posture management (CSPM) and other independent software vendor security capabilities.
What security can you count on your CSP to provide?
For starters, your CSP can help you:
- Align with best practices
- Educate your organization on the leading risks and threats
- Mature your cloud and cloud security program and roadmap
AWS, for example, offers the AWS Cloud Adoption Framework, which consists of foundations, domains and iterative phases necessary for successful cloud transformation. Security is one of the framework’s key foundational capabilities.
Security-wise, cloud providers offer an ever-evolving treasure chest of security tools and related documentation to help you ensure the confidentiality, integrity and availability of your cloud workloads and data. These security capabilities span identity and access management (IAM), network security, data and infrastructure protection, monitoring and logging, vulnerability management, governance, incident response and more. Many of these tools integrate well with the cloud customer’s existing workflows and support automation.
While cloud provider tools can offer a security foundation, they typically require a high degree of cloud security expertise to implement and use effectively. Also, even with provider tools in place, the cloud customer must configure their environment correctly, follow best practices and implement additional security measures for specific needs. The success and effectiveness of provider security tools depends on how well your organization configures, monitors and maintains them.
Under shared responsibility, cloud providers recommend security best practices for cloud-stored data – yet the cloud customer has the onerous task of executing those best practices, and carrying out regular security assessments to ensure continued compliance. For organizations new to the cloud, building out a security program using cloud provider tools can create a huge amount of work, result in solutions not necessarily automated and potentially compromise the cloud environment’s resilience to attacks and lateral movement.
Then there’s the matter of detected risks. CSP security tools may generate findings – but what to do next? Are the findings critical or minor? Are the risk mechanisms able to identify toxic combinations? Do the tools answer questions you need to know about what is taking place in your environment? Knowing how to mitigate detected misconfigurations and risks can be a challenge for even the most resourceful and experienced teams.
And note: cloud provider tools typically do not identify risk in other cloud environments, nor at granular levels. Yet studies show that most organizations deploying to the cloud find themselves, in short order, expanding to additional cloud providers to meet different business unit and application needs. For multicloud security, many organizations turn to third-party tools.
CSPM and CIEM are a great start - but not enough
Investing in cloud security posture management tools is a widely recognized first step in securing workloads deployed to the cloud. The same ESG report found that almost 75% of organizations are using third-party CSPM solutions including for consistency across platforms.
Enterprises small and large are increasingly seeking out cloud infrastructure entitlement management (CIEM) tools in combined use with CSPM. Together, these capabilities provide cloud security posture management with greater context for more effective compliance, reduction of the cloud attack surface by reining in permissions risk, and enforcement and scaling of least privilege access.
Are CSPM and CIEM enough? Together they help reduce cloud misconfigurations, and identity and access risk. However, they do not address security at the cloud-native application level, namely:
- Continuous scanning of workflows
- Kubernetes security
- Shift left infrastructure as code (IaC) scanning, to prevent errors at source
- Anomaly detection
You’re thinking: I don’t need all that now. Yet for time saving, organizational and even investment reasons, and improved outcomes overall, a more effective approach to cloud security is to adopt CNAPP from the get go. Let’s take a closer look.
Adopting CNAPP early enables seamless security scaling
The ESG study found that most organizations are using DevOps for their cloud-native application building and plan to ramp up security practices in those efforts in the next two years. Microsoft reports that the number of service identities in the cloud is tenfold that of human users. In other words, very quickly in your organization’s cloud journey you will be engaging in the cloud’s productivity enablers and facing the challenges and risks of cloud complexity.
CNAPP combines and tightly integrates the cloud infrastructure security capabilities of CSPM and CIEM with cloud-native application security, for holistic lifecycle protection from development to deployment. CNAPP offers a robust, layered security posture spanning all aspects of cloud security, including risks to identities and entitlements (such as unintended privilege escalation), misconfiguration of cloud infrastructure components (such as publicly exposed storage resources), exposure of workload vulnerabilities (such as vulnerable OS versions) and misconfigurations in infrastructure as code. CNAPP solutions integrate and correlate otherwise siloed capabilities. They automate cloud security to detect risks and threats more accurately than standalone tools, and remediate in a fraction of the time. They also perform the analysis needed to ensure regulatory compliance.
Taking a holistic approach to your cloud security out of the gate makes good sense – you grow your cloud security incrementally, minimizing the attack surface where possible. Piecing together your cloud security one solution – or many unintegrated solutions – at a time may make you late to the game in detecting high-impact risks. CNAPPs, from the first steps of implementation, actually improve your speed in detecting risks and eliminate time spent chasing alerts.
Indeed, the pursuit of consolidated platforms is on the rise. Gartner predicts that, by 2025, 75% of new CSPM purchases will be part of an integrated CNAPP offering.
A CNAPP solution provides quick, early wins with minimal effort. As an example, in the first weeks to months of implementing a CNAPP you can already:
- Find and prioritize toxic combinations - See which workloads have both critical vulnerabilities and additional severe risks
- Remove all inactive IAM users at a click
- Reveal exposed secrets across all your cloud environments
- Resolve critical risks - ~2% of findings - across identity, secrets, network, workload, compute, data, custom policies and anomalies
- Automate compliance benchmarks
Over time, you operationalize the solution further, remediating through project-based workflows, implementing least privilege, identifying and addressing flaws in infrastructure as code and more – eliminating operational silos and empowering cross-functional teams.
And there are other bonuses. A CNAPP all but automatically produces a best-practice path to an ever-maturing cloud security strategy. The capabilities are there, waiting to be used, with added correlated insight with every new use case you incorporate. Remediation guidance is rich in the why and how, teaching teams as they go. Updates on cloud provider services and tools take place automatically, without the need for manual updates.
Four reasons to start your cloud security with CNAPP
While the domain is yet emerging and evolving, there are key qualities to guide your thinking in what to look for in a CNAPP.
- Exceptional cloud identity security - According to Gartner, 75% of breaches are the result of misconfigured identities
- Usability and ease of onboarding - All dashboards look nice but when you click through do you understand the problem and what you need to do?
- Dynamic risk prioritization - Nuanced, contextual analysis across workloads, network, identity, data and Kubernetes filters out noise and pinpoints what’s most important
- Easy communication with developers - Detailed findings easily shipped to change owners is a boon to security collaboration and best practice
Tip #1: Exceptional cloud IAM security
As organizations move to the cloud, identity is the new perimeter, taking front and center as a major security control. Many security use cases, like network security, are now being addressed by identity controls – such as segregation between development and production, third-party access and data security. Yet identity configurations in the cloud are extremely complex. Even the most basic questions, like “who can access what?”, are hard to answer. Many organizations get it wrong.
Look for a CNAPP solution with strong cloud identity security, integrating complete visibility, detection, and remediation capabilities for identity-related configuration and risks.
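To make the “who can access what?” question concrete, here is an added example (not code from the original post or from any CNAPP product) that evaluates identity-based policies for a set of constructed principals. The principal names, policies and ARNs are invented; the evaluator deliberately models only the core IAM rule (explicit Deny beats Allow, otherwise implicit deny) and ignores conditions, resource policies, SCPs and permission boundaries, which a real product has to account for.

```python
"""Answering "who can access what" from identity-based policies.

Added example, not code from the original post or any CNAPP product. The
principals and policies below are constructed; the evaluator is a deliberate
simplification of IAM evaluation (see the docstring of is_allowed).
"""
import re
from typing import Dict, List


def _glob_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policies: List[dict], action: str, resource: str) -> bool:
    """Simplified identity-policy evaluation.

    Mirrors the core IAM rule: an explicit Deny overrides any Allow, and with no
    matching Allow the result is an implicit deny. Conditions, NotAction /
    NotResource, resource policies, SCPs and permission boundaries are not
    modelled, so a real answer needs the full evaluation a CNAPP performs.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            # Action names are case-insensitive in IAM; resource ARNs are not.
            if not any(_glob_match(a, action, ignore_case=True) for a in actions):
                continue
            if not any(_glob_match(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def who_can(principals: Dict[str, List[dict]], action: str, resource: str) -> List[str]:
    """Principals whose attached policies permit `action` on `resource`."""
    return sorted(p for p, pols in principals.items() if is_allowed(pols, action, resource))


def admin_principals(principals: Dict[str, List[dict]]) -> List[str]:
    """Principals holding an unconditional Allow of every action on every resource."""
    admins = set()
    for name, pols in principals.items():
        for policy in pols:
            for stmt in _as_list(policy["Statement"]):
                if (stmt["Effect"] == "Allow"
                        and "*" in _as_list(stmt.get("Action", []))
                        and "*" in _as_list(stmt.get("Resource", []))):
                    admins.add(name)
    return sorted(admins)


# Constructed principals and attached policies (hypothetical account).
PRINCIPALS = {
    "role/app-server": [{"Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                                       "Resource": "arn:aws:s3:::app-assets/*"}}],
    "user/dev-alice": [{"Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::customer-pii", "arn:aws:s3:::customer-pii/*"]},
    ]}],
    "role/ci-runner": [{"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}],
    "user/auditor": [{"Statement": {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}}],
}

if __name__ == "__main__":
    pii = "arn:aws:s3:::customer-pii/export.csv"
    print("can read PII export:", who_can(PRINCIPALS, "s3:GetObject", pii))
    print("full administrators:", admin_principals(PRINCIPALS))
```

Run as a script, it reports that only the over-permissive CI role can read the constructed PII object (the developer's broad Allow is cancelled by the explicit Deny) and that the same role is the one unconditional administrator; both are the kind of answer a CNAPP's identity analysis surfaces across every principal at once.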
Tip #2: Usability - for quick wins and to close gaps
Organizations are increasingly deploying resources to the public cloud – adopting Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings and services. The complexity of the environments and the knowledge required by different teams using the services grows exponentially (IAM service alone has more than 3,000 configurations). Understanding the root cause and being able to prioritize cloud misconfigurations is extremely challenging.
Look for a CNAPP that visualizes key configurations (e.g., network exposure, entitlement or access activities) in a user-friendly way. Such usability will allow any user to not only detect a potential misconfiguration but easily identify the root cause – accelerating triage and remediation. Seeing the problem despite its complexity makes troubleshooting much easier.
Tip #3: Dynamic risk analysis and prioritization
Cloud environment complexity and lack of cloud security expertise lead automated monitoring tools to detect and visualize large numbers of cloud misconfigurations. Even experienced teams face challenges in triaging and resolving all the detected misconfigurations. But not all misconfigurations are equal – some have critical impact. Teams need to be able to accurately prioritize misconfigurations and findings.
Seek out a CNAPP that combines visibility across the technical stack – network, compute, data and identity configurations – and allows building a comprehensive risk profile for each misconfiguration and finding, effectively selecting the critical risks and greatly reducing the time to resolution. The best solutions provide policies without a “fixed” risk level; rather, they determine risk dynamically based on deep contextual analysis. Also, look for solutions that can detect when a combination of misconfigurations creates a high-risk attack scenario (such as internet-exposed machines that also have critical vulnerabilities and sensitive permissions).
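The following added example (not the post's or any vendor's code) shows the contextual scoring this tip and the earlier “find and prioritize toxic combinations” quick win describe: the same critical vulnerability scores low on an isolated, unprivileged workload and critical when it coincides with internet exposure and sensitive permissions. The asset records, weights and severity thresholds are constructed assumptions.

```python
"""Contextual risk scoring and toxic-combination detection over correlated findings.

Added example, not code from the original post or any CNAPP product. The asset
records, weights and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    """One workload with the findings a CNAPP would have correlated onto it."""
    asset_id: str
    internet_exposed: bool = False        # network finding: reachable from 0.0.0.0/0
    max_cvss: float = 0.0                 # vulnerability finding: highest CVSS on the host
    sensitive_permissions: bool = False   # identity finding: attached role can read data or escalate
    holds_sensitive_data: bool = False    # data finding: classified data on the asset


def score_asset(asset: Asset) -> Tuple[int, List[str]]:
    """Return (score 0-100, reasons). Weights are assumed, not a product's."""
    score, reasons = 0, []
    if asset.max_cvss >= 9.0:
        score += 30
        reasons.append(f"critical vulnerability (CVSS {asset.max_cvss})")
    elif asset.max_cvss >= 7.0:
        score += 15
        reasons.append(f"high vulnerability (CVSS {asset.max_cvss})")
    if asset.internet_exposed:
        score += 20
        reasons.append("internet exposed")
    if asset.sensitive_permissions:
        score += 20
        reasons.append("sensitive permissions")
    if asset.holds_sensitive_data:
        score += 10
        reasons.append("holds sensitive data")
    # The toxic combination named in the text: together the three findings form a
    # plausible attack path, so the combination is weighted beyond its parts.
    if asset.internet_exposed and asset.max_cvss >= 9.0 and asset.sensitive_permissions:
        score += 30
        reasons.append("TOXIC COMBINATION: exposed + critical vulnerability + sensitive permissions")
    return min(score, 100), reasons


def severity(score: int) -> str:
    """Map a dynamic score onto the bands a triage queue is sorted by (assumed cut-offs)."""
    if score >= 80:
        return "critical"
    if score >= 50:
        return "high"
    if score >= 25:
        return "medium"
    return "low"


def prioritize(assets: List[Asset]) -> List[Dict[str, object]]:
    """Rank assets by contextual score, highest first."""
    ranked = []
    for asset in assets:
        score, reasons = score_asset(asset)
        ranked.append({"asset": asset.asset_id, "score": score,
                       "severity": severity(score), "reasons": reasons})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


# Constructed inventory: web-1 and batch-2 carry the same CVE, in very different contexts.
SAMPLE_ASSETS = [
    Asset("web-1", internet_exposed=True, max_cvss=9.8, sensitive_permissions=True),
    Asset("batch-2", max_cvss=9.8),
    Asset("api-3", internet_exposed=True, max_cvss=7.5, holds_sensitive_data=True),
    Asset("fn-4", sensitive_permissions=True),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ASSETS):
        print(f"{row['asset']:8} {row['score']:3} {row['severity']:8} {'; '.join(row['reasons'])}")
```

A fixed-severity scanner would put web-1 and batch-2 at the top together because both carry a CVSS 9.8 finding; the contextual score separates them, which is what lets a small team spend its first weeks on the few findings that actually matter.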
Tip #4: Detailed findings and easy communication with developers
Once a misconfiguration is detected, remediation may require much work, including ensuring that the findings are delivered to the DevOps, CloudOps or Dev teams that are responsible for the misconfigured resource and have the technical ability to triage the finding and remediate the risk. The process is further complicated by the different platforms teams use to communicate such information (e.g., Jira, Slack, MS Teams, PagerDuty, ServiceNow). Furthermore, the relevant DevOps individual or developer may lack the knowledge to determine the best way to remediate the specific risk – and may worry that a configuration change will cause production issues. Implementing the remediation procedure might take up precious time, making semi- or fully automated remediation capabilities a must.
Seek out CNAPP capabilities that automatically identify the stakeholders potentially responsible for the misconfigured resources and let you set up automatic notifications. These settings allow you to share findings with stakeholders automatically via different channels, based on rules such as environment, risk severity and event type. It’s very important that the CNAPP solution provide detailed remediation instructions for each finding, to inform stakeholders of the optimal remediation process. It’s also important that the platform offer built-in secure configurations (in cloud-native or IaC formats) that integrate into CI/CD processes or are applied automatically, to further save time and build developer trust in the security tooling.
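As an added illustration of the notification rules this tip asks for (not the post's or any product's code), the block below routes constructed findings to channels by environment, severity and event type, resolves the owning team from the resource's tag, falls back to an unowned queue when the tag is missing, and attaches per-event remediation text. The findings, owner directory, channel names, rules and remediation wording are all assumptions.

```python
"""Rule-based delivery of findings to the right owners and channels.

Added example, not the post's or any product's code. The findings, owner
directory, channel names, routing rules and remediation text are constructed.
"""
from typing import Dict, List

# Constructed findings, with the resource's ownership tag already correlated in.
FINDINGS = [
    {"id": "F-1", "resource": "i-0a1b2c", "env": "prod", "severity": "critical",
     "event": "toxic_combination", "tags": {"owner": "payments-team"}},
    {"id": "F-2", "resource": "bucket-dev-logs", "env": "dev", "severity": "low",
     "event": "public_bucket", "tags": {}},
    {"id": "F-3", "resource": "role/ci-runner", "env": "prod", "severity": "high",
     "event": "excessive_permissions", "tags": {"owner": "platform-team"}},
    {"id": "F-4", "resource": "sg-0ff", "env": "prod", "severity": "medium",
     "event": "open_security_group", "tags": {}},  # no owner tag at all
]

# Constructed directory: the channel each owning team wants its findings on.
OWNER_CHANNELS = {"payments-team": "slack:#payments-alerts", "platform-team": "jira:PLAT"}
UNOWNED_CHANNEL = "slack:#cloudsec-unowned"

# Constructed remediation guidance per event type, shipped with every notification.
REMEDIATION = {
    "toxic_combination": "Patch the critical CVE first, then remove public ingress and trim the attached role.",
    "public_bucket": "Enable Block Public Access on the bucket and review its bucket policy.",
    "excessive_permissions": "Replace wildcard actions with the actions observed in the last 90 days.",
    "open_security_group": "Restrict the 0.0.0.0/0 ingress rule to the required CIDR ranges.",
}

# Routing rules: every rule whose `match` keys all equal the finding's values fires.
# The channel "owner" means "resolve through the resource's owner tag".
RULES = [
    {"name": "page-critical-prod", "match": {"env": "prod", "severity": "critical"},
     "channel": "pagerduty:cloud-oncall"},
    {"name": "owner-ticket-prod", "match": {"env": "prod"}, "channel": "owner"},
    {"name": "digest-nonprod", "match": {"env": "dev"}, "channel": "email:cloudsec-digest"},
]


def _matches(rule: dict, finding: dict) -> bool:
    return all(finding.get(key) == value for key, value in rule["match"].items())


def route(finding: dict, rules=RULES, owners=OWNER_CHANNELS) -> List[str]:
    """Channels a finding is delivered to; unroutable findings go to the unowned queue."""
    channels = []
    for rule in rules:
        if not _matches(rule, finding):
            continue
        if rule["channel"] == "owner":
            channels.append(owners.get(finding["tags"].get("owner"), UNOWNED_CHANNEL))
        else:
            channels.append(rule["channel"])
    return channels or [UNOWNED_CHANNEL]


def build_notification(finding: dict) -> Dict[str, object]:
    """The message a stakeholder receives: where it goes, what it is, how to fix it."""
    return {
        "finding": finding["id"],
        "channels": route(finding),
        "summary": f"[{finding['severity'].upper()}] {finding['event']} on "
                   f"{finding['resource']} ({finding['env']})",
        "remediation": REMEDIATION.get(finding["event"], "See finding details."),
    }


def route_all(findings=FINDINGS) -> Dict[str, List[str]]:
    return {f["id"]: route(f) for f in findings}


if __name__ == "__main__":
    for finding in FINDINGS:
        note = build_notification(finding)
        print(note["channels"], note["summary"], "->", note["remediation"])
```

The critical production finding both pages on-call and opens the owner's channel, the low-severity dev finding lands only in a digest, and the untagged production resource is surfaced in the unowned queue rather than silently dropped, which is the gap that most often lets findings age.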
Awareness of the importance of securing cloud environments is high. Where to apply your budget for the best immediate and long-term value? Organizations with larger cloud footprints and security tooling are already seeking to consolidate their tools to save on overhead and get better outcomes for their investment.
Organizations like yours, new to the cloud, have a magical moment to get security right from the start and launch a cloud protection program with consolidation built in.
Like a home with extra bedrooms for growth, consider a CNAPP solution a smart, scalable choice for your cloud security investment that gives you quick wins and modular expansion. You gain advanced, correlated risk intelligence from your first steps and a security gap reduction gift that keeps on giving as your cloud usage grows.