What is a Cloud-Native Application Protection Platform (CNAPP)?
CNAPP is an integrated, lifecycle-based cloud security solution that typically includes CSPM, CIEM, CWPP, container security and more
So what actually is a Cloud-Native Application Protection Platform?
CNAPP is a new cloud security approach defined by Gartner that addresses the need for unified lifecycle security. Such an integrated approach across the security stack is instead of the current reality of siloed solutions that provide only partial protection, overlap with each other without added benefit, incur overhead and often create friction.
CNAPP encompasses a wide set of tools from development to deployment, including but not limited to: Infrastructure as Code (IaC) scanning, cloud workload protection (CWPP), cloud infrastructure entitlement management (CIEM) and cloud security posture management (CSPM).
CNAPP solutions provide full coverage and visibility into multicloud environments and continuously detect security and compliance risks across the tech stack, including cloud configuration, workload and identity. They help organizations identify risk early in the software development lifecycle by enabling shift left on security. Finally, CNAPP solutions are ideally designed to simplify cloud security and encourage adoption among IT, IS, DevOps, DevSecOps and engineers.
CNAPP is not a roughly stitched integration of the aforementioned capabilities. Rather, it is a convergence of them. Since CNAPP is still an emerging category, it is important to ensure your CNAPP vendor can deliver on the promise. Before choosing a provider, it’s important to understand which capabilities the solution offers, how deeply these capabilities go and its future roadmap. In addition, validate the comprehensiveness of the offering (as opposed to siloed solutions bundled together) and make sure it’s not the vendor’s previous, single purpose offering, marketed under a new name.
What are the benefits of a Cloud-Native Application Protection Platform?
Enterprises gain many benefits from a Cloud-Native Application Protection Platform (CNAPP) platform:
- Visibility - DevOps, security, DevSecOps, IT and other stakeholders can see into their cloud infrastructure, identities, workloads and more to identify, control, prioritize and remediate risk.
- Enhanced and consistent security posture - The CNAPP lifecycle approach provides security consistency and context from coding to runtime, ensuring improved identification and remediation of risk.
- Cloud infrastructure health - The platform streamlines security hygiene for containers, Kubernetes clusters and other components, and leads to fewer misconfigurations during development and in production.
- Minimal overhead - The integrated tooling offers simplicity and nearly effortless usage compared to management of separate tools and vendors.
- Seamless integration - Notification and remediation of the findings integrate easily into the SDLC and developer pipelines.
- Shift left security – Security protection applied in development reduces reliance on runtime protection which is, in any case, limited.
- Insights and observability - The capabilities enable analysis and governance of attack paths, and better understanding of permissions and configurations.
- Holistic security - Security feedback promotes collaboration among development, operations, infrastructure and application security teams.
- Cloud-native security - Cloud security is provided by design rather than on-prem security adapted to the cloud.
Who needs CNAPP?
CNAPP simplifies cloud security for all security stakeholders: security and risk management, DevOps, DevSecOps, IAM and IT. By using CNAPP, these disciplines can work together to implement an integrated security approach that will govern access, improve cloud security posture and scale least privilege, without impacting application continuity or time to market.
Key components of a Cloud-Native Application Protection Platform Solution
CNAPP solutions provide multiple capabilities that have been previously offered as siloed tools. By combining and converging these capabilities, CNAPP provides insights based on user behavior data from the cloud and workloads. These insights can improve threat and vulnerability detection rates and reduce alert false positives, such as by correlating cloud misconfigurations with workload alerts or over entitlement.
CNAPP ideally includes these capabilities:
- Cloud Security Posture Management (CSPM) - Automates risk monitoring of public cloud service configurations and security settings, including against standards, policies and regulations.
- Cloud Workload Protection (CWP) - Secures workloads, including containers, serverless, virtual machines and servers.
- Cloud Identity Entitlement Management (CIEM) - Secures identities and entitlements and enforces least privilege at scale. Can include JIT (Just-in-Time) access in the cloud that revokes temporary privileges immediately after use.
- Kubernetes Security Posture Management (KSPM) - Covers security and compliance remediation for Kubernetes (i.e. CSPM for Kubernetes).
- Development Artifact Scanning - Assesses weaknesses in development artifacts: SAST/DAST, APIs, software composition analysis, exposure scanning and more.
- IaC Scanning - Assesses and alerts to weaknesses in code written as infrastructure.
- Network Configuration and Security Policy Management - Manages security policies for access governance.
- Additional runtime protection tools - Can include tools that secure web applications and APIs, and monitor applications, network segmentation and exposure scanning.
How does CNAPP work?
According to Gartner, “Optimal security of cloud-native applications requires an integrated approach.” CNAPP answers this need by providing a unified cloud security stack that addresses security, governance and compliance challenges, from development to production.
CNAPP provides a holistic view of cloud risk and provides security, DevSecOps, DevOps and engineering teams with visibility, actionable findings and contextual alerts for comprehensive protection and for improving the security posture. These are delivered across five core capabilities: infrastructure as code (IaC) scanning, container scanning, cloud workload protection platforms (CWPPs), cloud infrastructure entitlement management (CIEM) and cloud security posture management (CSPM). In CNAPP, all these capabilities are consolidated into a single platform rather than each being delivered separately from different vendors.
CNAPP functions in the same manner as each of these platforms separately, but continuously, seamlessly and from a single point of access, and across a multicloud environment. These abilities enable CNAPPs to deliver on their promise of finding and remediating risks at scale.
CNAPP vs. CWPP
A Cloud Workload Protection Platform (CWPP) is made up of tools for securing cloud workloads: virtual machines, servers, containers, serverless workloads and any other component of cloud computing, cloud storage and cloud networks. CWPP identifies workloads vulnerabilities and alerts about potential threats.
CWPP capabilities are typically a key pillar of a CNAPP solution. Gartner suggests that CWPP can be an alternative to CNAPP provided it is used together with CSPM and container scanning solutions, and integrated “into the development pipeline using APIs.” Such a piecemeal approach would involve considerable additional effort to meet the objective of unified risk visibility across tools. Indeed, according to Gartner, “integrating results and identifying risks would require the organization to build their own solution or introduce yet another vendor to consolidate risk visibility.”
CNAPP vs. CSPM
Cloud Security Posture Management (CSPM) is a tool that helps organizations validate that their cloud applications and services are securely configured. CSPM offers a broad view of network, data storage and API settings by acquiring configuration data from the cloud services in use and monitoring the data continuously for risk. CSPM analyzes compliance benchmarks and other guidelines to detect threats and vulnerabilities to help the enterprise with compliance requirements.
CSPM offerings are another key pillar of CNAPP. CSPM can be used by the enterprise as an alternative to CNAPP if it is integrated with CWPP and container scanning solutions (see above). That said, such a combination would lack inclusion of identities and entitlements in the cloud environment’s risk calculus.
CNAPP vs. Cloud Provider Security Tools
According to Gartner, “all major cloud platform providers offer some degree of integrated security capabilities.” Such tools require much work on the part of the cloud customer, are by nature not holistic and do not provide an answer for multicloud environments. Gartner warns that “cloud-provider specific solutions don’t address the needs of hybrid multicloud deployments.” The burden to secure what is within the cloud rests on the shoulders of the cloud customer, who must look beyond cloud provider tools to adequately protect their data (see the Shared Responsibility Model for more details).
CNAPP solutions typically provide multicloud protection and comprehensive cloud security, relieving IS, DevSecOps, DevOps and IT teams from stressing about what they need to protect.