
Embed Security from Code to Cloud with Unified CNAPPs

Published 12/12/2023

Originally published by CSO Online.

Written by Giulio Astori, Principal Program Manager, Microsoft Security.

A decade ago, most companies relied on individual point solutions to secure specific aspects of their cloud environment. They might have one solution for vulnerability management, another for monitoring employee device usage, yet another for verifying login information, and so on.

However, as multi-cloud environments grew in popularity and attack surfaces became more complex, we saw a shift toward vendor consolidation and native tool unification. This move reduced the need to manually consolidate security signals across disparate solutions and streamlined workflows. Today, that trend has evolved into a push for contextualized cloud security.

Read on to learn how cloud-native application protection platforms (CNAPPs) work in tandem with Cloud Security Posture Management (CSPM) to drive code-to-cloud contextualization and embed best practices across the entire organization.


Introducing CSPM: The bridge between code and cloud

Before we can talk about CNAPP, it’s essential to first understand the pivotal role of CSPM in the "code to cloud" security continuum. CSPM acts as a key pillar, providing centralized administration and oversight over the security posture from the onset of code development, through the DevOps pipeline, and onto the cloud infrastructure. By identifying, assessing, and mitigating risks and misconfigurations, CSPM lays a solid foundation for the unified security approach that is embodied by CNAPP.

Embedding ‘code to cloud’ contextualization within CSPM signifies a holistic approach to cloud security. This involves proactive security enforcement right from the code development phase, where potential vulnerabilities are identified and rectified early on. As the code is released and deployed through the DevOps pipeline onto the cloud environment, CSPM’s continuous monitoring and compliance assessments ensure that the security posture remains robust.

Furthermore, the integration of CSPM within a CNAPP framework amplifies this contextualized security approach. CNAPP, with CSPM at its core, orchestrates a unified security response across the application lifecycle, ensuring that security insights from the code level are not lost but rather carried forward and utilized to bolster cloud security.


Enhance cloud security with CNAPP and CSPM

In delving deeper into the realm of cloud security, the relationship between CSPM and CNAPP emerges as a crucial aspect. At the heart of this relationship lies the fundamental idea of enhancing security from the ground up, right from the code level to the deployment in cloud environments. CSPM serves as the cornerstone of this framework, acting as a centralized hub for managing and enforcing security policies across the cloud infrastructure. It helps in identifying, assessing, and mitigating risks and misconfigurations, thereby ensuring a robust security posture throughout the application lifecycle.

An effective CNAPP should combine capabilities across CSPM, DevOps security management, cloud workload protection, cloud infrastructure entitlement management, and network security.

For instance, envision a financial services company looking to safeguard its cloud-based applications and data. Utilizing a CNAPP could significantly enhance its cloud security posture. Within this CNAPP, CSPM capabilities continuously monitor and enforce security policies, ensuring compliance with industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS).

DevOps security management within the CNAPP could also ensure that security is embedded right from the code development phase, identifying and mitigating potential vulnerabilities early in the development lifecycle. Cloud workload protection and cloud infrastructure entitlement management capabilities could provide real-time monitoring and protection of cloud resources and manage permissions, ensuring only authorized personnel have access to sensitive data.


Agent-based versus agentless security: why choose?

There's a significant debate right now in the cybersecurity community over agent-based versus agentless cloud protections. And while each has its unique benefits, we'd argue that the better approach is to prioritize a CNAPP that incorporates both.

Agent-based security uses software installed on cloud-based or on-premises workloads to empower organizations with in-depth visibility and allow them to defend their IT infrastructure and data against cyber-attacks and data breaches. These agents provide real-time threat protection and comprehensive monitoring of individual workloads. When combined with Security Information and Event Management (SIEM) software, agent data can be synthesized and correlated to investigate complex and cross-platform security incidents.

Agentless security, on the other hand, collects data using non-invasive methods such as cloud image analysis, log file analysis, and API connections. This approach is more scalable, reduces management overhead, and negates the need for constant maintenance of a deployed agent. While agentless protection is particularly effective when companies need to spin up resources quickly, it's even more powerful when combined with the deep-reaching capabilities of cloud security agents.

For instance, if a financial services organization needs to protect its data, it might leverage agentless technology to ensure no sensitive data is internet-exposed. This sensitive data can include personally identifiable information, such as SSNs or credit card numbers. In these cases, the instant nature of agentless security can help security teams understand context and linked risks. If the organization wants to detect and respond to ongoing and future attacks aimed at data exfiltration, such as a malware campaign, it can turn on agent-based protection and receive real-time alerts about brute force attacks or malware infiltration.

By choosing a CNAPP that leverages agent-based and agentless security in concert, organizations benefit from a robust and flexible solution that meets a range of cloud security needs. The CNAPP can adapt to the context, optimizing its use of agent-based or agentless security as needed to provide proactive security from DevOps all the way to runtime workloads. Combining agent-based and agentless protection methods also enables the CNAPP to better integrate into complex multicloud environments, delivering end-to-end protection that unifies DevOps security management and CSPM while protecting cloud workloads.

Want to learn more about CNAPPs or cloud security? Check out our webinar, "Implementing a CNAPP Strategy to Embed Security From Code to Cloud."
