From Code to Cloud, the Case for Cloud-Native App Protection
Published 04/21/2023
Originally published by CXO REvolutionaries.
Written by Rich Campagna, SVP & GM, Posture Control, Zscaler.
A Cloud Native Application Protection Platform (CNAPP) is far more than just another buzz-acronym in an industry already chock full of them. It’s the next logical stage of security evolution for organizations increasingly relying on public cloud services.
The security challenges of increasing cloud usage are three-fold:
1. Cloud environments are diverse, dynamic, and automated
Cloud computing allows for a wide range of resources to be spun up based on automated policies. This dynamic design, though responsive and efficient, makes it harder for security teams to analyze compared to older, more static architectures.
Couple that with how cloud usage changes over time. Many organizations have migrated from on-prem through hybrid infrastructures to cloud-first strategies, and now run complex multicloud estates that provide agility, resilience, and performance. Every cloud provider has its own management paradigm, services, and features, further complicating the job of monitoring and securing IT services consistently across all of them.
In tandem, many organizations develop their software for deployment into one or more cloud services. Usually, development and operations teams aren’t as tightly integrated as they could be. This can lead to security issues. Dev teams, for instance, may not know what the future cloud-based operating environment will consist of, or even which cloud services will be involved. Without such insight ahead of time, it’s extremely difficult for security teams to assess code for potential security problems.
Ideally, security teams can set policies and decide where to enforce guardrails. DevOps teams should be able to correct issues directly in the tools they’re already using, without interrupting their flow or needing to learn another tool.
2. Understanding cloud security risks in context
Every security team aims to spot risks and triage them according to business needs as quickly and comprehensively as possible. But when dealing with architecture as dizzyingly complex as in the cloud, that’s far easier said than done. Built-in security offered by those services often lacks essential context.
Suppose, for instance, a vulnerability scan identifies that a container running in AWS has an unpatched vulnerability categorized as critical. Does that mean the team must immediately act to solve the problem? Not necessarily. It depends largely on how much corporate data is potentially exposed and how isolated that particular container is in the total IT architecture.
But AWS doesn’t know that, and hence can’t tell you. It is better to consider a wide range of risk indicators together, identify the weaknesses most likely to be exploited by an attacker, and prioritize accordingly, so that the team spends its limited remediation effort where it reduces the most risk.
Key input signals include a holistic cloud asset inventory and an overview of misconfigurations, excessive entitlements, internet exposure, unpatched vulnerabilities, and sensitive data. With these capabilities in one place, IT teams can consolidate point products such as a cloud CMDB, CSPM (cloud security posture management), CIEM (cloud infrastructure entitlement management), DLP (data loss prevention), and vulnerability scanning.
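The prioritization argument above can be made concrete. The following is an added example, not code from the original article or from any Zscaler product: it combines the signals just listed (vulnerability severity, internet exposure, excessive entitlements, sensitive data) into a single score, so that the "critical but isolated" container from the earlier scenario ranks below an exposed asset with a lower-severity flaw. The asset records, the finding identifiers, the weights, and the priority thresholds are all constructed assumptions chosen to illustrate the idea, not data from any real environment.

```python
"""Context-aware prioritization of cloud findings (illustrative example).

Assumption: each asset has already been enriched by inventory, CSPM, CIEM,
DLP and vulnerability scanning. The scoring weights and thresholds below are
arbitrary choices for demonstration, not a vendor's model.
"""
from dataclasses import dataclass, field

# Severity of the worst unpatched vulnerability, as reported by the scanner.
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Asset:
    asset_id: str
    cloud: str
    kind: str                      # "vm", "container", "function"
    internet_exposed: bool = False  # reachable from the internet (CSPM)
    sensitive_data: bool = False    # holds or can reach regulated data (DLP)
    excessive_entitlements: bool = False  # over-privileged identity (CIEM)
    cves: list = field(default_factory=list)  # [(finding_id, severity)]


def risk_score(asset):
    """Return (score, reasons).

    Score is 0 when nothing is exploitable. Otherwise the worst severity is
    scaled by reachability (can an attacker get to it?) and by blast radius
    (what do they gain once they are on it?).
    """
    if not asset.cves:
        return 0, []
    worst_id, worst_sev = max(asset.cves, key=lambda c: SEVERITY[c[1]])
    reasons = [f"{worst_id} ({worst_sev})"]
    score = SEVERITY[worst_sev]
    # Reachability: severity matters far more when there is a way in.
    if asset.internet_exposed:
        score *= 3
        reasons.append("internet-exposed")
    # Blast radius: lateral movement and data impact.
    if asset.excessive_entitlements:
        score *= 2
        reasons.append("excessive entitlements")
    if asset.sensitive_data:
        score *= 2
        reasons.append("sensitive data")
    return score, reasons


def priority(score):
    """Map a score onto a remediation bucket (thresholds are assumptions)."""
    if score >= 24:
        return "P1"
    if score >= 8:
        return "P2"
    if score > 0:
        return "P3"
    return "none"


def prioritize(assets):
    """Score every asset and return them most-urgent first."""
    rows = []
    for a in assets:
        score, why = risk_score(a)
        rows.append({"asset": a.asset_id, "cloud": a.cloud, "score": score,
                     "priority": priority(score), "reasons": why})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample inventory; finding IDs are placeholders, not real CVEs.
SAMPLE_ASSETS = [
    # The scenario from the text: critical finding, but isolated.
    Asset("ecs/batch-worker", "aws", "container",
          cves=[("vuln-crit-1", "critical")]),
    Asset("ec2/web-frontend", "aws", "vm", internet_exposed=True,
          sensitive_data=True, cves=[("vuln-high-1", "high")]),
    Asset("gke/payments-api", "gcp", "container", internet_exposed=True,
          excessive_entitlements=True, sensitive_data=True,
          cves=[("vuln-med-1", "medium")]),
    Asset("lambda/cron", "aws", "function"),  # nothing unpatched
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ASSETS):
        print(f"{row['priority']:>4}  {row['score']:>3}  {row['asset']:<20} "
              f"{', '.join(row['reasons'])}")
```

Run stand-alone, the medium-severity but internet-exposed, over-privileged payments API lands in P1, the isolated container with the critical finding lands in P3, and the function with no findings is not queued at all, which is the ordering a scanner's severity label alone would never produce.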
3. Regulation compliance gets harder, slower, and costlier in the cloud
How easily can you demonstrate compliance when you don’t own and control the clouds involved? What if those clouds are in a constant state of operational flux?
Just as security teams struggle to track and triage cybersecurity risks, they’re also likely to struggle to map regulation requirements to the cloud architectures their core services increasingly require.
And manual audits are usually both costly and slow; often so slow that they are ineffective. By the time the audit team finishes, the environment has changed and new requirements may apply, essentially invalidating the results.
The best solution would be an advanced form of automated compliance that continually considers all the relevant variables – essentially, an application of cloud strengths to the compliance problem. But in most organizations, such a solution doesn’t yet exist.
CNAPP is the best way to solve all of these security and compliance cloud challenges
CNAPPs help organizations identify and prioritize the combinations of cloud weaknesses that are most likely to lead to a security incident. Because a CNAPP is able to provide these capabilities not only across cloud service providers, but across a wide range of development and DevOps tools, it can help identify issues early on, not only reducing overall risk but helping to foster rather than hinder organizational agility and innovation.
Not all CNAPPs are created equal, but the more advanced versions can swiftly and accurately improve any organization’s cloud security posture in many respects. These include:
- Consolidating management across diverse clouds to a single pane of glass. Instead of multiple interfaces to manage multiple clouds, security teams use one interface to manage all of them, leading to faster problem detection and resolution.
- Automatically and continuously identifying, prioritizing, and mitigating the security risks of any cloud architecture in a manner that’s context-aware. This intelligent automation gives teams the information and insight they need at the virtual machine, container, and serverless levels — no matter which leading cloud services they use.
- Analyzing code in development, spotting security problems before they can manifest in the cloud, and integrating with development solutions to empower developers with the information needed for a fix.
- Linking DevOps and security teams via trigger alerts, trouble tickets, and automated workflows, putting everyone on the same page, and enabling new software to create business value rather than security issues.
- Automatically and continuously analyzing and reporting on governance and compliance, to ensure the cloud strategy is fully compliant without the time, hassles, and expense of a manual audit process.
- Creating and enforcing suitable entitlements assigned to human and machine entities, to minimize the risks of unauthorized access to core services and data.