The Why and the How of Managed CNAPP

Originally published by Tamnoon.

Written by Ran Nahmias, CBO, Tamnoon.

CNAPP is a fundamental piece of the cloud security puzzle – but poor implementations, lack of in-house expertise, and insufficient prioritization can lead to disappointing outcomes. At a time when security teams are stretched to their absolute limit, managed CNAPP is a more productive way forward for organizations looking to see quick results from their CNAPP investments.

In this article:

• Importance of CNAPP in 2024
• The compelling case for managed CNAPP
• The case against managed CNAPP

CNAPP is (almost) non-optional for modern cloud deployments

What’s a CNAPP? Cloud-native application protection platforms (CNAPP) are enterprise software tools that provide comprehensive security for applications and workloads running in cloud environments. They will typically be packaged as ‘all in one’ security suites, combining a wide range of capabilities. These include attack path analysis, remediation, cloud security posture management (CSPM) to identify misconfigurations and compliance issues, cloud workload protection (CWP) to detect threats and anomalous activity at runtime, and more.

Why CNAPP, and why now? Organizations have rapidly transitioned applications and data to the cloud in recent years. This has often been a ‘lift and shift’ operation that did not include deploying dedicated cloud security tools. Organizations that have gone down this route are now scrambling to catch up with the demands of modern cloud security, which can be much more complex and multi-faceted than protecting the traditional cyber perimeter and can be overwhelming without dedicated tooling.

Further pressure is coming from the compliance side. A growing list of industry standards and regulations, such as SEC Cybersecurity Rules 2024, PCI DSS 4.0, NIST 800-52 Rev 5, require organizations to implement security controls and remediation processes for their cloud environments. Demonstrating compliance with these frameworks, often with stringent SLAs, is becoming a requirement for doing business.

Why Managed CNAPP? 3 Reasons

In managed CNAPP, a third-party provider handles the deployment, configuration, and ongoing operation of an organization’s CNAPP. Rather than grappling with the complexity of these tools in-house, the organization offloads those responsibilities to a team of external experts who deliver security outcomes as a service – often with the help of a dedicated technology layer that sits on top of the CNAPP.

The managed CNAPP model is gaining traction for several reasons:

1. Organizations need to move fast

For obvious reasons, security teams that lack ‘cloud native’ expertise can struggle to evaluate and deploy cloud security tools. However, deploying a CNAPP solution can be a heavy lift, even for highly sophisticated security teams.

The process often begins with an evaluation phase involving outreach to multiple vendors, numerous sales calls and demos, and complex bake-offs between products. Once a decision is made, the real work begins: properly configuring the CNAPP to map to the company’s unique environment and use cases, integrating it with existing security and DevOps workflows, and defining scalable processes for ongoing remediation and vulnerability management.

For example, a larger organization might need to tune its CNAPP to enforce specific regulatory compliance checks, feed alerts into its SIEM and ticketing systems, quarantine compromised resources, and align remediation with change management processes – all requiring deep expertise and coordination across multiple functions. Many organizations struggle to overcome these hurdles quickly, leading to drawn-out implementations that fail to deliver timely results.

The ability to shortcut this process and have a CNAPP solution up and running is appealing, especially for organizations that are in the early stages of their cloud security journey and under pressure to put controls in place quickly. As we’ve mentioned above, many organizations struggle to stay compliant without a solution in place. Few can afford to spend months on evaluation, configuration, and inter-organizational alignment. Managed CNAPP gets customers to the starting line faster so they can begin realizing the security benefits sooner.

2. A single owner for many moving parts

Getting a CNAPP in place doesn’t mean you’ve “solved” your security challenge. Effective cloud-native security requires close collaboration between security, DevOps, and application teams – as well as carefully considered risk prioritization, manageable workflows, and timely incident remediation.

With so many moving parts, it can be difficult for organizations to determine who should own and drive the CNAPP program. Security teams may seem like the natural choice, but they often lack the necessary context about cloud environments and modern application architectures. Meanwhile, IT and DevOps teams tend to focus more on performance and availability than security. As a result, critical tasks like vulnerability prioritization, compliance checks, and remediation SLAs can fall through the cracks.

What about MDR or MSSP? Other types of security outsourcing solutions are unlikely to fill this void:

• Managed detection and response (MDR) providers are primarily focused on threat detection and incident response, not on the broader compliance and risk reduction goals of CNAPP.
• Managed security service providers (MSSPs) usually offer some basic cloud security monitoring services but often lack the depth of expertise and focus to operationalize CNAPP.

Managed CNAPP providers can solve this problem by acting as a central point of coordination and accountability. They bring together the right stakeholders, processes, and expertise to ensure nothing slips through the cracks. Managed providers also benefit from seeing across many customer environments, allowing them to establish best practices and benchmarks that individual organizations may struggle to develop on their own.

3. Remediation is boring

Let’s face it: few security professionals get excited about spending their days sifting through CNAPP alerts and endlessly tweaking cloud configurations. Remediation work is often considered tedious and unrewarding, especially compared to more glamorous tasks like threat hunting or incident response.

Nevertheless, remediation is absolutely essential to the success of any CNAPP program. It doesn’t matter how many vulnerabilities you can find if you never fix them. And in the cloud, where new assets are constantly being spun up, and configurations are constantly changing, the backlog of issues requiring remediation can quickly spiral out of control.

This is where managed CNAPP providers can shine. By taking on the day-to-day burden of triage and remediation, they free up your team to focus on more strategic initiatives. Managed providers can also apply consistent processes and playbooks to ensure that issues are remediated quickly and effectively without getting bogged down in internal red tape.

Of course, this doesn’t mean your team gets to wash their hands of remediation work completely. You’ll still need to be involved in setting priorities, defining SLAs, and handling any particularly sensitive or high-risk issues. However, with a managed CNAPP provider doing the heavy lifting, you can approach remediation work as an oversight function rather than a full-time job.

The Case Against Managed CNAPP

While managed CNAPP can offer significant benefits, it’s not the right fit for every organization. Some common objections to outsourcing CNAPP include losing control over your own cloud security posture, which can be a tough pill for some organizations, and a lack of internal skill and knowledge-building, which can create an unhealthy dependency on the provider.

These are valid concerns when outsourcing core security responsibilities. The key to mitigating these risks is to work closely with your managed CNAPP provider to ensure that they’re not operating in a silo. This means establishing clear lines of communication, setting well-defined roles and responsibilities, and creating a shared roadmap for success.

It also means leveraging the provider’s expertise and tooling to complement and enhance your team’s capabilities rather than replacing them entirely. Managed CNAPP providers often have access to proprietary technologies and threat intelligence that would be impractical for individual organizations to develop independently. By tapping into these resources, you can increase your team’s productivity and effectiveness without needing to invest in a massive internal build-out.