What is a Cloud-Native Application Protection Platform (CNAPP)?
Published 10/25/2021
This blog was originally published by Wiz here.
Written by Josh Dreyfuss, Wiz.
The security space is rife with acronyms and it can be difficult to keep track of everything. There is a new acronym emerging, however, that is worth diving into: CNAPP. CNAPP, or Cloud-Native Application Protection Platform, is a new category of security products, encompassing the functionality previously found in Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) products and more.
What does CNAPP mean?
CNAPP stands for Cloud-Native Application Protection Platform. The term was coined by Gartner, who recognized the expanding needs that go into securing applications in the cloud. Broadly speaking, CNAPP solutions aim to address workload and configuration security by scanning them in development and protecting them at runtime.
Earlier, we said that CNAPP is a step forward in cloud security. The reason for that is that CNAPP serves as a convergence of multiple technologies, combining the capabilities of existing cloud security solutions, primarily CSPM and CWPP, and also including elements of Cloud Infrastructure Entitlement Management (CIEM), Kubernetes Security Posture Management (KSPM), API discovery and protection, serverless security, and more.
Why does CNAPP exist?
There are two important elements in the term CNAPP that help explain why it exists. The first is “cloud-native.” The shift to the cloud has brought a wide range of new security needs along with it. The rise of dynamic and ephemeral environments within the cloud have increased complexity and created unique and unpredictable interactions. Traditional agent-based security approaches can’t provide the coverage needed to keep up with ephemeral, containerized, and serverless environments.
The second element is “application protection.” Previously, most cloud security tooling was focused on helping teams understand the security of their infrastructure. However, as Gartner says, “it’s no longer enough to ask, ‘Is my cloud infrastructure secure?’ Security tools must now ask, ‘Are my cloud applications secure?’”
When it comes to cloud applications, organizations need to be holistic in their security thinking. There are many ways to expose applications to risk in the cloud, from unintentional public Internet exposure to overly permissive access rights and more. Organizations should focus on identifying and mitigating the highest priority risks their cloud applications are exposed to, not just collecting a long list of security-related issues that in isolation pose little risk. With individual point solutions, it is often the case that they focus narrowly on a limited set of security issues and don’t integrate well together when it comes to correlating their signals, leading to challenges around prioritizing many low-priority alerts.
Key components of CNAPP
As CNAPP represents a convergence of existing security product categories, let’s briefly review what capabilities fall under the CNAPP umbrella. Everything below represents an existing point solution. CNAPPs bring aspects of these point solutions together to provide full stack visibility across cloud environments, and shift the focus from individual security issues to broader, interconnected combinations of issues that pose a critical risk.
CSPM
CSPM solutions are focused on identifying misconfigurations in cloud resources and tracking compliance to different controls and frameworks. They focus on the control plane, examining cloud infrastructure at the provider level. CNAPPs perform a deeper analysis of configurations and combine them with other inputs to identify and prioritize actual risks.
CWPP
CWPP is about securing cloud workloads, such as VMs, containers, and serverless functions, regardless of their location. CWPP capabilities go inside the workload, scanning for vulnerabilities, system configuration, secrets, and more. CNAPPs leverage CWPP capabilities to identify issues in the data plane within workloads themselves.
Supporting tooling: CIEM, KSPM, serverless, and more
While CSPM and CWPP capabilities are the primary components of CNAPP, a complete CNAPP solution will bring in elements of other cloud security tooling. Some examples include:
- CIEM. CIEMs deliver infrastructure entitlement management capabilities so organizations can enforce related governance controls. Identity and access governance represent an important risk area that CNAPPs should be able to address. For example, Wiz recently found that 82% of cloud companies unknowingly give 3rd party providers access to all their cloud data.
- KSPM. KSPMs are essentially CSPMs for Kubernetes. They focus on Kubernetes-related misconfigurations and security needs. For CNAPPs, bringing in a dedicated focus on Kubernetes and container security is important for cloud-native environments.
- Some other areas that are relevant for CNAPP solutions include serverless security, API discovery and protection, and more.
Learning more about CNAPP
Ultimately, the rise of CNAPP is a recognition that cloud security is complex, and requires new approaches to support and secure what DevOps teams are doing in the cloud. Increasingly dynamic and ephemeral environments, faster release cycles, and a growing number of technologies deployed in the cloud all lead to new challenges for cloud security. With CNAPP, the goal is not just to identify all the misconfigurations and security issues in your environment, but to uncover the actual risks that merit the team’s attention.
If you’re interested in uncovering the largest risks in your cloud environment, consider exploring a full stack, multi-cloud solution like a CNAPP. Ensure that you find something that can cover the breadth of your cloud deployment and perform a deep assessment of your cloud environment to identify and correlate the security issues that expose you to actual risk.
Related Articles:
Level Up Your Cloud Security Skills With This Jam-Packed Training Bundle
Published: 12/11/2024
Elevating Application Security Beyond “AppSec in a Box”
Published: 10/02/2024
Five Levels of Vulnerability Prioritization: From Basic to Advanced
Published: 09/04/2024