Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

What to Look for in a CNAPP Solution

Home
Industry Insights
What to Look for in a CNAPP Solution

Blog Article Published: 06/24/2022

Written by Aqua Security.

As large-scale cloud native deployments become more prevalent, enterprises are trying to bring greater efficiency and speed to cloud native security. To do this, they’re moving to shift security left, implementing intelligent automation, cloud security posture management (CSPM) and cloud workload protection platforms (CWPPs).

However, doing this on their own is proving to be a challenge. That’s where cloud native application protection platforms (CNAPPs) come in.

In its report, Gartner defined this emerging category of security solutions to help organizations identify, evaluate, prioritize, and manage risk in cloud native applications, infrastructure, and configurations. A CNAPP is “an integrated set of security and compliance capabilities designed to help secure and protect cloud native applications across development and production,” the report says.

“Rather than treat development and runtime as separate problems—secured and scanned with a collection of separate tools—enterprises should treat security and compliance as a continuum across development and operations, and seek to consolidate tools where possible,” Gartner recommends.

CNAPPs combine the capabilities of several cloud security categories, including:

Using a CNAPP allows organizations to implement complete end-to-end security for cloud native environments, rather than having to stitch together multiple solutions that address specific, discrete security issues.

There are a number of benefits to this approach. Perhaps the most important is that by providing shared context between development and production, a CNAPP allows organizations to get a full view of application risks and thus to secure applications consistently across their life cycle.

Let’s take a look at what makes a CNAPP a CNAPP.

Platform

A CNAPP must be a platform. That means it must offer a range of capabilities across the application life cycle and support various types of workloads, stacks, and cloud environments. It also must support multiple integrations and be able to tie into multiple teams and processes across an organization.

In addition, it must provide a unified, consistent experience. Many existing solutions offer only partial capabilities, for example, addressing just infrastructure, runtime, or scanning. Others cobble together several products that aren’t well-integrated and don’t provide a seamless experience.

A CNAPP also must be available either as a software-as-a-service (SaaS) or on-premises solution, to be suitable for highly regulated sectors like finance and healthcare.

Protection

These integrated platforms provide more than just visibility and monitoring, however. The “protection” component means that a CNAPP must be able to respond to attacks as they occur.

This capability takes a CNAPP one step beyond even the most robust shift-left protection and hardening of the environment. This is crucial, because those steps—although important—won’t protect you from zero-day exploits or runtime attacks that use advanced techniques to evade detection.

The high speed at which DevOps moves code through the CI/CD pipeline is one reason why conventional security solutions are less effective in cloud native environments. Cloud native attacks move at the same speed as cloud native apps, so the ability of a CNAPP to detect and respond to attacks in real time is imperative.

Application

In order for a platform to protect an application, it must be able to identify and understand the application context.

This means tracking artifacts throughout the application life cycle and applying security controls that address risks according to the context. For example, just knowing that “container 4c01db0b339c executed ps” isn’t enough. You also need to know such things as:

  • Which application the container belongs to
  • Which image it originated from
  • Whether executing ps is normal for the container in that application
  • Whether executing ps in that context is legitimate or might indicate an attack

That’s why it’s important for a security solution to be embedded into the CI/CD pipeline and to integrate with DevOps tools. To understand the application context, it’s critical for a platform to provide scanning for artifacts in the build phase and to maintain their integrity from build to deployment. In turn, this helps to make decisions about deployment, for example, preventing unvetted images from running in production. If a solution doesn’t do that, it’s not a CNAPP.

Cloud native

What truly makes an application protection platform a CNAPP is that it’s built and tailored specifically for cloud native environments.

The dynamically orchestrated, ephemeral workloads that characterize cloud native applications mean that traditional network-based security tools aren’t sufficient. In a cloud native environment, it’s risky to rely on end-point detection and response, host-based, or firewall security solutions.

For a platform to protect an application in a cloud native environment, it must be able to analyze, track, monitor, and control multiple types of cloud native workloads, such as containers, serverless functions, and VMs. It also must be compatible with cloud native infrastructure, including Kubernetes, IaC tools, and multiple public cloud providers.

To be a CNAPP, a platform must be designed for cloud native. If it can scan for container vulnerabilities but is oblivious to other aspects of cloud native, it’s not a CNAPP.

Conclusion

Organizations are seeking to bring more efficiency and greater speed to security for their large-scale cloud native deployments. Employing a collection of security tools that aren't integrated and that aren't built specifically for the cloud native environment makes this effort more difficult—and increases risk.

CNAPPs provide integrated security and compliance capabilities that are designed to help secure and protect cloud native applications across both development and production.

ComplianceDevSecOpsVulnerabilities

Share this content on your favorite social network today!

Latest from CSA
Join AT&T Cybersecurity in Chicago
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Enhance your cloud security skills with CSA's online training options.
Related Articles:
Upselling Cybersecurity: Why Baseline Security Features Shouldn’t Be a Commodity

Published: 04/24/2024

Secure Your Kubernetes Environment by Enforcing Least Privilege

Published: 04/24/2024

‘Leaky Vessels’ Docker Vulnerabilities Found in Many Cloud Environments: RunC (60%) and BuildKit (28%)

Published: 04/23/2024

Neutralizing the Threat with Cloud Remediation

Published: 04/23/2024