What to Look for in a CNAPP Solution
Blog Article Published: 06/24/2022
Written by Aqua Security.
As large-scale cloud native deployments become more prevalent, enterprises are trying to bring greater efficiency and speed to cloud native security. To do this, they’re moving to shift security left, implementing intelligent automation, cloud security posture management (CSPM) and cloud workload protection platforms (CWPPs).
However, doing this on their own is proving to be a challenge. That’s where cloud native application protection platforms (CNAPPs) come in.
In its report, Gartner defined this emerging category of security solutions to help organizations identify, evaluate, prioritize, and manage risk in cloud native applications, infrastructure, and configurations. A CNAPP is “an integrated set of security and compliance capabilities designed to help secure and protect cloud native applications across development and production,” the report says.
“Rather than treat development and runtime as separate problems—secured and scanned with a collection of separate tools—enterprises should treat security and compliance as a continuum across development and operations, and seek to consolidate tools where possible,” Gartner recommends.
CNAPPs combine the capabilities of several cloud security categories, including:
- Shift-left artifact scanning
- Infrastructure-as-code (IaC) scanning
- Kubernetes security posture management
- Cloud infrastructure entitlements management
- Runtime CWPP
Using a CNAPP allows organizations to implement complete end-to-end security for cloud native environments, rather than having to stitch together multiple solutions that address specific, discrete security issues.
There are a number of benefits to this approach. Perhaps the most important is that by providing shared context between development and production, a CNAPP allows organizations to get a full view of application risks and thus to secure applications consistently across their life cycle.
Let’s take a look at what makes a CNAPP a CNAPP.
A CNAPP must be a platform. That means it must offer a range of capabilities across the application life cycle and support various types of workloads, stacks, and cloud environments. It also must support multiple integrations and be able to tie into multiple teams and processes across an organization.
In addition, it must provide a unified, consistent experience. Many existing solutions offer only partial capabilities, for example, addressing just infrastructure, runtime, or scanning. Others cobble together several products that aren’t well-integrated and don’t provide a seamless experience.
A CNAPP also must be available either as a software-as-a-service (SaaS) or on-premises solution, to be suitable for highly regulated sectors like finance and healthcare.
These integrated platforms provide more than just visibility and monitoring, however. The “protection” component means that a CNAPP must be able to respond to attacks as they occur.
This capability takes a CNAPP one step beyond even the most robust shift-left protection and hardening of the environment. This is crucial, because those steps—although important—won’t protect you from zero-day exploits or runtime attacks that use advanced techniques to evade detection.
The high speed at which DevOps moves code through the CI/CD pipeline is one reason why conventional security solutions are less effective in cloud native environments. Cloud native attacks move at the same speed as cloud native apps, so the ability of a CNAPP to detect and respond to attacks in real time is imperative.
In order for a platform to protect an application, it must be able to identify and understand the application context.
This means tracking artifacts throughout the application life cycle and applying security controls that address risks according to the context. For example, just knowing that “container 4c01db0b339c executed ps” isn’t enough. You also need to know such things as:
- Which application the container belongs to
- Which image it originated from
- Whether executing ps is normal for the container in that application
- Whether executing ps in that context is legitimate or might indicate an attack
That’s why it’s important for a security solution to be embedded into the CI/CD pipeline and to integrate with DevOps tools. To understand the application context, it’s critical for a platform to provide scanning for artifacts in the build phase and to maintain their integrity from build to deployment. In turn, this helps to make decisions about deployment, for example, preventing unvetted images from running in production. If a solution doesn’t do that, it’s not a CNAPP.
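As an added illustration (not Aqua’s code or any product’s), here is a small Python model of what attaching context to the bare event above looks like: the deployment inventory, the set of vetted image digests and the per-application process baselines are all constructed sample data, and the same raw event “executed ps” gets a different verdict depending on which application and image the container is tied to.

```python
from dataclasses import dataclass

# Constructed inventory that a platform would build from the CI/CD pipeline:
# which app each container belongs to and which image digest it was started from.
DEPLOYMENTS = {
    "4c01db0b339c": {"app": "billing-api", "image": "registry.example/billing-api@sha256:aaa111"},
    "9f2e11c7d4a0": {"app": "debug-tools", "image": "registry.example/debug-tools@sha256:bbb222"},
    "77ab00ee19d3": {"app": "billing-api", "image": "registry.example/billing-api@sha256:ccc333"},
}
# Digests that passed build-stage scanning (constructed); anything else is unvetted.
VETTED_IMAGES = {
    "registry.example/billing-api@sha256:aaa111",
    "registry.example/debug-tools@sha256:bbb222",
}
# Per-application process baselines (constructed): what is normal for that app.
BASELINES = {
    "billing-api": {"gunicorn", "python3"},
    "debug-tools": {"bash", "ps", "top"},
}

@dataclass
class Verdict:
    app: str
    image: str
    severity: str   # "info", "medium" or "high"
    reason: str

def assess_exec(container_id: str, process: str) -> Verdict:
    """Turn a bare 'container X executed Y' event into a context-aware verdict."""
    meta = DEPLOYMENTS.get(container_id)
    if meta is None:
        # No link back to the pipeline: we cannot say what this container should be doing.
        return Verdict("unknown", "unknown", "high", "container not in deployment inventory")
    app, image = meta["app"], meta["image"]
    if image not in VETTED_IMAGES:
        # Build-to-deploy integrity is broken: the image never passed the build-phase scan.
        return Verdict(app, image, "high", "image was not vetted in the build phase")
    if process in BASELINES.get(app, set()):
        return Verdict(app, image, "info", f"{process} is normal for {app}")
    return Verdict(app, image, "medium", f"{process} is outside the baseline for {app}")

if __name__ == "__main__":
    # The same raw event, 'executed ps', is judged differently once context is attached.
    for cid in ("4c01db0b339c", "9f2e11c7d4a0", "77ab00ee19d3", "deadbeef0000"):
        v = assess_exec(cid, "ps")
        print(f"{cid}: app={v.app} severity={v.severity} ({v.reason})")
```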
What truly makes an application protection platform a CNAPP is that it’s built and tailored specifically for cloud native environments.
The dynamically orchestrated, ephemeral workloads that characterize cloud native applications mean that traditional network-based security tools aren’t sufficient. In a cloud native environment, it’s risky to rely on endpoint detection and response (EDR), host-based, or firewall security solutions alone.
For a platform to protect an application in a cloud native environment, it must be able to analyze, track, monitor, and control multiple types of cloud native workloads, such as containers, serverless functions, and VMs. It also must be compatible with cloud native infrastructure, including Kubernetes, IaC tools, and multiple public cloud providers.
To be a CNAPP, a platform must be designed for cloud native. If it can scan for container vulnerabilities but is oblivious to other aspects of cloud native, it’s not a CNAPP.
Organizations are seeking to bring more efficiency and greater speed to security for their large-scale cloud native deployments. Employing a collection of security tools that aren't integrated and that aren't built specifically for the cloud native environment makes this effort more difficult—and increases risk.
CNAPPs provide integrated security and compliance capabilities that are designed to help secure and protect cloud native applications across both development and production.