CNAPP and the World of Cloud Security
Recently we’ve been seeing more and more talk about CNAPP. It’s a relatively new term coined by Gartner that stands for cloud-native application protection platform. Gartner has added CNAPP to their hype cycle, especially as they predict that the use of public cloud will outstrip private data center usage. That’s a pretty big claim for a pretty big acronym. Let’s dig a little deeper into it.
As cloud-first becomes the norm, many companies are moving away from older tools and older ways of working into models and platforms which can handle the multi-cloud and hybrid cloud way of working. There simply isn’t time for security teams to be checking multiple security tools for each cloud framework and yet another different platform for edge protection. What the cloud protection world is moving toward is holistic integrated protection from single platforms; hence, CNAPP.
CNAPP and Shift Left
CNAPP, in this sense, is more than just a combination of earlier terms and technologies. Though it may appear to be a combination of a cloud workload protection platform (CWPP) and cloud security posture management (CSPM), it’s more than that. CNAPP covers more of the cloud-native application development life cycle, an area not necessarily covered by the other two acronyms. We call that shifting left.
If you think of the development life cycle as a linear process, moving from left to right, many traditional protection platforms only protected the very end of the process; the finished product. CNAPP shifts protection left to cover more of the application build process. This is crucial for catching issues and errors earlier in the development life cycle, meaning more effort and cost are saved. It also means that the security, development and operations teams are all using the same tool to monitor the environments. There’s no longer the need for a handoff between the dev environment and security platform to the live environment and security platform.
CNAPP, CWPP and CSPM—Oh My!
A combination of CWPP, CSPM and CNAPP can deliver end-to-end protection of your infrastructure, cloud environments, workloads and your cloud-native applications.
Cloud workload protection platforms are a so-called single-pane-of-glass for monitoring and securing cloud-based workloads. According to Gartner, “Organizations continue to adopt public cloud, private cloud, containers and serverless computing at higher rates as the result of COVID-19 and digital transformation. Technology service providers (TSPs) must meet this demand by offering broad CWPP capabilities that align with all forms of cloud workloads.”
Having only one dashboard to check, regardless of the number of cloud workloads or cloud infrastructure providers, cuts down on time and effort for security teams in their monitoring and prevention efforts. A good CWPP security solution should cover all the ingredients of the modern hybrid and multi-cloud environments, including on-premises, physical and virtual machines and containers as well as anything else that might reasonably be called cloud.
Cloud security posture management is a different approach primarily based on protecting cloud workloads from threats due to misconfiguration. An increasing number of organizations rely on public cloud infrastructure but may not know best practices or best configurations of that infrastructure. CSPM is the art and practice of monitoring infrastructure, detecting misconfiguration using best practices and documented fixes to resolve issues. These best practices and fixes should be drawn from a multitude of sources, including vendor-based knowledge bases and vendor-neutral industry-standard sources, which cover the most effective principles of cloud security. Integrating all of this information can give your security teams the power to spot and remediate issues and vulnerabilities as fast as possible.
A Holistic Approach
CNAPP is aiming to be a holistic approach, encompassing many cloud environments and cloud-native apps. It provides both the proactive management and monitoring of a CSPM solution while adding in the protection element from a CWPP.
CNAPPs guard against configuration drift and misconfiguration across VMs, containers, hybrid cloud and multi-cloud.
CNAPP isn’t likely to replace CWPP and CSPM, but it is a powerful complement to the previous tools that were available. There is still value in the CWPP and CSPM approaches but, as the tools and market for cloud security continues to grow, we may find many people trading in their old tools for new tools that put all the issues, and their solutions, at the fingertips of the teams that need to fix them.
