Cloud computing has myriad benefits, and its growing adoption is a welcome development for the IT and business communities. The changes it brings, however, raise the complexity of cybersecurity. Cloud adoption usually comes with the deployment of new security controls or tools to address new threats aimed at cloud resources.
One of the new cybersecurity models designed to address the new security challenges that come with the cloud is CNAPP or Cloud-Native Application Protection Platform. IBM cloud security expert Michael Massimi likens it to a “utility knife for cloud security services” and describes it as “the future of cloud security.”
CNAPP capabilities
First defined in Gartner’s Innovation Insight or Cloud-Native Application Protection Platforms research paper, Cloud-Native Application Protection Platform (CNAPP) is a new cybersecurity model that is projected to supplant several independent security tools with a unified holistic solution. This new solution is particularly designed for modern organizations that use multiple security solutions and operate with cloud-native workloads.
The multiple security solutions used by most organizations nowadays tend to be disjointed, which leaves security visibility inadequacies and management complexities. “Organizations have manually stitched together DevSecOps with 10 or more disparate security tools — some new and some old — each with siloed responsibilities and a limited view of application risk,” Gartner pointed out in its research paper. DevSecOps teams had to figure out ways to effectively oversee the security of their network while working with multiple security controls and ensuring a solid security posture.
CNAPP improves visibility by contextualizing the information obtained by the different security controls and providing the means to achieve end-to-end visibility with specific details about technology stacks, settings, and user/device and service identities. It also provides the ability to prioritize security alerts to make sure that the most urgent concerns are addressed the soonest, preventing duplicate, unimportant, and less important notifications or “noises” from concealing security information that merits utmost attention.
On the other hand, CNAPP addresses the cybersecurity complexities brought about by cloud adoption by emphasizing cloud-native security. This means that instead of creating parameter defenses, CNAPP provides a framework or model for integrating security controls with continuous integration and continuous delivery pipelines. This ensures that security is provided not only on-prem but also in private and public clouds. CNAPP provides cyber threat protection that covers containers and serverless infrastructure.
Enabling tighter controls
Organizations moving partly or entirely to the cloud will eventually have to work with cloud-based apps and services, containers, container orchestration platforms, secrets, IT assets that use cloud resources, and other elements that expose them to new or unfamiliar threats. These can open opportunities for possible misconfigurations or configuration errors. They need tighter controls to make sure that they keep their security posture intact.
For this, CNAPP provides organizations the ability to proactively examine their cloud-related resources to detect and promptly resolve security threats and compliance issues. Cloud security expert Shai Morag, in an article on Forbes (Morag is a Forbes Technology Council member), wittily summarizes the way CNAPP enables tighter controls: “taming clouds, avoiding storms.” Citing Gartner’s paper on CNAPP, Morag lists the different components that enable CNAPP to unify cloud security and expand security risk perspectives.
- Infrastructure as code (IaC) scanning – This process seeks to find security issues that may reside in the software-defined infrastructure, which is used to configure and deploy infrastructure components rapidly. It covers the development, distribution, deployment, and runtime aspects of the infrastructure-as-code model.
- Container scanning – Also known as container image scanning is a crucial part of container security. It entails the evaluation of containers and their components to detect possible threats or vulnerabilities.
- Cloud workload protection platforms (CWPPs) – These protect workloads that go through private, public, and hybrid cloud setups. It guides organizations in integrating security solutions right from the start and continues throughout the app development cycle.
- Cloud infrastructure entitlement management (CIEM) – This is about the overseeing of identities and access to cloud and multi-cloud services and infrastructure to mitigate the security risks that may arise from the unintentional or unmonitored granting of privileges.
- Cloud security posture management (CSPM) – This allows organizations to monitor, detect, and remediate security issues automatically across the different software-as-a-service, infrastructure-as-a-service, and platform-as-a-service solutions they are using.
CNAPP integration: the key to its versatility
Aren’t there cloud-native security tools available to address the new threats that come with cloud adoption? There are actually a good number of these tools. However, simply using them is basically just a continuation of the traditional cybersecurity approach. It means using multiple solutions or tools that do not integrate well or seamlessly work together. CNAPP offers a significant change in approach by integrating end-to-end cloud-native security controls and solutions across different workloads.
With CNAPP, enterprises can proceed with a code-and-commit approach wherein IaC and third-party library scans are undertaken hand in hand. It also supports container image assurance, runtime assurance, automated micro-segmentation, virtual machine protection, API protection, and entity behavior analytics. Doing all of these as part of a holistic enterprise security system lightens the burden for DevSecOps teams and ultimately enhances enterprise security posture.
The best way to prevent vulnerabilities from emerging in production environments is to perform security scans at all stages of development. Doing this is impossible with security solutions that are set for well-defined network perimeters. It is difficult to afford workload protection for apps and cloud resources when they are in different locations (hybrid and multi-cloud environments) and there are ephemeral and dynamic components or elements involved.
In summary
As a shift from the on-prem to the cloud-based setup broadens, it is no longer viable to continue using conventional cybersecurity approaches. Relying on the traditional model of deploying security solutions for serverless environments and containers, for example, can leave gaps and silos that weaken security posture.
CNAPP allows organizations to bring together different security solutions that address security concerns in different stages of the development process regardless of their location. It also brings automation to the process. This means comprehensive protection with a unified management console, enhanced visibility, and efficiency. It also results in security cost reduction, as organizations get to veer away from standalone security products and use an integrated platform with fewer dedicated resources involved.