Cloud-native application protection platforms (CNAPP) are used to secure cloud-native application lifecycles. Learn about the components, benefits, and DevSecOps impacts of CNAPP solutions.
Today’s cloud-native environments present new and complex application protection challenges. To protect applications spread across public, private, and hybrid clouds, security teams typically must use multiple security tools – and those tools don’t always work well together. Cloud-native application protection platforms (CNAPPs) are a relatively new category of products that aim to solve this problem. They are designed to unify the capabilities of multiple security tools and safeguard cloud apps throughout the entire development lifecycle, from build and cloud configuration through deployment and runtime protection.
Cloud-native application environments have become remarkably complex. App workloads may continually move between multiple private and public clouds, using mixtures of open-source and custom-developed code. Code bases never stop changing as release cycles accelerate, new features are continually rolled into production, and old code disappears.
To cope with the challenges of securing these highly dynamic environments, security operations teams often have to bolt together multiple types of cloud security tool. In addition, many companies also still operate a variety of older traditional app protection tools.
The problem is that each tool provides a siloed, limited view of application risk, potentially increasing the organization’s exposure to threats and creating more work for security professionals. SecOps teams find themselves struggling to manually correlate information from multiple tools, make sense of confusing alerts, and respond quickly.
CNAPPs promise to address these challenges by combining the capabilities of multiple cloud security tools into a single platform. As described by Gartner Inc., which first defined the CNAPP category, CNAPP products provide a more integrated approach that covers the entire app lifecycle from development to runtime protection. They employ advanced analytics to address application risk, open-source component risk, cloud infrastructure risk, and runtime workload risk.
Ideally, a CNAPP should integrate the capabilities of four existing categories of security tools: cloud workload protection platforms (CWPP), cloud security posture management (CSPM) products, cloud access security brokers (CASB), and cloud infrastructure entitlement management (CIEM) tools. It should scan containers as well as infrastructure-as-code (IaC), and help organizations harden apps in cloud workloads both during development and after they are deployed.
In reality, CNAPP is a relatively young category, and the products are still evolving toward those goals. Not all are equally comprehensive or integrated. Some may still require add-ons to support all the workloads or cloud platforms you run, especially if your environment includes cloud services from providers other than Amazon, Microsoft, and Google. Still, it’s often possible to gain value from evolving CNAPPs for cloud application protection if they possess robust CSPM and CWPP capabilities.
As CNAPP solutions mature, they’ll encompass ever more of the functionality of the four core elements, starting with CWPP capabilities and building out.
CWPPs focus on protecting server workloads wherever they are, whether in on-premises physical or virtual machines, or in infrastructure-as-a-service (IaaS) running on public clouds. They typically combine system integrity protection, application control, behavioral monitoring, intrusion prevention, and (in some cases) anti-malware protection at runtime.
CSPMs identify, monitor, and remediate misconfigurations and compliance issues that can cause problems such as data breaches. To do so, CSPMs may embed and draw upon best practices from leading cloud providers, security control frameworks, and compliance standards – including legal requirements such as HIPAA.
Sometimes described as firewalls for cloud services, CASBs sit between cloud providers and users and enforce security policies to ensure that authorized users can access only the cloud services they are permitted to use – and that unauthorized users are denied access. CASBs can discover the cloud services an organization is using, including unmanaged shadow IT services, and then apply a range of security enforcement policies to them. These can include authentication, authorization, single sign-on (SSO), credential mapping, device profiling, encryption, tokenization, logging, alerting, and malware detection/prevention.
CIEMs help organizations manage all their identities and privileges across all cloud environments. They identify and fix access entitlements that aren’t necessary or that exceed the least-privilege principle by allowing a greater level of access than is needed.
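To make the CSPM and CIEM checks described above concrete, here is an added example (not code from the article or from any CNAPP vendor) that runs two small rule sets over a constructed cloud inventory: posture rules that flag exposure-widening configuration (public buckets, unencrypted storage, internet-reachable databases) and entitlement rules that flag policies exceeding least privilege (wildcard actions or resources) and identities that have gone unused. The inventory schema, resource and identity names, the AWS-style policy shape, and the 90-day staleness threshold are all assumptions made for the example.

```python
"""Toy CSPM/CIEM-style checks over a constructed cloud inventory.

Added example, not from the article or any vendor product. The inventory
schema, names, and policy shape are assumptions (loosely modelled on
AWS-style JSON policies); the rule logic is generic.
"""
from dataclasses import dataclass

STALE_DAYS = 90  # assumed threshold for flagging an unused identity


@dataclass(frozen=True)
class Finding:
    category: str   # "CSPM" (configuration) or "CIEM" (entitlements)
    resource: str
    severity: str
    message: str


# Constructed sample inventory (not real infrastructure); schema is an assumption.
INVENTORY = {
    "storage_buckets": [
        {"name": "app-assets", "public_read": True, "encryption": None},
        {"name": "app-backups", "public_read": False, "encryption": "aes256"},
    ],
    "databases": [
        {"name": "orders-db", "publicly_accessible": True, "tls_required": False},
        {"name": "audit-db", "publicly_accessible": False, "tls_required": True},
    ],
    "identities": [
        {"name": "ci-deployer", "last_used_days": 1,
         "policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
        {"name": "log-reader", "last_used_days": 3,
         "policy": {"Statement": [{"Effect": "Allow",
                                   "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
                                   "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:app:*"}]}},
        {"name": "old-contractor", "last_used_days": 200,
         "policy": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_posture(inventory):
    """CSPM-style checks: configuration settings that widen exposure."""
    findings = []
    for b in inventory.get("storage_buckets", []):
        if b.get("public_read"):
            findings.append(Finding("CSPM", b["name"], "high", "bucket allows public read"))
        if not b.get("encryption"):
            findings.append(Finding("CSPM", b["name"], "medium", "bucket has no encryption at rest"))
    for db in inventory.get("databases", []):
        if db.get("publicly_accessible"):
            findings.append(Finding("CSPM", db["name"], "high", "database reachable from the internet"))
        if not db.get("tls_required"):
            findings.append(Finding("CSPM", db["name"], "medium", "database accepts non-TLS connections"))
    return findings


def check_entitlements(inventory, stale_days=STALE_DAYS):
    """CIEM-style checks: entitlements beyond least privilege, plus stale identities."""
    findings = []
    for ident in inventory.get("identities", []):
        name = ident["name"]
        for stmt in ident["policy"].get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue  # Deny statements narrow access; only Allow widens it
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if "*" in actions:
                findings.append(Finding("CIEM", name, "critical", "policy allows every action"))
            elif any(a.endswith(":*") for a in actions):
                findings.append(Finding("CIEM", name, "high", "policy allows every action in a service"))
            if "*" in resources:
                findings.append(Finding("CIEM", name, "high", "policy applies to every resource"))
        if ident.get("last_used_days", 0) > stale_days:
            findings.append(Finding("CIEM", name, "medium",
                                    f"identity unused for {ident['last_used_days']} days"))
    return findings


def run_all(inventory):
    """Combined view: the integration a CNAPP promises over separate CSPM/CIEM tools."""
    return check_posture(inventory) + check_entitlements(inventory)


if __name__ == "__main__":
    for f in run_all(INVENTORY):
        print(f"[{f.category}][{f.severity:8}] {f.resource}: {f.message}")
```

The point of `run_all` is the one the article makes about integration: each rule set alone answers a narrow question, while the combined result shows, for example, that `old-contractor` is both over-entitled and stale, which is the kind of correlation SecOps teams otherwise do by hand across tools.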
Beyond integrating previously separate solutions, CNAPPs also promise a number of other benefits.
By offering a holistic approach to cloud security across the entire app lifecycle, CNAPP promises developers the ability to uncover risks wherever they may emerge – in custom or open-source code, in configurations, in endpoints, containers, serverless environments, and at runtime. CNAPP aligns more closely with how cloud software is developed, thus enabling app security that is more tightly integrated throughout the development process, supporting DevSecOps initiatives, and making it easier to harden applications no matter how quickly they change.
CNAPP continues the trend of blurring the lines between cloud security and application security, says Frank Catucci, Chief Technology Officer and Head of Security Research at Invicti Security. Over time, he expects CNAPP products to offer a growing range of features as they inch closer to the goal of providing comprehensive cloud app protection.
“We’re going to see a broader convergence of capabilities into CNAPP, including support for everything from IaC to containers,” Catucci predicts.