Today’s cloud-native environments present new and complex application protection challenges. To protect applications spread across public, private, and hybrid clouds, security teams typically must use multiple security tools – and those tools don’t always work well together. Cloud-native application protection platforms (CNAPPs) are a relatively new category of products that aim to solve this problem. They are designed to unify the capabilities of multiple security tools and safeguard cloud apps throughout the entire development lifecycle, from build and cloud configuration through deployment and runtime protection.
Why is CNAPP important to cloud application security?
Cloud-native application environments have become remarkably complex. App workloads may continually move between multiple private and public clouds, using mixtures of open-source and custom-developed code. Code bases never stop changing as release cycles accelerate, new features are continually rolled into production, and old code disappears.
To cope with the challenges of securing these highly dynamic environments, security operations teams often have to bolt together multiple types of cloud security tools. In addition, many companies still operate a variety of older, traditional app protection tools.
The problem is that each tool provides a siloed, limited view of application risk, potentially increasing the organization’s exposure to threats and creating more work for security professionals. SecOps teams find themselves struggling to manually correlate information from multiple tools, make sense of confusing alerts, and respond quickly.
CNAPPs promise to address these challenges by combining the capabilities of multiple cloud security tools into a single platform. As described by Gartner Inc., which first defined the CNAPP category, CNAPP products provide a more integrated approach that covers the entire app lifecycle from development to runtime protection. They employ advanced analytics to address application risk, open-source component risk, cloud infrastructure risk, and runtime workload risk.
What is CNAPP?
Ideally, a CNAPP should integrate the capabilities of four existing categories of security tools: cloud workload protection platforms (CWPP), cloud security posture management (CSPM) products, cloud application security brokers (CASB), and cloud infrastructure entitlement management (CIEM) tools. It should scan containers as well as infrastructure-as-code (IaC), and help organizations harden apps in cloud workloads both during development and after they are deployed.
In reality, CNAPP is a relatively young category, and the products are still evolving toward those goals. Not all are equally comprehensive or integrated. Some may still require add-ons to support all the workloads or cloud platforms you run, especially if your environment includes cloud services from providers other than Amazon, Microsoft, and Google. Still, it’s often possible to gain value from evolving CNAPPs for cloud application protection if they possess robust CSPM and CWPP capabilities.
Key components of a complete CNAPP
As CNAPP solutions mature, they’ll encompass ever more of the functionality of the four core elements, starting with CWPP capabilities and building out.
Cloud workload protection platform (CWPP): Protecting cloud workloads
CWPPs focus on protecting server workloads wherever they are, whether in on-premises physical or virtual machines, or in infrastructure-as-a-service (IaaS) running on public clouds. They typically combine system integrity protection, application control, behavioral monitoring, intrusion prevention, and (in some cases) anti-malware protection at runtime.
Cloud security posture management (CSPM): Ensuring proper cloud configuration
CSPMs identify, monitor, and remediate misconfigurations and compliance issues that can cause problems such as data breaches. To do so, CSPMs may embed and draw upon best practices from leading cloud providers, security control frameworks, and compliance standards – including legal requirements such as HIPAA.
Cloud application security broker (CASB): Controlling cloud usage
Sometimes described as firewalls for cloud services, CASBs sit between cloud providers and users and enforce security policies to ensure that authorized users can only access specified cloud services – and that unauthorized users are denied access. CASBs can discover the cloud services an organization is using, including unmanaged shadow IT services, and then apply diverse security enforcement policies to them. These can include authentication, authorization, single sign-on (SSO), credential mapping, device profiling, encryption, tokenization, logging, alerting, and malware detection/prevention.
Cloud infrastructure entitlement manager (CIEM): Managing cloud identities and privileges
CIEMs help organizations manage all their identities and privileges across all cloud environments. They identify and fix access entitlements that aren’t necessary or that exceed the least-privilege principle by allowing a greater level of access than is needed.
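The entitlement review described above can be sketched as a comparison of what each identity is granted against what it has actually used. This is an added example, not code from any CNAPP or CIEM product; the identities, action names, action catalog, and activity log are all constructed for illustration and do not correspond to a real cloud provider's API.

```python
from fnmatch import fnmatchcase

# Constructed catalog of every action the (hypothetical) cloud exposes.
KNOWN_ACTIONS = [
    "storage:GetObject", "storage:PutObject", "storage:DeleteBucket",
    "compute:StartInstance", "compute:StopInstance",
    "compute:TerminateInstance", "iam:PassRole",
]

# Constructed grants per identity; wildcards are allowed, as in real policies.
GRANTED = {
    "svc-billing": ["storage:GetObject", "storage:PutObject", "storage:DeleteBucket"],
    "ci-deployer": ["compute:*", "iam:PassRole"],
    "analyst-amy": ["storage:GetObject"],
}

# Constructed activity log for the review window: (identity, action) pairs.
ACTIVITY = [
    ("svc-billing", "storage:GetObject"),
    ("svc-billing", "storage:PutObject"),
    ("ci-deployer", "compute:StartInstance"),
    ("ci-deployer", "compute:StopInstance"),
    ("analyst-amy", "storage:GetObject"),
]

def expand(patterns, catalog):
    """Resolve wildcard grants to the concrete actions they allow."""
    return {a for a in catalog if any(fnmatchcase(a, p) for p in patterns)}

def review_entitlements(granted, activity, catalog):
    """Flag identities whose grants exceed what they used in the window."""
    used_by = {}
    for identity, action in activity:
        used_by.setdefault(identity, set()).add(action)
    findings = {}
    for identity, patterns in granted.items():
        effective = expand(patterns, catalog)
        used = used_by.get(identity, set()) & effective
        unused = effective - used
        wildcards = [p for p in patterns if "*" in p]
        if unused or wildcards:
            findings[identity] = {
                "unused": sorted(unused),      # candidates for removal
                "wildcards": wildcards,        # grants to replace with explicit actions
                "suggested": sorted(used),     # right-sized grant based on observed use
            }
    return findings

if __name__ == "__main__":
    for who, finding in review_entitlements(GRANTED, ACTIVITY, KNOWN_ACTIONS).items():
        print(who, finding)
```

A suggested grant is only as good as the observation window: an action used once a quarter will look unused in a 30-day log, so removals should be reviewed before they are applied.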
Benefits of a CNAPP solution
Beyond integrating previously separate solutions, CNAPPs also promise many other benefits, including:
- Easier management, more automation. CNAPPs promise to make cloud app security professionals more effective – and help them respond faster – by simplifying the identification and correlation of issues wherever they arise in cloud workloads, infrastructure, or development. At the same time, CNAPP systems can potentially widen the use of policy-based automation in security testing throughout the cloud app development lifecycle.
- Better visibility into risks. CNAPPs aim to offer a coherent view of risks arising from application code, open-source components, cloud infrastructure, misconfigurations, incorrect permissions, runtime workloads, and beyond. They should help prioritize and remediate risks in VM, container, and serverless workloads that may previously have escaped timely detection.
- Earlier detection to support shifting left in app security. Agile development practices and self-service cloud provisioning have helped developers move code into production faster than ever, but security hasn’t always been baked in upfront. CNAPP may help organizations apply DevSecOps practices to fully integrate security assessment throughout their CI/CD pipelines. For example, by surfacing code misconfigurations early in development, CNAPP can help teams avoid vulnerabilities that would otherwise only be discovered at runtime.
The role of CNAPP in cloud-native application security
By offering a holistic approach to cloud security across the entire app lifecycle, CNAPP promises developers the ability to uncover risks wherever they may emerge – in custom or open-source code, in configurations, in endpoints, containers, serverless environments, and at runtime. CNAPP aligns more closely with how cloud software is developed, thus enabling app security that is more tightly integrated throughout the development process, supporting DevSecOps initiatives, and making it easier to harden applications no matter how quickly they change.
CNAPP continues the trend of blurring the lines between cloud security and application security, says Frank Catucci, Chief Technology Officer and Head of Security Research at Invicti Security. Over time, he expects CNAPP products to offer a growing range of features as they inch closer to the goal of providing comprehensive cloud app protection.
“We’re going to see a broader convergence of capabilities into CNAPP, including support for everything from IaC to containers,” Catucci predicts.