What’s a CNAPP and why is it essential for security?
Article by Aqua Security director for Asia Pacific and Japan Zhihao Tan.
With large-scale cloud-native deployments becoming more prevalent, enterprises are trying to bring greater efficiency and speed to cloud-native security. To achieve this, they are moving to shift security left, implementing intelligent automation, cloud security posture management (CSPM), and cloud workload protection platforms (CWPPs).
Yet, doing this on their own is proving to be a challenge, which is where cloud-native application protection platforms (CNAPPs) come in.
Gartner defines this emerging category of security solutions as helping organisations identify, evaluate, prioritise and manage risk in cloud-native applications, infrastructure, and configurations. It defines a CNAPP as ‘an integrated set of security and compliance capabilities designed to help secure and protect cloud native applications across development and production’.*
“Rather than treat development and runtime as separate problems — secured and scanned with a collection of separate tools — enterprises should treat security and compliance as a continuum across development and operations, and seek to consolidate tools where possible,”* Gartner recommends.
CNAPPs combine the capabilities of several cloud security categories, including developer security posture management (DevSPM), shift-left artifact scanning, infrastructure-as-code (IaC) scanning, CSPM, Kubernetes security posture management (KSPM), VM/IaaS security, cloud infrastructure entitlements management (CIEM), and runtime CWPP.
Using a CNAPP allows organisations to implement complete end-to-end security for cloud-native environments, rather than having to stitch together multiple solutions that address specific, discrete security issues.
This approach offers multiple benefits. Perhaps the most important is that, by providing shared context between development and production, a CNAPP allows organisations to get a full view of application risks and, thus, secure applications consistently across their life cycle.
So, let’s take a look at what makes a CNAPP a CNAPP.
A CNAPP must be a platform, meaning it has to offer a range of capabilities across the application life cycle and support various types of workloads, stacks, and cloud environments. It must support multiple integrations and be able to tie into multiple teams and processes across an organisation.
It also needs to provide a unified, consistent experience. Many existing solutions offer only partial capabilities; for example, addressing just infrastructure, runtime, or scanning. Others cobble together several products that aren’t well-integrated and don’t provide a seamless experience.
A CNAPP also must be available either as a Software-as-a-Service (SaaS) or on-premises solution in order to be suitable for highly regulated sectors like finance and healthcare.
However, these integrated platforms provide more than just visibility and monitoring. The ‘protection’ component means that a CNAPP must be able to respond to attacks and block them as they occur.
This capability takes a CNAPP one step beyond even the most robust shift-left protection and hardening of the environment. This is crucial because those steps, although important, won’t protect organisations from zero-day exploits or from runtime attacks by highly motivated attackers who use advanced techniques to evade detection.
The high speed at which DevOps moves code through the CI/CD pipeline is one reason why conventional security solutions are less effective in cloud-native environments. Cloud-native attacks move at the same speed as cloud-native apps, so the ability of a CNAPP to detect, automatically respond to and block attacks in real time, both in your DevOps pipeline and in running workloads, is imperative.
For a platform to protect an application, it must be able to identify and understand the application context.
This means tracking artifacts throughout the application life cycle and applying security controls that address risks according to the context. For example, just knowing that “container 4c01db0b339c executed ps” isn’t enough. You also need to know such things as:
- Which application the container belongs to.
- Which image it originated from.
- Whether executing ps is normal for the container in that application.
- Whether executing ps in that context is legitimate or might indicate an attack.
That’s why it’s important for a security solution to be embedded into the CI/CD pipeline and to integrate with DevOps tools. To understand the application context, it’s critical for a platform to scan artifacts in the build phase and to maintain their integrity from build to deployment. What happens in this phase has a very important bearing on your security posture at runtime.
In turn, this helps to make decisions about deployment; for example, preventing unvetted images from running in production. If a solution doesn’t achieve this, it’s not a CNAPP.
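The two ideas above, enriching a bare runtime event such as “container 4c01db0b339c executed ps” with application context, and using build-phase scan results to keep unvetted images out of production, can be sketched in a few dozen lines. The following is an added illustration written for this article, not code from Aqua or from any CNAPP product; the artifact inventory, process baselines, container list and digests are constructed sample data, and the function names are the example’s own.

```python
"""Context-enriched runtime events and a deploy-time image gate.

Added example: all registries, baselines and container ids below are
constructed sample data, not taken from any real environment or product.
"""
from dataclasses import dataclass, field

# Artifact inventory produced by build-phase scanning (constructed data).
# Keyed by image digest, not tag, so a retagged image cannot bypass the gate.
SCANNED_ARTIFACTS = {
    "sha256:aaaa1111": {"app": "payments-api", "critical_vulns": 0, "signed": True},
    "sha256:bbbb2222": {"app": "reporting-batch", "critical_vulns": 2, "signed": True},
    "sha256:cccc3333": {"app": "payments-api", "critical_vulns": 0, "signed": False},
}

# Per-application process baselines observed during build/test (constructed).
PROCESS_BASELINE = {
    "payments-api": {"java", "sh"},
    "reporting-batch": {"python3", "ps", "sh"},
}

# Running containers as reported by the orchestrator (constructed).
CONTAINER_INVENTORY = {
    "4c01db0b339c": {"image": "sha256:aaaa1111", "pod": "payments-api-7f9c"},
    "9e2d77ab10f4": {"image": "sha256:bbbb2222", "pod": "reporting-batch-0"},
}


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def admit_image(digest: str, max_critical: int = 0) -> Decision:
    """Deploy-time gate: run only images that were scanned, signed and within policy."""
    art = SCANNED_ARTIFACTS.get(digest)
    if art is None:
        # No build-phase record at all: the image was never vetted.
        return Decision(False, ["image digest has no build-phase scan record"])
    reasons = []
    if not art["signed"]:
        reasons.append("image signature missing: build-to-deploy integrity not established")
    if art["critical_vulns"] > max_critical:
        reasons.append(
            f"{art['critical_vulns']} critical vulnerabilities exceed limit {max_critical}"
        )
    return Decision(not reasons, reasons)


def admit_pod(image_digests: list) -> Decision:
    """Admission-style check over every container image in a pod spec."""
    reasons = []
    for digest in image_digests:
        d = admit_image(digest)
        reasons.extend(f"{digest}: {r}" for r in d.reasons)
    return Decision(not reasons, reasons)


def contextualise_exec(container_id: str, process: str) -> dict:
    """Turn 'container X executed Y' into a verdict that knows the app and image."""
    ctr = CONTAINER_INVENTORY.get(container_id)
    if ctr is None:
        # A container the inventory has never seen is itself worth flagging.
        return {"container": container_id, "process": process, "verdict": "unknown-container"}
    art = SCANNED_ARTIFACTS.get(ctr["image"], {})
    app = art.get("app", "unknown")
    baseline = PROCESS_BASELINE.get(app, set())
    return {
        "container": container_id,
        "image": ctr["image"],
        "app": app,
        "process": process,
        "verdict": "expected" if process in baseline else "anomalous",
    }


if __name__ == "__main__":
    print(admit_pod(["sha256:aaaa1111", "sha256:cccc3333"]))
    print(contextualise_exec("4c01db0b339c", "ps"))
    print(contextualise_exec("9e2d77ab10f4", "ps"))
```

The same `ps` execution is reported as anomalous for the payments container and as expected for the reporting container, which is exactly the distinction the bare event cannot make on its own; the deploy gate likewise refuses an image that has a clean scan but no signature, since integrity from build to deployment is part of the context.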
What truly makes an application protection platform a CNAPP is its ability to be built and tailored specifically for cloud-native environments.
The dynamically orchestrated, ephemeral workloads that characterise cloud-native applications mean that traditional network-based security tools aren’t sufficient. In a cloud-native environment, it’s risky to rely on endpoint detection and response, host-based, or firewall-based security solutions.
For a platform to protect an application in a cloud-native environment, it must be able to analyse, track, monitor and control multiple types of cloud-native workloads, such as containers, serverless functions, and VMs. It also must be compatible with cloud native infrastructure, including Kubernetes, IaC tools, and multiple public cloud providers.
To be an effective CNAPP, a platform must be designed for cloud-native environments. If it can scan for container vulnerabilities but is oblivious to the other aspects of cloud-native listed above, it’s not a CNAPP.
Organisations are seeking to bring more efficiency and greater speed to security for their large-scale cloud-native deployments. Employing a collection of security tools that aren't integrated and are not built specifically for the cloud-native environment makes this effort more difficult. It also increases risk.
CNAPPs provide integrated security and compliance capabilities that are designed to help secure and protect cloud native applications across both development and production.
* Gartner, “Innovation Insight for Cloud-Native Application Protection Platforms,” Neil MacDonald, Charlie Winckless, August 25, 2021