
CNAPP: What is it and why should you take notice?

Markus Strauss at Runecast unpicks the benefits of Cloud Native Application Protection Platforms

 

The cyber security world is one of acronyms. From APTs to ZTNA, the list is long, ever-growing, and fabulously complicated. One notable recent addition to that list is CNAPP, or Cloud Native Application Protection Platforms.

 

Amidst the acronym avalanche, it would be easy to dismiss CNAPP as just another snowflake in the tundra. That would be a mistake.

 

To properly define CNAPP, we need to take a brief look at its predecessors – Cloud Workload Protection Platforms (CWPP) and Cloud Security Posture Management (CSPM).

 

CWPPs are software solutions that secure cloud-based workloads. In practice, this means that all cloud environments are protected by a single piece of software.

 

The so-called “single pane of glass” interface shows every single environment, reducing the time security professionals spend checking separate dashboards and minimising the risk of missing a potentially critical alert. Key CWPP features include intrusion prevention and malware scanning, tailored specifically to the cloud.

 

CSPM protects workloads from threats caused by misconfigurations. Many organisations are reliant on public cloud infrastructure, but far too many are unaware of the best practices or configurations of that cloud.

 

For example, when a cloud environment changes or adds a new feature, organisations don’t necessarily know how to handle the effects those changes may have on their existing configurations. To remedy this, CSPM monitors infrastructure, detects misconfiguration throughout the environment and resolves it with best practices and documented fixes.

 

Now that we’re acquainted with its family tree, we can better understand what CNAPP actually is.

 

CNAPPs are a consolidation of CWPPs and CSPM. They are a holistic approach to cloud security, combining the protection element of CWPP with the proactive monitoring capabilities of CSPM to provide full coverage of cloud environments and cloud native apps.

 

A relatively new kid on the block, CNAPP was first defined by Gartner in 2021 as:

 

“An integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production. CNAPPs consolidate a large number of previously siloed capabilities, including container scanning, cloud security posture management, infrastructure as code scanning, cloud infrastructure entitlements management and runtime cloud workload protection platforms.”

 

So, why should you take notice?

 

Cloud technology has revolutionised business and IT. It has also ramped up the complexity of infrastructure security to a hitherto unimaginable level. Tool sprawl has fast become endemic in cloud security, with a recent IBM survey revealing that the average enterprise uses 45 security tools to secure its network. The old adage rings true: more tools, more problems.

 

The crux of the tool-sprawl issue is that it stretches security professionals further than is necessary or sustainable. Flipping between dashboards and wading through alerts to gather the data needed to respond to an attack isn’t only time consuming, but immensely frustrating. Spinning so many plates means that, eventually, one will end up smashed.

 

Tool sprawl can result in a tool being left unpatched, and hackers waste no time exploiting such a vulnerability. CNAPPs address this by, as we have already mentioned, consolidating existing cloud security tools, namely CWPPs and CSPM.

 

Aside from this, CNAPPs address a whole host of problems.

 

Compatibility

CNAPPs can apply to virtually any cloud workload. Compatibility is a major issue with traditional security solutions, which are typically limited to a specific type of application or require other tools to function properly. CNAPPs replace multiple, disparate solutions, eradicating compatibility concerns.

 

The best CNAPP solutions cover all bases. They are compatible with virtual, containerised and physical workloads – across AWS, Azure, GCP, Kubernetes and VMware, along with Windows and Linux OS. This means that IT teams can strike vulnerabilities that arise from incompatibility between services and applications from their list of worries.

 

But it basically boils down to this – improved compatibility ensures cloud environments function as they should. For stressed security professionals, there is little more important than that.

 

Configuration drift and misconfiguration

Configuration drift is one of the many spectres currently haunting cybersecurity professionals. It essentially involves application owners making modifications to their applications and the underlying infrastructure, in order to improve their product.

 

Modifications of this nature bring with them changes to the configuration of applications and infrastructure. Such changes can be benign, but severe drifts can result in vulnerabilities, putting organisations at risk.

 

The best CNAPP solutions guard against configuration drifts and misconfiguration across VMs, containers, hybrid, and multi cloud infrastructure. They cover everything, from inception to delivery, shifting left to cover development cycles and bringing security and compliance every step of the way.
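The drift check described in this section, reduced to its core as an added example (not Runecast's or any CNAPP vendor's code): diff the current environment against an approved baseline and rank the differences by risk, so benign drift is separated from drift that opens a vulnerability. The setting names, values and severity rules are assumptions constructed for illustration.

```python
# Added example: drift detection against an approved baseline.
# All setting names, values and severities below are constructed for illustration.
RISK_RULES = {  # security-relevant settings and the risk of leaving the baseline
    "storage.public_access": "critical",
    "network.ssh_ingress_cidr": "high",
    "storage.encryption_at_rest": "high",
    "logging.audit_enabled": "medium",
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "benign": 3}
MISSING = "<absent>"  # marks a setting present in only one snapshot

def flatten(config, prefix=""):
    """Turn nested dicts into {'a.b.c': value} so snapshots diff key by key."""
    flat = {}
    for key, value in config.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat

def detect_drift(baseline, current):
    """Return (severity, path, expected, actual) tuples, most severe first."""
    base, cur = flatten(baseline), flatten(current)
    findings = []
    for path in sorted(set(base) | set(cur)):
        expected, actual = base.get(path, MISSING), cur.get(path, MISSING)
        if expected != actual:
            # Settings without a rule still count as drift, but as benign drift.
            findings.append((RISK_RULES.get(path, "benign"), path, expected, actual))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))

# Constructed snapshots: the approved baseline and the environment as found later.
BASELINE = {
    "storage": {"public_access": False, "encryption_at_rest": True},
    "network": {"ssh_ingress_cidr": "10.0.0.0/8"},
    "logging": {"audit_enabled": True},
    "app": {"replicas": 2},
}
CURRENT = {
    "storage": {"public_access": True, "encryption_at_rest": True},
    "network": {"ssh_ingress_cidr": "0.0.0.0/0"},
    "logging": {"audit_enabled": True},
    "app": {"replicas": 4, "feature_flag_x": True},
}

if __name__ == "__main__":
    for severity, path, expected, actual in detect_drift(BASELINE, CURRENT):
        print(f"[{severity:8}] {path}: baseline={expected!r} current={actual!r}")
```

The scaling change and the new feature flag are reported as benign drift, while the publicly readable storage and the world-open SSH rule sort to the top of the list.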

 

Threat detection

CNAPPs both scan for and resolve issues earlier in the pipeline than most traditional security solutions. Let’s go back and look at their predecessors, CWPP and CSPM, to better understand this.

 

CSPM platforms monitor for ongoing threats after implementing cloud processes. While CWPPs do work earlier in the pipeline, their scope is far smaller and swathes of an organisation’s attack surface can be missed.

 

Those who opt for a CNAPP, however, get the best of both worlds. Marrying the timeliness of CWPPs with the scope of CSPM ensures that threats across the attack surface are addressed as early as possible.

 

The beauty of CNAPPs is that they speed up threat response times throughout an application’s lifecycle. They can be used to identify misconfigurations or compliance issues before producing a new application, giving IT teams more time to take action.

 

Their transparency also enables faster responses after deployment, as security pros don’t have to switch between tools. As any self-respecting cyber-geek knows, time is everything when it comes to responding to an attack.

 

Automation

Much in the same way as consolidation soothes the pain caused by tool sprawl, the automation capabilities of CNAPPs take a veritable tonne of work off operations and security teams.

 

While automation has long been part of security solutions, CNAPP puts an unprecedented emphasis on it. It automates threat detection, regulatory compliance and reviewing protocols such as identity and access management (IAM). It then goes further, prioritising these issues based on risk.

 

As many businesses lack the budgets or staff to manage all of their cloud security operations manually, and the cyber skill shortage only continues to grow, automating as much as possible is integral to enterprise security.

 

If you take anything away from this article, it should be this: CNAPP is the future of cloud security.

 

As cloud infrastructure grows larger and more complex, CNAPP is a salve to soothe the stretch marks caused by that growth. If you want to keep up with cloud security threats, CNAPP should be firmly on your radar.

 


 

Markus Strauss is Head of Product Management at Runecast. The information for this article was largely based on this blog post.

 


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543