Demystifying CNAPP (Cloud Native Application Protection Platforms) to improve enterprise security posture

The ability to compete in fast-paced, software-driven markets has become critical for enterprises, and as digital technology and cyber threats evolve together, security is central to that success.

The new norm of large-scale cloud native deployments is putting pressure on enterprises to combine “shift left” DevSecOps, intelligent automation, CSPM (cloud security posture management) and CWPPs (cloud workload protection platforms) to bring efficiency and speed to cloud native security. For many in the cloud-tech arena, just navigating the minefield of jargon and the evolving cloud landscape is a challenge in itself.

Since Gartner coined the term Cloud Native Application Protection Platform (CNAPP), many vendors have jumped on the bandwagon. How can CISOs identify, and disregard, solutions that are marketed as CNAPPs but were never designed and optimised for cloud native? It is critical to know the essential components to look for.

Conflicting team challenges

There are some clear security challenges for cloud native deployments. Application security teams face a steady stream of vulnerabilities coming out of CI/CD pipelines, cloud security teams struggle with cloud configuration issues, and SecOps teams field alerts and incidents from the production environment. With each team operating separately and working from different sources of data, the result is inefficient prioritisation of issues, wasted effort, higher costs, little continuous improvement of security posture and, ultimately, elevated risk.

By embracing security earlier in the development cycle, embedding it right through to production, and working from a unified view of risk across development and production environments, DevSecOps teams can collaborate better and produce a more secure environment. But to protect a growing technology ecosystem, it is vital to understand what a cloud native application is, what its lifecycle looks like, and what capabilities an effective CNAPP needs.

Understanding a ‘cloud native’ application and application lifecycle

A “cloud native” application is built and run to take advantage of the cloud delivery model: typically packaged as containers, structured as loosely coupled services, and managed by an orchestrator such as Kubernetes. Cloud native development is a way to speed up building new applications, optimising existing ones and connecting them all; the overall aim is to deliver what users want at the pace the business needs.

For a CNAPP to protect these distributed applications adequately, it must identify and understand the application context: which image a container was built from, which pipeline built it, and which cluster and cloud account it runs in. Traditional network-based security tools have none of this context. An effective CNAPP shares context between development and production, giving it a full view of application risk so it can secure applications consistently across their entire lifecycle. It is vital that a platform supports the broadest range of environments, from public clouds to application platforms (for instance, Red Hat OpenShift or VMware Tanzu Application Service), as well as Windows containers, and applies consistent controls across the entire application lifecycle.

It is generally accepted in the industry that a unified, full lifecycle approach is the only effective way to secure cloud native applications. The concept of full lifecycle security means providing “scalable security for the complete development-to-deployment lifecycle of containerised applications”.

Embracing the full cloud-native infrastructure

To be truly cloud native, a CNAPP must be aware of, and capable of analysing, tracking, monitoring and controlling, the different types of cloud native workload: containers, serverless functions and VMs. It must also integrate with the full stack of cloud native infrastructure, including Kubernetes, infrastructure-as-code (IaC) tools, multiple public cloud providers and more. Being cloud native is key: if a solution scans for container vulnerabilities but covers no other aspect of cloud native, it is not a CNAPP.

Appreciating why a CNAPP is needed means understanding the convergence of three trends: containers, DevOps and cloud. Because of the breadth of capabilities required from a CNAPP, both across the application lifecycle and in supporting multiple types of workload, stack and cloud environment, an effective platform will have many integrations and be intrinsically connected to various teams and processes within the organisation.

Workload protection is only part of the picture; an effective CNAPP also bundles posture management. The first component is cloud security posture management (CSPM), a capability that identifies cloud misconfiguration issues and cloud-based compliance risks, such as a publicly readable storage bucket or an over-permissioned identity.

A CNAPP should also include Kubernetes security posture management (KSPM). KSPM is the use of automated tooling to discover and fix security and compliance issues in any component of Kubernetes. It checks the configurations that govern Kubernetes resources, for instance a pod that runs privileged or mounts the host filesystem, and flags mistakes that could lead to a breach.
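
As an added illustration of the kind of check KSPM performs (example code written for this page, not Aqua's product code), the following Python walks a Pod spec supplied as a plain dict and reports the host-access and privilege settings a posture tool flags. Both manifests are constructed for the example, and the image digest in the hardened one is a placeholder.

```python
"""Added example (not Aqua's code): a minimal KSPM-style check of a Pod spec.

It walks a Kubernetes Pod manifest, supplied here as a Python dict with the
same shape the YAML would have, and reports the misconfigurations a posture
tool typically flags. Both manifests below are constructed for the example.
"""


def check_pod(pod: dict) -> list:
    """Return a list of (scope, finding) tuples; an empty list means clean."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Host namespace sharing exposes node processes, network and IPC to the pod.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("pod", f"{flag} is enabled (shares the node's namespace)"))

    # hostPath mounts give the container a view into the node's filesystem.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(("pod", f"volume {vol['name']!r} mounts hostPath {path}"))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append((name, "privileged: true"))
        # A container-level value overrides the pod-level one when both are set.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append((name, "runAsNonRoot not set: may run as UID 0"))
        # Kubernetes defaults allowPrivilegeEscalation to true unless it is disabled.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation not set to false"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "readOnlyRootFilesystem not set"))
        added = sc.get("capabilities", {}).get("add", [])
        if added:
            findings.append((name, f"adds capabilities {added}"))
    return findings


# Constructed: a 'debug' pod with the classic node-takeover settings.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "docker-sock",
                     "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "shell",
            "image": "example.com/tools:latest",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "docker-sock",
                              "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

# Constructed: the same workload with the settings a hardened baseline expects.
# The digest is a placeholder, not a real image.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "api",
            "image": "example.com/api@sha256:" + "0" * 64,
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(check_pod(pod))} finding(s)")
        for scope, finding in check_pod(pod):
            print(f"  [{scope}] {finding}")
```

The weak manifest produces seven findings and the hardened one none. A real KSPM tool applies the same logic to every resource type in the cluster (Deployments, DaemonSets, RBAC bindings, network policies) rather than a single Pod, and reads the live API rather than a dict.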

A CNAPP may provide many security functions from code to build to deployment and beyond. Performing all of them in one holistic platform removes friction from DevSecOps processes, enables insights with context and improves overall enterprise security posture.

How CNAPPs fall short across the application lifecycle

The most important requirement of this tool is protection, not merely monitoring: a CNAPP should be able to stop attacks as they happen. Even the most robust ‘shift left’ controls cannot, by themselves, defend against zero-day exploits or sophisticated runtime attacks, because those arrive after the code has been scanned and deployed.

A CNAPP that cannot keep up with the speed of DevOps and of code moving through the CI/CD pipeline, and detect and respond to attacks in real time, is not relevant to 2022’s cyber challenges. Many CNAPPs also fail to offer granular runtime controls such as drift prevention. Teams must be able to monitor running workloads and block any change to a container that departs from the image that was authorised for deployment, for example a binary dropped into the container after it started. It is important to be able to detect and block such suspicious activity without killing containers or incurring application downtime.
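
To make the drift-prevention idea concrete, here is an added example (written for this page, not Aqua's agent code) of the decision logic: the build stage records every executable in the image as a path-to-digest map, and at runtime each exec is allowed only if its path and contents match that record. The file contents and exec events are constructed stand-ins; a real agent would observe exec from the kernel and track image layers rather than rehashing files.

```python
"""Added example (not Aqua's code): drift prevention as an executable allowlist.

At build time the image's executables are recorded as a path -> sha256 map.
At runtime every exec event is checked against that map: a binary that was
not in the image, or whose contents no longer match, is drift and is blocked
while the container keeps running. File contents and events are constructed
stand-ins for the example; a real agent would hook exec via the kernel.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Build stage: stand-in contents of the executables shipped in the image.
IMAGE_FILES = {
    "/usr/local/bin/api-server": b"\x7fELF stand-in for api-server v1",
    "/bin/sh": b"\x7fELF stand-in for busybox sh",
}


def build_manifest(files: dict) -> dict:
    """Record what was authorised to run: path -> digest of its contents."""
    return {path: sha256(content) for path, content in files.items()}


IMAGE_MANIFEST = build_manifest(IMAGE_FILES)

# Runtime: exec events as an agent would report them (constructed).
RUNTIME_EVENTS = [
    {"path": "/usr/local/bin/api-server",
     "content": IMAGE_FILES["/usr/local/bin/api-server"]},   # legitimate
    {"path": "/tmp/xmrig",
     "content": b"\x7fELF stand-in for a dropped miner"},     # not in image
    {"path": "/bin/sh",
     "content": b"\x7fELF stand-in for a replaced sh"},       # modified in place
]


def evaluate_exec(event: dict, manifest: dict) -> tuple:
    """Decide per exec: ('allow'|'block', reason). Only the exec is denied,
    so the container itself keeps serving traffic."""
    expected = manifest.get(event["path"])
    if expected is None:
        return "block", f"{event['path']} was not in the image (new binary)"
    if sha256(event["content"]) != expected:
        return "block", f"{event['path']} differs from the build (modified binary)"
    return "allow", f"{event['path']} matches the image manifest"


def enforce(events: list, manifest: dict) -> list:
    """Return [(path, verdict, reason), ...] in event order."""
    return [(e["path"], *evaluate_exec(e, manifest)) for e in events]


if __name__ == "__main__":
    for path, verdict, reason in enforce(RUNTIME_EVENTS, IMAGE_MANIFEST):
        print(f"{verdict:5} {reason}")
```

The point of the example is the granularity: the miner dropped into /tmp and the replaced shell are each denied at exec time, while the unchanged api-server binary and the container around it are untouched, which is what "without killing containers" means in practice.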

Key features of an effective CNAPP

There are some key features of a CNAPP which organisations can’t afford to overlook.

  1. A solution must be embedded in the CI/CD pipeline and integrated with a broad suite of modern DevOps tooling. Knowing the application context is critical.
  2. A solution is only a true CNAPP if it scans artifacts in the build phase and maintains their integrity from build to deployment, carrying the application context with them; that context can then inform granular deployment decisions (for example, preventing unvetted images from running in production).
  3. A platform must be available as SaaS or on-premises, to suit the needs of highly regulated industries such as finance and healthcare.
  4. It is also important to choose a CNAPP with extensive role-based access controls that support separation of duties (SoD) across multiple applications, teams and roles, enabling true enterprise-wide implementations that can protect the largest cloud native environments.
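
Point 2 above, build-to-deployment integrity feeding a deployment decision, is illustrated by the following added example (written for this page, not Aqua's product code). The build stage records the digest of each image it scanned and approved; an admission check then refuses any image reference that is not pinned by digest, since a tag can be re-pointed after the scan, and any digest the build never approved. The registry name, manifest bytes and digests are constructed for the example.

```python
"""Added example (not Aqua's code): an admission check that only lets vetted,
digest-pinned images into production.

The build stage records the digest of each image it scanned and approved.
At deploy time each image reference is parsed; a tag-only reference is
rejected because a tag can be re-pointed after the scan, and a digest the
build never approved is rejected as unvetted. Image names, manifest bytes
and digests below are constructed for the example.
"""
import hashlib


def parse_ref(ref: str) -> tuple:
    """Split 'registry[:port]/repo[:tag][@sha256:hex]' into (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    tag = None
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:          # a ':' after the last '/' is a tag, not a port
        name, tag = name[:colon], name[colon + 1:]
    return name, tag, (digest or None)


def image_digest(manifest_bytes: bytes) -> str:
    """An OCI image digest is the sha256 of its manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


# Build stage: manifests the scanner approved (constructed stand-in bytes),
# recorded as name -> set of approved digests.
APPROVED = {
    "registry.example.com:5000/team/api": b'{"schemaVersion":2,"config":"api-v1.4"}',
}
VETTED = {name: {image_digest(m)} for name, m in APPROVED.items()}


def admit(ref: str, vetted: dict) -> tuple:
    """Return (admitted: bool, reason)."""
    name, tag, digest = parse_ref(ref)
    if digest is None:
        shown = tag or "latest"   # no tag means the runtime assumes 'latest'
        return False, f"{ref}: not pinned by digest; tag '{shown}' is mutable"
    # When both are present the runtime pulls by digest, so the tag is ignored.
    if digest not in vetted.get(name, set()):
        return False, f"{ref}: digest was not approved by the build stage"
    return True, f"{ref}: vetted image, admitted"


def admit_workload(images: list, vetted: dict) -> bool:
    """A workload is admitted only if every one of its images is."""
    return all(admit(ref, vetted)[0] for ref in images)


if __name__ == "__main__":
    name = "registry.example.com:5000/team/api"
    good = name + ":1.4@" + next(iter(VETTED[name]))
    for ref in (name + ":latest", name + "@sha256:" + "0" * 64, good):
        print(admit(ref, VETTED))
```

In a cluster this logic would sit behind a validating admission webhook, and the vetted set would come from the pipeline's scan results (or a signature check) rather than an in-memory dict; the decision itself, digest present and digest approved, is the same.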

A holistic cloud native security approach is vital 

In the context of today’s evolving threat landscape, it is not enough for security and development teams to agree with DevSecOps in theory. An organisation must practise the approach and secure cloud native applications from day one to succeed in the fast-paced arena of software development.

An effective CNAPP embeds security across the full software development lifecycle, from build to runtime, in real time. Only an integrated platform approach will enable an organisation to elevate its security posture and accelerate its digital transformation.

About the Author

Rani Osnat is SVP Strategy at Aqua Security. Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
