CEO and cofounder of Ermetic, a provider of public cloud security technology.
The benefits of the cloud—and the many new challenges it has brought—have become a daily topic of conversation for security professionals. The focus for security personnel has been on how to eliminate gaps between cloud provider security controls, which cover hardware, software and networking, and customers’ responsibilities for protecting data, applications, identity and access management, and configurations.
This is where cloud-native application protection platforms (CNAPP) come in. Gartner introduced this concept in the wake of the surge in cloud use during the pandemic pivot, when it noted that organizations had cobbled together many tools—sometimes 10 or more in one organization—to protect their growing networks of cloud-based assets.
Gartner has warned that cobbling together single-purpose tools—for workload protection and entitlement management, among other functions—would result in silos and gaps that would compromise security, as companies “lift and shift” applications to the cloud.
“Optimal security of cloud-native applications requires an integrated approach,” Gartner concluded. “SRM leaders should evaluate emerging cloud-native application protection platforms that provide a complete life cycle approach for security.”
CNAPP solves these issues with a unified cloud security structure that ties together siloed views of risk and helps address challenges in governance and compliance that often arise in cloud-based systems. The approach consolidates a large number of capabilities, including, but not limited to, infrastructure as code (IaC) scanning, container scanning, runtime cloud workload protection, cloud infrastructure entitlement management (CIEM) and cloud security posture management (CSPM).
Instead of separate tools, CNAPP takes a holistic view of risk in the cloud. It looks to empower DevOps and production teams with visibility and insights to improve security across the development lifecycle, rather than treating it as an afterthought. It gives them the capability to scan for configuration issues, sensitive data and other trouble spots, which plays a vital role in improving security posture.
The Promise Of CNAPP
CNAPP brings the benefits of prioritization through context, which can address the bane of security analysts’ existence—alert fatigue. Any one siloed security solution can produce hundreds of alerts daily, grinding analysts down until they can’t figure out what is important and what isn’t.
Solutions like security information and event management (SIEM) systems are designed to make something meaningful of this onslaught, but CNAPP takes it one step further. CNAPP does this inherently by assessing all of the risks in the environment, using advanced technology to put each signal in context and understand what is actually important. In this respect, it’s truly the next generation in application security.
CNAPP makes life much simpler and easier for teams that are already overwhelmed by the number of technologies they need to master in the cloud. Imagine having one unified picture of your organization’s attack surface and attack vectors, with automatic visualization of risks in context and investigation tools that already have access to all of the required data.
As we all know, when it comes to patching vulnerabilities or incident response, time is of the essence. CNAPP solutions have full risk context, so they can also remediate more safely and effectively, including automating remediation. Either through full auto-remediation or detailed, guided steps that can be sent to developers, the time to remediate is dramatically shorter.
The Risks Of CNAPP
No progress comes without risk. In articulating and promoting this vision, Gartner and others have created an environment where every cloud security vendor now markets CNAPP. Before choosing any CNAPP provider, there are some things you need to look out for:
• A “full” solution does not exist: The Gartner CNAPP definition is very broad. It’s a good starting point, but each organization needs to assess alternatives based on its specific requirements. An organization may not need comprehensive CNAPP capabilities today, but it’s nevertheless important to understand what a particular solution delivers now and whether it can accommodate future needs as they arise.
• Too-rapid consolidation: Just as in the case of traditional cloud security, acquisitions are becoming a big factor in CNAPP growth. So be wary of “suites” of products that don’t really work together but rather perpetuate silo challenges when stand-alone point solutions are bundled.
• Jacks-of-all-trades: Vendors often will update their marketing to “check all the CNAPP boxes.” Beware of solutions that only scratch the surface in each CNAPP discipline. Evaluate a product’s current capabilities against its ability to address your top use case.
• Old solution, new name: As in every new tech category, repositioning old products is a common technique. Take a critical look at what a vendor has offered before and how it differs from the product they are offering under the CNAPP banner.
The Path Forward
Before you embrace CNAPP, set your own priorities: What elements of cloud security are most important to you? Do you have a zero-trust or an identity-defined security initiative in your organization? Are you driven by industry best practices or compliance standards? Do you already have some solutions in place that are effective or at least “good enough” at covering some of the CNAPP building blocks? Determine this before you go into an evaluation—or at least before you purchase a platform.
Define some test scenarios for evaluating the solutions you decide to trial that align with your organization’s environment, its business and its operational structure.
As in any procurement exercise, the more you know, the better, so educate yourself about cloud technologies, application development processes and application architectures. All of these are essential to a deep understanding of cloud security.
CNAPP is emerging as a front-running framework to address most cloud security challenges, which is why security professionals should get comfortable with the concept. The architecture is in its infancy and will face growing pains, but it pays to become fluent in it now in order to plan the right path forward as CNAPP matures.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.