As the cloud security landscape evolves, many organizations are adjusting and evaluating their control stacks to include new services, cloud-native options and cloud platforms offered by well-known security vendors.
The past few years have seen an influx of cloud security acronyms, including CASB, CSPM and CWPP, to name a few. Now, another acronym is entering the mix: CNAPP, which stands for cloud-native application protection platform.
What exactly is this new acronym? Why may it be useful? What companies should consider a CNAPP in their cloud architecture and deployment planning? Let's take a look.
What is a CNAPP?
A cloud-native application protection platform, in short, is a combination of existing cloud security technology areas. CNAPPs represent a convergence of workload security and configuration security for the cloud control plane, which are already covered by cloud workload protection platforms (CWPPs) and cloud security posture management (CSPM). CNAPPs also incorporate identity entitlement management; automation and orchestration security -- particularly for Kubernetes; and API discovery and protection.
CNAPPs focus on the concept of cloud-native, which involves cloud-centric technologies and controls that help lock down and secure the entire application deployment process in a single product. Limited team capacity is the primary industry driver for cloud-native products generally and CNAPPs specifically. Most cloud security and security operations teams are overwhelmed and don't have the time or bandwidth to build and manage separate control models that cover workloads, cloud services, identities and the cloud control plane.
Before adopting a CNAPP
Security, DevOps and cloud engineering teams may wonder why they need a CNAPP: Is this something that makes sense? Are there any viable offerings in the marketplace? These are good questions, especially since a growing number of cloud security tools and services have emerged over the last few years.
CNAPPs are not a mature option yet. The component elements of CNAPPs, described earlier, are rapidly maturing, but the combined offering is early in development. Most commercial products today are good at one or perhaps several of the core elements that constitute CNAPPs, but almost no commercial vendor excels in all of them. CWPP tools are plentiful, and CSPM services are common; however, few vendors have excelled in both areas, along with orchestration and API security.
Why CNAPPs may be useful
CNAPPs emphasize cloud security controls and assessments earlier in the pipeline than standalone options have in the past. For example, CNAPPs scan infrastructure-as-code (IaC) templates for configuration controls before deployment, and they check container images for vulnerabilities and Kubernetes pod and cluster configuration settings for weaknesses. While these areas have each been covered to some degree, no single vendor or product offers significant strength in all of them.
CNAPPs are also heavily focused on automation and API integration, which is appealing to DevOps teams that want security controls to be integrated with pipeline tools and services to minimize disruption and streamline continuous integration/continuous delivery deployments.
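The pre-deployment configuration check described above, reduced to its core: an added example, not the article's code or any vendor's product, that gates a Kubernetes pod manifest in a CI pipeline on a handful of well-known risky settings. The manifests are constructed samples in JSON (which kubectl accepts alongside YAML, so no YAML library is needed), and the thresholds are the ones a practitioner would typically start with.

```python
import json

WEAK_POD = json.dumps({            # constructed: the manifest as it might first be written
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "app", "image": "example/web:latest",
                             "securityContext": {"privileged": True}}]}})

HARDENED_POD = json.dumps({        # constructed: the same pod with every finding fixed
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{
        "name": "app", "image": "example/web:1.4.2",
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True}}]}})

def image_unpinned(image: str) -> bool:
    """True when the image reference floats (no tag, or :latest) rather than a fixed tag/digest."""
    ref = image.rsplit("/", 1)[-1]                 # drop registry/repo path, which may contain ':'
    return "@" not in ref and (":" not in ref or ref.endswith(":latest"))

def check_pod(manifest: dict) -> list[str]:
    """Return one finding per risky setting in a Pod manifest (empty list means clean)."""
    findings, spec = [], manifest.get("spec", {})
    pod = manifest.get("metadata", {}).get("name", "<unnamed>")
    for flag in ("hostNetwork", "hostPID", "hostIPC"):   # host namespace sharing
        if spec.get(flag):
            findings.append(f"{pod}: {flag} is enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        who = f"{pod}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{who}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{who}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            findings.append(f"{who}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{who}: root filesystem is writable")
        if image_unpinned(c.get("image", "")):
            findings.append(f"{who}: image tag is not pinned")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{who}: no resource limits")
    return findings

def gate(manifest_json: str) -> tuple[bool, list[str]]:
    """CI gate: (True, []) lets the deploy proceed; (False, findings) blocks it."""
    findings = check_pod(json.loads(manifest_json))
    return (not findings, findings)
```

Running `gate(WEAK_POD)` blocks with seven findings, while `gate(HARDENED_POD)` passes cleanly; in a real pipeline the block would fail the job and attach the findings to the change for the author to fix before anything reaches a cluster.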
The future of CNAPPs
The cloud-native application protection platform concept is likely to succeed, even if the acronym itself does not.
There is a definite need for unified security capabilities across the DevOps pipeline -- particularly when it comes to workload images, IaC, and orchestration and vulnerability posture; configuration and controls for the cloud control plane; and runtime workloads in the cloud.
There are several requirements cloud-native application protection platforms need to meet to achieve these goals: powerful API integration for asset discovery and for vulnerability and configuration posture; integration with DevOps pipeline tools to quickly and accurately assess IaC templates and workload images; and runtime protection for all types of workloads, including serverless functions.