
Zscaler Blog


Best Practices for Reducing Public Cloud Security Risk with CNAPP


Cloud security is currently addressed by a wide variety of security solutions. This patchwork approach creates problems for security teams because the tools are siloed, each offering its own narrow, isolated view of a portion of the overall security posture. Without consistent security controls across development, deployment, and runtime, security teams are stuck attempting to prioritize across disparate findings, vulnerabilities and misconfigurations being just two examples. This creates unnecessary friction between security and operations teams, leads to security blind spots, and introduces complexity that slows teams down.


Key concerns and challenges of securing the public cloud:

Securing dynamic, complex environments 

According to Gartner, more than 80% of organizations use multiple clouds today. It is important to secure them to protect organizations from potential breaches. The complexity of multi-cloud environments and the need to coordinate across various stakeholders—from cloud operations and cloud architects to DevOps and traditional security teams—compounds security challenges.

Prioritize remediation of true risk 

As the number of data breaches, vulnerabilities, and sophisticated attacks rises, it becomes difficult to identify the actual risks that pose the greatest threat to the business. At a time when organizations of all sizes are challenged to keep security teams adequately staffed, being able to prioritize and remediate risk is more essential than ever, as there just isn’t enough time or resources to fix every issue.

Reactive, slow response to security incidents 

According to this IBM report, without automation, it takes an average of 228 days to identify a breach and 80 days to contain it, for a total of 308 days. As public cloud infrastructure and native services continue to expand and evolve, security resources to protect them remain limited. On top of that, having multiple solutions to secure the cloud leads to alert fatigue, with hundreds of alerts received daily, all with equal weight and importance. Moreover, expanding threat vectors and emerging attack strategies, vulnerabilities, and exploits, along with insiders capable of bypassing security measures, create a reliance on reactive security and can leave organizations exposed.


Why cloud-native application protection platform (CNAPP)?


Gartner has defined the cloud-native application protection platform (CNAPP) as “an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production.” 

CNAPP, by its nature, consolidates many of the most important features from siloed point products into a single offering. The main capabilities are usually listed as IaC scanning, runtime protection, and cloud configuration. These tools can replace CSPM, CIEM, IaC scanning, vulnerability scanning, and more. With the automated protection offered by CNAPP, organizations can ensure strong collaboration within teams on a single platform, address limited staff and knowledge gap issues, and reduce the complexity and cost that come with point products. Most importantly, it helps automate and implement security best practices with ease and secure cloud-native environments without disrupting development workflows.

Let's explore how CNAPP can help to automate, enforce, and implement security best practices:

Complete visibility and control

Comprehensive visibility and control is imperative to secure the public cloud. Security, operations, and DevOps teams need the entire picture to mitigate risk and threats as early as possible. Given the dynamic and ephemeral nature of cloud and services, it can be difficult for teams to continuously monitor and track risks, especially in complex environments with high churn. Organizations need the right platform that can integrate seamlessly with cloud services and drive strong team collaboration, visibility, and control. 

CNAPP provides comprehensive visibility and insight into the metrics and controls needed to continuously monitor the environment without interfering with or distracting teams from their respective workflows.


Fig: Posture Control (Zscaler CNAPP solution) centralized dashboard for visibility and control

Eliminate misconfigurations

The greatest risk to the public cloud stems from misconfiguration. Gartner predicts that cloud misconfigurations will be the top root cause of successful cloud security breaches for a long time to come. Through the year 2025, 99% of cloud security issues will be the customer’s fault. Misconfigurations are common and can result in sensitive data and workloads being accidentally exposed to the internet, or provide an attack vector for malicious actors. Adherence to security best practices can secure the cloud from the common misconfiguration mistakes that leave data exposed, and provide entry points for attackers or ransomware attacks.

CNAPP allows security teams to tightly integrate security into the cloud services, providing unified, comprehensive security across multi-cloud environments and control over cloud configurations and applications. CNAPP can easily identify misconfigurations by continuously scanning cloud environments and enforcing best practices to secure the cloud from misconfigurations. It also provides remediation recommendations and auto-remediation options for common misconfigurations to mitigate the risk caused by configuration errors. 

Enforce least privilege

As digital transformation and cloud migration initiatives continue to accelerate, security teams need to manage thousands of human and non-human identities and their associated permissions, as these are the most common entry points for threats. Forrester estimates that at least 80% of data breaches have a connection to compromised privileged credentials, such as passwords, tokens, keys, and certificates. Organizations need a holistic, risk-based approach that secures these human and machine identities to protect applications, infrastructure, and data.

CNAPP provides security teams with comprehensive permissions intelligence that can be used to precisely implement least-privileged access. Security teams get total context and a visual topography of access to resources, sensitive data, network connections, configurations, and more in a single dashboard. This enables them to enforce stringent policies that protect permissions and grant access only where needed, without overwhelming the operations team or stifling development innovation.


Fig: Posture Control identity and entitlement view dashboard

Prioritize risks based on context

A significant purpose of prioritizing risks is to form a basis for allocating and effectively managing the limited resources available to mitigate them. Prioritizing risk can be challenging in complex, dynamic public cloud environments with limited staff, time-consuming data collation, and the overhead of managing multiple point security solutions.

A CNAPP spans multiple cloud platforms and natively integrates with developer and DevOps tools to correlate critical signals across several cloud services. It identifies hidden risks across the cloud-native lifecycle, as well as attack paths and patterns caused by a combination of misconfigurations, threats, and vulnerabilities, and prioritizes them based on the severity of business impact, rich context, and remediation guidance.




Fig: Posture Control risk and threats correlation and prioritization dashboard 
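The correlation described in this section, as an added example that is not Zscaler's code or scoring model: findings from three separate tools are grouped per resource, and combinations that together form an attack path outrank a single high-severity finding. The resource names, finding types, severities, and combination weights are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample findings, as three siloed tools might report them.
FINDINGS = [
    {"tool": "cspm", "resource": "vm-web-01", "type": "public_exposure", "severity": 5},
    {"tool": "vuln", "resource": "vm-web-01", "type": "vulnerability", "severity": 7},
    {"tool": "ciem", "resource": "vm-web-01", "type": "excessive_permission", "severity": 4},
    {"tool": "vuln", "resource": "vm-batch-07", "type": "vulnerability", "severity": 9},
    {"tool": "cspm", "resource": "bucket-logs", "type": "public_exposure", "severity": 5},
    {"tool": "ciem", "resource": "fn-report", "type": "excessive_permission", "severity": 6},
]

# Assumed weights: finding types that together form an attack path
# multiply the risk instead of being ranked one by one.
COMBOS = {
    frozenset({"public_exposure", "vulnerability"}): 2.0,
    frozenset({"public_exposure", "vulnerability", "excessive_permission"}): 3.0,
}

def group_by_resource(findings):
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["resource"]].append(f)
    return grouped

def rank_by_severity_only(findings):
    """What a single-tool view gives: highest individual severity first."""
    worst = {r: max(f["severity"] for f in fs)
             for r, fs in group_by_resource(findings).items()}
    return sorted(worst, key=lambda r: (-worst[r], r))

def prioritize(findings):
    """Rank resources by worst severity times the largest matching combo weight."""
    ranked = []
    for resource, fs in group_by_resource(findings).items():
        types = frozenset(f["type"] for f in fs)
        base = max(f["severity"] for f in fs)
        weight = max((w for combo, w in COMBOS.items() if combo <= types), default=1.0)
        ranked.append({"resource": resource, "score": base * weight,
                       "types": sorted(types)})
    return sorted(ranked, key=lambda r: (-r["score"], r["resource"]))

if __name__ == "__main__":
    print("severity only:", rank_by_severity_only(FINDINGS))
    for row in prioritize(FINDINGS):
        print(row)
```

Ranked by severity alone, the internal batch VM comes first; once the findings are correlated, the internet-facing VM that is also vulnerable and over-permissioned moves to the top.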

Shift left security (Infrastructure as Code security)

As Infrastructure as Code (IaC) usage grows across teams, the chances of configuration errors and other mistakes are higher, leading to amplification of security incidents. Developers have strong expertise in building applications, but their experience varies regarding provisioning, testing, and securing IaC usage. 

CNAPP helps to automate IaC security to detect potential security vulnerabilities in infrastructure code early and fix them before they go into production, to minimize risk and maintain cloud compliance. Overall, it helps to enforce IaC best practices, strengthen IaC security, and establish a strong collaboration among development, security, and compliance teams. 


Fig: Posture Control IaC scan and risk detection
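A pre-deployment check of the kind this section and the misconfiguration section describe, as an added example that is not Posture Control's implementation: it reads a Terraform plan in the JSON shape produced by `terraform show -json` and flags internet-exposed admin ports and public bucket ACLs before anything is applied. The plan content, resource addresses, and the policy (which ports count as administrative) are constructed assumptions.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
PLAN_JSON = """
{"resource_changes": [
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "change": {"actions": ["create"], "after": {"ingress": [
     {"cidr_blocks": ["0.0.0.0/0"], "from_port": 22, "to_port": 22, "protocol": "tcp"},
     {"cidr_blocks": ["0.0.0.0/0"], "from_port": 443, "to_port": 443, "protocol": "tcp"}]}}},
  {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
   "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
  {"address": "aws_s3_bucket_acl.private", "type": "aws_s3_bucket_acl",
   "change": {"actions": ["create"], "after": {"acl": "private"}}},
  {"address": "aws_security_group.old", "type": "aws_security_group",
   "change": {"actions": ["delete"], "after": null}}
]}
"""

ADMIN_PORTS = {22, 3389}  # assumed policy: SSH/RDP must not be world-reachable
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def scan_plan(plan_text):
    """Return (resource address, reason) for each risky planned resource."""
    findings = []
    for rc in json.loads(plan_text).get("resource_changes", []):
        after = rc["change"].get("after")
        if not after:  # deletions have no planned state to inspect
            continue
        if rc["type"] == "aws_security_group":
            for rule in after.get("ingress") or []:
                cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
                ports = range(rule.get("from_port", 0), rule.get("to_port", 0) + 1)
                hit = sorted(p for p in ADMIN_PORTS if p in ports)
                if cidrs & OPEN_CIDRS and hit:
                    findings.append((rc["address"], f"admin port(s) {hit} open to the internet"))
        elif rc["type"] == "aws_s3_bucket_acl":
            if after.get("acl") in ("public-read", "public-read-write"):
                findings.append((rc["address"], f"bucket ACL is {after['acl']}"))
    return findings

def gate(plan_text):
    """CI exit code: non-zero blocks the deployment."""
    return 1 if scan_plan(plan_text) else 0

if __name__ == "__main__":
    for address, reason in scan_plan(PLAN_JSON):
        print(f"{address}: {reason}")
```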

Maintain continuous compliance  

Compliance is a continuous process in the cloud. With CNAPP, organizations can continuously review and monitor their compliance posture, and enforce compliance with pre-defined checks based on the industry standards and regulatory frameworks (e.g., CIS, NIST, HIPAA, PCI DSS), while automating time-consuming compliance processes. Organizations can easily address risks and non-compliance issues to meet regional and industry mandates as well as avoid financial risks like penalties and reputational damage. It can generate reports for compliance, security, and business leaders from a single dashboard. 


Fig: Posture Control compliance dashboard 



Organizations continue to take advantage of cloud services for storage, virtual machines, containers, serverless functions, and more. This introduction of new cloud technologies has increased the potential for security weaknesses and vulnerabilities. CNAPP solutions like Posture Control can help automate enforcement of security best practices that unify security and decrease operational complexity across increasingly heterogeneous and sprawling public cloud environments. By automating security best practices, organizations can shift the culture from teams working in silos to continuous collaboration, improvement, and compliance from development through deployment into production. It can improve security without becoming a bottleneck to Dev and DevOps teams who rely on crucial cloud services to move the business forward.

Talk to our experts or schedule a demo to discover how Posture Control can help reduce public cloud risk. 
