What is a cloud native application protection platform?
Gartner has defined the cloud native application protection platform (CNAPP) as “an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production.” CNAPP comprises a new category of cloud security platforms, combining the capabilities of:
Why is CNAPP needed today?
In short, CNAPP solutions matter because they can provide complete coverage for today's environments. Traditional security approaches and tools were designed to protect on-premises data centers and endpoints, not cloud native apps and services. So, with the shift to cloud native technologies and modern development practices (e.g., infrastructure as code [IaC], CI/CD pipelines, containers, serverless functions, Kubernetes), those traditional security tools fall short.
To ensure that cloud services meet security best practices and compliance mandates while maintaining speed, organizations need application security that identifies risk early in development, offers immediate remediation, and provides continuous assurance. Moreover, with development happening in a wide variety of cloud infrastructures, that security needs to be consistent. The interconnected, interdependent nature of everything makes it difficult to identify and remediate security issues and vulnerabilities with traditional approaches.
Securing the cloud environment means securing cloud service configurations and the production environment
Dynamic and ephemeral environments, faster release cycles, and cloud-deployed apps and technologies (e.g., software and infrastructure as a service [SaaS and IaaS]) all lead to new cybersecurity challenges. Securing a cloud environment means ensuring the security of your cloud service configurations and production environment at a minimum, with runtime protection a valuable layer of additional protection. Security teams need to optimize cloud security and compliance to support DevOps and minimize friction, and to do that, they need to evolve from protecting infrastructure to protecting applications that run on workloads.
Challenges in using disparate tools
As organizations grow organically, they tend to end up with a mixture of technologies in use, with disparate security controls in various cloud environments. Security teams deploy multiple tools, including CSPM, CIEM, CWPP, and others, to secure cloud infrastructure and production environments. However, this approach leaves them unable to effectively focus, prioritize, and remediate risk, thanks to:
- Visibility gaps and security blind spots
- Multiple sources of data points vs. a single source of truth
- Information overflow and time-consuming data collation processes
- Alert fatigue without any indication of critical issues that need immediate attention
- Limited resources, technical expertise, and training on each tool
- Operational complexity and increased overhead from managing each tool separately
Trying to maintain proper controls using disparate tools across complex environments takes a lot of time, resources, and manual effort. To effectively manage risk, security teams need a single pane of glass through which to gain visibility and define consistent security policies throughout the cloud infrastructure and production environment.
Ideally, a comprehensive security solution such as a CNAPP can provide complete security coverage to help you keep up with ephemeral, containerized, and serverless environments while reducing complexity and overhead.
Analyst perspective and recommendations
In "Innovation Insight for Cloud-Native Application Protection Platforms," Gartner offers this advice: “Rather than treat development and runtime as separate problems — secured and scanned with a collection of separate tools — enterprises should treat security and compliance as a continuum across development and operations, and seek to consolidate tools where possible.”
Key recommendations include:
- Implement an integrated security approach that covers the entire life cycle of cloud native applications, starting in development and extending into production.
- Scan development artifacts and cloud configuration comprehensively, and combine this with runtime visibility and configuration awareness to prioritize risk remediation.
- Evaluate emerging CNAPP offerings as contracts for CSPM and CWPP expire, and use this opportunity to reduce complexity and consolidate vendors.
How does CNAPP work?
CNAPP platforms bring together multiple security tools and functions to reduce complexity and overhead, providing:
- The combined capabilities of CSPM, CIEM, and CWPP tools
- Correlation of vulnerabilities, context, and relationships across the development life cycle
- Identification of high-priority risks with rich context
- Guided and automated remediation to fix vulnerabilities and misconfigurations
- Guardrails to prevent unauthorized architecture changes
- Easy integration with SecOps ecosystems to send alerts in near-real time
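The correlation step in the list above, as an added example that is not Zscaler's or any vendor's code: findings from separate CSPM, CIEM, and CWPP feeds are grouped by resource so that a workload flagged by several of them outranks one with an isolated finding. The field names, resource IDs, severities, and scoring rule are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample findings, as three separate tools might report them.
# Field names, resource IDs and severities (1-10) are assumptions.
FINDINGS = [
    {"source": "CSPM", "resource": "vm-web-01", "issue": "security group allows 0.0.0.0/0 on 22", "severity": 6},
    {"source": "CWPP", "resource": "vm-web-01", "issue": "critical vulnerability in installed package", "severity": 9},
    {"source": "CIEM", "resource": "vm-web-01", "issue": "instance role has wildcard storage access", "severity": 7},
    {"source": "CWPP", "resource": "vm-batch-07", "issue": "critical vulnerability in installed package", "severity": 9},
    {"source": "CSPM", "resource": "bucket-logs", "issue": "access logging disabled", "severity": 3},
    {"source": "CIEM", "resource": "svc-ci", "issue": "unused admin permission", "severity": 5},
]


def correlate(findings):
    """Group findings from all tools under the resource they refer to."""
    by_resource = defaultdict(list)
    for f in findings:
        by_resource[f["resource"]].append(f)
    return dict(by_resource)


def prioritize(findings):
    """Rank resources so that ones flagged by several tool categories rise.

    Score (illustrative assumption, not a standard formula):
    highest single severity multiplied by the number of distinct sources.
    """
    ranked = []
    for resource, items in correlate(findings).items():
        sources = sorted({f["source"] for f in items})
        score = max(f["severity"] for f in items) * len(sources)
        ranked.append({"resource": resource, "score": score, "sources": sources,
                       "issues": [f["issue"] for f in items]})
    # Highest score first; resource name breaks ties deterministically.
    return sorted(ranked, key=lambda r: (-r["score"], r["resource"]))


if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(f'{row["score"]:>3}  {row["resource"]:<12} {"+".join(row["sources"])}')
```

Viewed per tool, vm-web-01 and vm-batch-07 carry the same critical vulnerability; only the correlated view shows that the first is also exposed and over-privileged.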
Figure 1: What CNAPP encompasses (Image adapted from Gartner's "How to Protect Your Clouds with CSPM, CWPP, CNAPP, and CASB," May 6, 2021)
There is synergy in combining CWPP and CSPM capabilities, and multiple vendors are pursuing this strategy. The combination will create a new category of Cloud-Native Application Protection Platforms (CNAPPs) that scan workloads and configurations in development and protect workloads and configurations at runtime.
Key capabilities of a CNAPP
As a convergence of so many security and compliance tools, CNAPPs have dozens of specific capabilities. Let's look at the broader strokes of what a CNAPP enables your organization to do.
Secure multicloud infrastructure
Discover all apps, APIs, cloud resources, identities, and sensitive data. Gain complete visibility of compliant and noncompliant resources across AWS, Azure, and Google Cloud, and prioritize them for remediation based on risk.
Secure production environment
Move security earlier in the development process (i.e., "shift left"). Empower your DevOps professionals to detect threats and vulnerabilities sooner, and fix them faster, to ensure applications and data are compliant.
More easily detect and manage vulnerabilities and security misconfigurations as well as perform network-based behavioral monitoring, policy enforcement, and identity-based cloud workload segmentation.
Continuous governance and compliance
Minimize audit fatigue with automated security controls for continuous compliance and governance of data, configurations, and permissions.
Team collaboration platform
Incorporate common workflows, data correlation, meaningful insights, and remediation to reduce friction and foster team collaboration between DevSecOps, DevOps, and cloud security operations.
The most significant benefit of a CNAPP approach is better visibility and control of cloud-native application risk.
Zscaler and CNAPP
Zscaler Cloud Protection is a powerful answer to the growing need for CNAPP platforms, delivering a new approach that takes the operational complexity out of cloud workload security. Our innovative zero trust architecture reduces business risk by automatically remediating security gaps, minimizing the attack surface, and eliminating lateral threat movement.
If you’ve been challenged with a public cloud security stack fragmented across different tools from third-party vendors and cloud providers, take a look at how Zscaler Cloud Protection can simplify your cloud security infrastructure while improving security with a zero trust approach.