CNAPP: The Future of Cloud Security

The cloud has arrived. According to data from the Cloud Security Alliance (CSA), 89% of organizations now host sensitive data or workloads in the cloud. But increased use doesn’t necessarily mean better protection: 44% of companies feel “moderately” able to protect this data, and 33% say they’re only “slightly” confident in their defense.

With cloud networks growing exponentially, businesses need a new way to handle both existent and emerging threats. Cloud-native applications protection platforms (CNAPP) offer an integrated, end-to-end security approach that can help companies better manage current conditions and prepare for future attacks.

What is CNAPP?

As noted by research firm Gartner in their August 2021 Innovation Insight for Cloud-Native Application Protection Platforms report (paywall), CNAPP is “an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production.”

The goal of CNAPP solutions is to protect cloud-based applications across their entire lifecycle, from initial deployment and integration to regular use and maintenance to eventual end-of-life. Rather than taking a point-based approach to security that sees companies adopting multiple solutions which may (or may not) work in tandem to solve security issues, CNAPP looks to provide a single user interface and a single source of truth for all cloud-related security processes.

In effect, this approach prioritizes the centralization of cloud security processes to help companies better manage disparate applications and services.

Why Is Security in the Cloud so Challenging?

Effective security relies on effective attack path analysis – the categorization and protection of pathways. In a traditional infrastructure model, these pathways were relatively simple, stretching from internal resources to Internet applications and back.

Highways offer a simple analogy. Say that your resources are in San Francisco, California, and the Internet is in San Jose. Different highways offer different paths to the same destination. Installing checkpoints along these highways, meanwhile, makes it possible for companies to ensure that cars heading into San Francisco or back to San Jose have permission to do so. If they don’t, they’re not allowed to proceed.

The cloud significantly complicates this process by adding a host of new destinations and attack pathways, both on the ground and in the air. Where companies might have managed 50 potential points of compromise, in the cloud this number could be 5000 or 50,000 —and is constantly growing. Plus it is 100x easy to misconfigure the points of compromise.

As a result, there are both more vehicles traveling and more routes for them to travel, in turn making it 100x more complicated to see and secure the cloud. This in turn, increases the risk of traffic getting into or out of your network without the proper permissions, resulting in everything from lateral compromise to ransomware payloads to advanced persistent threats (APTs).

Clouds also create a challenge when it comes to third-party protection. While cloud-native applications are evolving to meet new enterprise requirements, well-known or specialized third-party solutions are often tapped for additional security controls or to provide enhanced functionality. In our traffic example, this means that different checkpoints are managed by different vendors that may not always speak the same language or use the same metrics. This means it’s possible for one of these checkpoints to report a false positive or negative, in turn putting your local cloud environment at risk.

How Can CNAPP Help Companies Address Cloud Security Challenges?

CNAPP solutions makes it possible to centralize security management for greater visibility and control. According to Gartner, this is accomplished via five key components:

1. Infrastructure as Code (IAC) Scanning
   IAC scanning helps companies identify potential issues with distributed configurations across their network. This is especially critical as infrastructure provisioning becomes more and more automated. Without the ability to regularly scan for potential weak points, IAC becomes a potential liability.
2. Container Scanning
   Containers are a critical part of cloud computing. By making it possible to package applications in a platform- and service-agnostic framework, it’s easy for companies to deploy new services without rebuilding code from the ground up. The caveat? Containers that have been compromised present serious risks. As a result, container scanning is critical.
3. Cloud Workload Protection Platforms (CWPPs)
   CWPPs are designed to discover workloads within both cloud and on-premises infrastructure and then perform vulnerability assessments to determine if these workloads pose potential risks based on current policies and if any actions are required to remediate this risk.
4. Cloud Infrastructure Entitlement Management (CIEM)
   CIEM tools help handle identity and access across the cloud. By automatically granting, revoking, and administering access to cloud services, the judicious application of CIEM solutions make it possible for companies to adopt a principle of least privilege approach to access.
5. Cloud Security Posture Management (CSPM)
   CSPMs automate the process of identifying and remediating risk across IaaS, PaaS, and SaaS deployments in enterprise clouds. These tools provide the data-driven foundation for risk visualizations and assessments that empower effective incident response.

Working together, these solutions make it possible for companies to see what’s happening in their cloud network environments, when, and why, in turn allowing IT teams to prioritize alerts and take immediate action. Consider the RedSeal Stratus CNAPP solution, which provides companies with a “blueprint map” of their entire cloud framework to identify where resources are located and full attack path analysis to identify where they are exposed.

In the context of our highway example, RedSeal Stratus makes it possible to map every possible path and checkpoint taken, in addition to providing information about each exposed resource at risk in San Francisco and who can get to them within minutes. This makes it possible to assess the net effective reachability of all aspects of your cloud and pinpoint areas that require specific action.

What Comes Next for CNAPP?

Put simply, CNAPP is the future of cloud security, but it’s not a monolithic, one-size-fits-all solution. Given the rapidly-changing scope and nature of cloud services, CNAPP solutions won’t be one-vendor affairs but rather a consolidation of differing vendor specialties under a unified platform model that provides a single pane of glass visibility for users.

Moving forward, companies should expect an increasing focus on the data residing in the resources as the core component of CNAPP. This includes not only a focus on how they are accessible and permissions but on positively identifying where they’re located, what they’re doing, who is accessing them, risks and how they interact with other services and solutions both on-Premise and cloud.

CNAPP is coming of age. Make sure you’re ready for the next generation of cloud security with RedSeal.