CNAPP -- what is it and why should you care about it? [Q&A]
The IT world is littered with acronyms and one of the latest is CNAPP, standing for Cloud Native Application Protection Platform. If you haven't heard about it already you almost certainly will do soon.
We spoke to Stanimir Markov, CEO at Runecast, about CNAPP, what it is and how it can benefit modern enterprises and their cloud environments.
BN: Has cloud security been neglected in the dash to hybrid and remote working?
SM: To a certain extent, yes. Especially when the pandemic hit, naturally most organizations just wanted to 'make things work' at any cost, and security took a back seat. Another aspect of that is the overall skill shortage. While many businesses already had plans to embrace cloud and containers, this disruptive global event forced them and even in a way empowered them to accelerate that journey. Relatively quickly they ended up with a complex hybrid or multi-cloud setup and a mix of cloud-native and traditional applications. The skills and experience to properly manage the security and compliance of their new IT take longer to develop and are very often insufficient. Especially if you want to do it in a holistic way.
BN: What is CNAPP and how does it differ from other solutions like CWPP and CSPM?
SM: It doesn't really differ. You can think of CNAPP as a set of capabilities that include CSPM capabilities, CWPP capabilities, as well as DevOps Security and potentially an additional set of capabilities like CIEM, Cloud Network Security and Segmentation. While the CNAPP term has been changing slightly since it was introduced in 2021, Gartner generally defines cloud-native application protection platforms (CNAPPs) as an 'integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production'. All of these capabilities are typically siloed and over time organizations acquired multiple tools, at least one for each capability. The market is starting to see the need for converging them, in order to implement a more holistic approach that actually works. Gartner just gave this convergence a name -- CNAPP.
Cloud-native applications usually leverage container or serverless components, but still communicate with traditional virtual or physical machines, with other cloud or on-prem workloads. They are also rapidly developed, released into production and scaled up and down. Considering the unique characteristics of cloud-native applications, they are impossible to secure without applying a truly integrated approach that covers their entire lifecycle -- from development to production.
BN: How can these solutions be consolidated but still deliver security for the business?
SM: Very often organizations attempt to consolidate these capabilities by stitching together 10 or more tools they already have. Leaving aside how costly this can be, it usually fails to deliver the integrated security approach necessary to protect cloud-native applications. It is logical that analyst firms advise customers to seek vendors that can help them converge these capabilities into fewer tools or ideally one platform. Often larger vendors try to address that by stitching a number of products, some coming through acquisitions, into what ends up being a loosely integrated platform they offer to their customers. One of the major differentiators we offer with the Runecast platform is that the CNAPP capabilities we ship are all organically part of the same product and not put together from separate tools. This helps our customers to achieve an integrated security and compliance approach towards protecting their IT.
BN: Does this benefit operations as well as security teams?
SM: Ultimately the CNAPP approach helps achieve visibility and control over your applications' security risk. Empowering the operations teams with such visibility and control helps them maintain continuous security and compliance throughout operations. The operations folks are typically the ones tasked with providing security reports and remediating any gaps. Having one platform and a unified view that can be used by operations and security teams benefits the integration of these two roles and the efficiency of their efforts.
BN: Will we see the CNAPP approach start to become mainstream?
SM: Absolutely. There is a clear demand for such convergence of security and compliance capabilities, and we have seen the CNAPP popularity grow increasingly fast since the term was coined in 2021. We, at Runecast, are proud to be one of the pioneers in the category. It is exciting to be in such a space where the problems are complex and dynamic, which calls for continuous innovation.