Getting to grips with cloud-native application protection platform (CNAPP) security -- to protect everything, everywhere, all of the time
As many CISOs are discovering, protecting cloud native environments requires a fundamental shift in thinking when it comes to keeping threats at bay. The huge change in the technology stack, the rapid delivery of software updates, and the unfettered use of open source all present new challenges that old-style security tools cannot resolve.
Rather than using different point solutions that only solve specific security issues and need to be manually stitched together, Gartner recommends adopting a unified and end-to-end full lifecycle solution that starts in development and extends to deliver comprehensive runtime protection. In other words, a cloud-native application protection platform (CNAPP).
The problem is that not all CNAPPs are the 'real deal', which explains why many organizations will find themselves grappling with a growing stream of vulnerabilities emanating from their CI/CD pipelines on the one hand, while their SecOps teams are being deluged by alerts and configuration issues arising from their production environments on the other.
To understand what truly constitutes a complete end-to-end cloud native security platform, let’s first take a look at the implications of cloud native from a wider enterprise security perspective.
Getting to grips with cloud native security -- the basics
Cloud native has generated a huge shift in the way today’s modern applications are built, one that has seen organizations embrace new agile methodologies and become increasingly reliant on open source code. They’re also utilizing microservices featuring multiple ports per app that are proving a top target for cybercriminals. But that’s not all.
They’re also using tools like Kubernetes to automate the deployment, scaling and management of a growing array of container-based applications. The problem is that traditional network-based security tools were never designed with cloud native traffic in mind and have limited capabilities in these new dynamically orchestrated environments. They’re also proving ineffective when it comes to undertaking fast and efficient endpoint monitoring and incident response in a distributed microservices environment.
As IT and infosec leaders are discovering, cloud native changes the rules of the game when it comes to managing the overall risk exposure of the enterprise. Alongside gaining deep visibility over all open source components to ensure security vulnerabilities can be identified before applications are released into production, they now need to ensure that security controls follow workloads wherever these are run to assure protection everywhere.
Unfortunately, relying on the security offerings provided by the major cloud hyperscalers isn’t the answer because these services will not deliver the single-pane-of-glass view across every enterprise environment. And that’s especially challenging for organizations looking to pursue a multi-cloud strategy.
What’s needed is an end-to-end security solution that makes it possible for enterprises to securely build, ship and run their cloud native applications and enable comprehensive runtime protection in each and every environment. And that’s where CNAPP comes into play.
Protecting everything, everywhere, all of the time
Not all CNAPP solutions are the real deal when it comes to providing the unified and end-to-end protection today’s enterprises need. For example, a solution that scans for container vulnerabilities but is oblivious to other security aspects related to cloud native isn’t CNAPP.
When it comes to identifying the essential attributes a CNAPP should possess, CISOs and IT leaders should be on the lookout for solutions that can:
- Analyze, track, monitor and control all types of cloud native workloads (containers, serverless functions and VMs).
- Work with the full stack of cloud native infrastructure: Kubernetes, infrastructure-as-code (IaC) tools, cloud providers and more.
- Support multi-cloud and hybrid cloud security with no need to reconfigure controls or policies for each environment: secure once, run everywhere and with minimal effort.
- Deliver full lifecycle security: if a solution can’t scan code in the build phase and maintain integrity from build to deployment, it’s not a true CNAPP solution.
Going for gold -- what differentiates best-in-class CNAPP solutions from the rest
To transform their cloud native security posture, organizations will need to deploy enterprise-grade cloud native security solutions that are purpose-built for the task of stopping cloud native attacks from development to production, while also securing the underlying infrastructure.
Best-in-class solutions will feature unified capabilities across several cloud security categories: everything from shift-left artifact scanning, through CSPM and Kubernetes security posture management, to runtime cloud workload protection.
The most robust and comprehensive CNAPPs also feature an integrated supply chain security solution that prevents exposure to the potential software security risks that can be introduced via third party packages and tools.
Finally, the very best solutions will also offer features like drift prevention capabilities that assure the immutability of workloads at runtime, together with proactive workload monitoring that makes it possible to block any suspicious container activity with no downtime or restarts. All of this enables organizations to detect and stop attacks wherever applications are deployed -- on-prem, in the public cloud or in a hybrid environment.
Rani Osnat is SVP Strategy at Aqua Security.