Gartner’s 2023 “Market Guide for Cloud-Native Application Protection Platforms” (CNAPP) caused some security leaders to question whether they need yet another tool to protect the complex beast that is the cloud.
Procuring yet another shiny security product is probably not how you earn the envy of your peers, but if your organization relies on shipping secure applications fast, then CNAPP should be on your radar. What exactly is CNAPP? It’s right there in the name:
Cloud native application is the thing being secured. Cloud native software is typically custom-developed, greenfield software that’s designed to run in cloud environments. A cloud native application is the opposite of a legacy commercial off-the-shelf application.
Protection platform implies a broad security feature set, interoperability and ecosystem integrations.
CNAPP is not a one-for-one replacement for existing tools. Most organizations are not, and may never be, fully cloud native and must continue to maintain the security of their traditional environments. CNAPP won’t displace the endpoint protection for your remote workforce, for example.
Even though some CNAPP capabilities sound like they address the same problems as traditional tools, they specifically serve the use cases around securing modern applications and infrastructure developed for the cloud.
This includes benefits of elasticity and resiliency via on-demand resources without the need to over allocate, as was often the case with traditional architecture. If you’re not building cloud native applications (yet), you don’t need a CNAPP (yet). In short, CNAPP is for securing software you build, not software you buy.
Most organizations, particularly those in the midst of digital transformation, find that they are building applications or functionality, though, regardless of the industry they operate in.
Teams Have Unique Needs
Because CNAPP helps secure the software you build, the tool must serve the needs of an unusually broad audience and interoperate smoothly with a large set of systems. The platform must be friendly and frictionless for developers, who may not have advanced security skills, and security operations teams, who may not have much development experience. The workflow challenges we’ve faced for decades with remediation and response persist here. And they’re exacerbated by the massive scale, speed and complexity of digital transformation.
When considering a CNAPP product, make sure the evaluating team includes representatives from all potential user groups. Pay special attention to workflow, integrations with development tools (e.g., git) and SOC tools (e.g., SIEM), and whether data is presented with appropriate, actionable context for each user persona. Overall, it helps to take an application-centric view.
Think of CNAPP as addressing the security of an application throughout its entire life cycle, rather than focusing on traditional IT silos or security domains.
Shift Left, Shield Right, Do the Hokey Pokey
Shift left is about catching security issues earlier in the application life cycle. Shield right is about making sure that the workload is safe from attacks at runtime because it’s impossible to ship something completely flawless.
Are you starting to get whiplash from what sounds like conflicting guidance? Don’t worry. This is simply defense in depth, 2020s version. A good CNAPP tool should enable layered defense, which means your application’s code, artifacts, configurations and all other components are checked before delivery, and then they are rigorously monitored as they run in real time.
An effective CNAPP also provides some form of risk aggregation and correlation. For example, the platform could spotlight vulnerable assets that are reachable from the internet or whether known vulnerable libraries are being used by a given application.
Taking an application-centric approach to security comes with substantial complexity. Teams that typically don’t work together must collaborate very closely. There is no room for adversarial relationships, and reducing friction should remain a priority.
Implemented effectively, this strategy allows you to form a view of aggregated risk around the application, its components and its supporting infrastructure. We can then reason more effectively about investments in the security program to address the underlying sources of risk instead of playing whack-a-mole with vulnerabilities.
We’re asking a lot of one tool here, and most vendor offerings will be missing pieces or be weaker in some areas. If you’re going to shop for a CNAPP, it’s best to forget the acronyms altogether and focus on your specific requirements. You can start with NIST SP 800-53 and the CSA Cloud Controls Matrix, but you’ll need to tailor them to your organization before you can evaluate whether a given CNAPP provides relevant controls. The market is still maturing, and you should evaluate a vendor’s product roadmap as heavily as their existing feature set.
Are Cloudy Threats a Risk?
Supply chain risk has been of great concern for security leaders for years. When your business builds its own software, you are directly responsible for much more of that software supply chain than when you consume software from a vendor. New risks come into play, like the piles of malicious images lurking in public repositories or sophisticated attacks targeting cloud assets.
On the bright side, building gives you more control over the features you deliver and the security of both the delivery process and the final product. A security program with effective tooling designed specifically for cloud puts your organization in a better position to mitigate risk due to a rapidly evolving threat landscape.
Like most security challenges, maintaining security posture remains largely a human problem, not just tooling. Getting the most value out of CNAPP relies heavily on organizational factors, cloud consumption patterns and design choices, not technical problems alone.
Note: This article was originally published in The New Stack.