Sysdig
Cloud Native Learning Hub

Cloud Native Application Protection Platform (CNAPP) Fundamentals

The more the cloud native application space evolves, the more moving parts seem to be introduced. Thankfully, the industry has learned from previous iterations of technology and takes a very modular approach with cloud native technologies. As such, existing CI/CD pipelines and runtime platforms can be extended and updated as better methods are discovered. This includes integrating everything from external storage solutions through CSI drivers like NetApp Trident, to enhancing CI pipelines with products from the DevSecOps space like static application security testing (SAST).

The downside of all this modularity is complexity. It can be daunting even to figure out what to introduce into the application lifecycle to get a reasonable level of security policy and enforcement in place. This is where the Cloud Native Application Protection Platform (CNAPP) comes into play. A CNAPP provides in-depth coverage across the whole environment, from proactive validation of workloads before they are deployed to auditing the configuration of the public cloud platform they run on.

So What is CNAPP?

Gartner has recently introduced Cloud Native Application Protection Platforms, or CNAPP, as a new product category. The idea is to have a defined set of criteria for holistic coverage, which lets customers and vendors see the value that a suite brings, rather than a series of point solutions that then need to be stitched together.

A similar thing happened with Application Performance Management (APM) solutions almost a decade ago. As industry adoption increased, everyone knew what to expect and what the minimum functionality was, all before starting down the path of a proof of concept.

A CNAPP encapsulates five concepts under its umbrella, from development to production and back to development. 

These capabilities are:

  • Development artifact scanning
  • Cloud Security Posture Management (CSPM)
  • Infrastructure as Code (IaC) scanning
  • Cloud infrastructure entitlement management
  • Runtime cloud workload protection platform

A feedback loop creates true end-to-end coverage of a cloud native application lifecycle.

What Does CNAPP Do?

The best way to describe what a Cloud Native Application Protection Platform does is to describe its five core capabilities.

Development artifact scanning

There are two major areas of artifact scanning, and they apply whether the artifact is source code or a compiled binary: Software Composition Analysis (SCA) and application security testing.

SCA inspects an artifact to find the open source libraries it includes, then records the version and license of each library in use. With that information it can list any Common Vulnerabilities and Exposures (CVE) entries that apply, along with their severity rating, and attach the result as a report or as metadata on the artifact in the repository where it lives.
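The SCA pass described above, as an added example that is not part of the original page or Sysdig's product code: it matches a CycloneDX-style SBOM against an advisory feed and produces both per-finding output and the summary metadata a registry could attach to the artifact. The SBOM and the feed are constructed inline so the script runs offline; CVE-2021-44228 (Log4Shell) is a real advisory, but its affected range is simplified here to 2.0 <= version < 2.15.0, and the version comparison is a plain numeric tuple rather than Maven's real ordering rules.

```python
"""Minimal software composition analysis (SCA) pass over an SBOM.

Added example, not Sysdig's code. The SBOM and advisory feed are constructed
inline so the script runs offline. CVE-2021-44228 (Log4Shell) is real; its
affected range is simplified here to 2.0 <= version < 2.15.0.
"""
import json
import re

# Constructed CycloneDX-style SBOM fragment (not the output of a real build).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.4", "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ]
}
"""

# Constructed advisory feed: one real entry (Log4Shell) with a simplified range.
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "package": "org.apache.logging.log4j:log4j-core",
     "introduced": "2.0", "fixed": "2.15.0",
     "severity": "CRITICAL", "cvss": 10.0},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.

    A suffix such as '-beta9' is dropped; a real scanner would apply the
    ecosystem's own ordering rules (Maven, semver, PEP 440, ...).
    """
    core = re.match(r"[0-9][0-9.]*", version).group(0)
    return tuple(int(part) for part in core.strip(".").split("."))


def is_affected(version, advisory):
    """True when introduced <= version < fixed (fixed=None means still unfixed)."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < parse_version(fixed)


def component_key(component):
    """Package key in 'group:name' form, or just 'name' for npm-like ecosystems."""
    group = component.get("group")
    return f"{group}:{component['name']}" if group else component["name"]


def scan_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) match."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        licenses = [l["license"].get("id", "?") for l in comp.get("licenses", [])]
        for adv in by_package.get(component_key(comp), []):
            if is_affected(comp["version"], adv):
                findings.append({
                    "package": component_key(comp), "version": comp["version"],
                    "licenses": licenses, "id": adv["id"],
                    "severity": adv["severity"], "cvss": adv["cvss"],
                    "fixed_in": adv.get("fixed"),
                })
    return findings


def artifact_metadata(findings):
    """Summary a registry could attach to the image or package as labels."""
    highest = max((f["severity"] for f in findings),
                  key=lambda s: SEVERITY_RANK[s], default="NONE")
    return {
        "vuln.count": len(findings),
        "vuln.highest_severity": highest,
        "vuln.ids": sorted({f["id"] for f in findings}),
    }


if __name__ == "__main__":
    results = scan_sbom(SBOM_JSON, ADVISORIES)
    for f in results:
        print(f"{f['severity']:8} {f['id']} {f['package']}@{f['version']} "
              f"(fixed in {f['fixed_in']}, license {','.join(f['licenses'])})")
    print(artifact_metadata(results))
```

Only the 2.14.1 copy of log4j-core is reported; the 2.17.1 copy and jackson-databind pass. The metadata dict is the part a CI gate or an admission controller would read back from the registry, which is what makes a later "new critical CVE on an artifact already in production" event actionable.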

Application security testing falls into three main groupings: static (SAST), dynamic (DAST), and interactive (IAST). SAST inspects the source code or built artifact, without running it, for violations of best practice and common mistakes such as unchecked buffers. DAST treats the running application as a black box and probes it the way an attacker would, looking for missing input validation, unauthenticated pages, and similar weaknesses. IAST instruments the application while it runs, but only analyzes the code paths that are actually exercised, so it is most often used where QA teams are running functional tests.

Cloud Security Posture Management (CSPM)

Posture is what something looks like while it is running, like a person's posture when standing up. We have all been told not to slouch and to stand up straight. A CSPM does this for the cloud platform in use: it continuously inspects the live configuration and alerts on anything that does not match the expected baseline. Examples would be ports open to the internet or IAM roles with more access than required.

Infrastructure as Code (IaC) scanning

A big draw of the cloud native ecosystem is the ability to automate everything an application needs to run. IaC can be things like CloudFormation templates, Kubernetes manifests, Dockerfiles, or Terraform configurations and plans. The idea behind IaC scanning is to find obvious security flaws in those definitions before they are applied, reach production, and cause problems.
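The CSPM and IaC scanning sections above describe the same check applied at two points in time: against the definition before it is applied, and against the live account afterwards. The block below is an added example, not Sysdig's code or a real scanner: one "admin port open to the world" rule is run over a Terraform plan (the shape `terraform show -json tfplan` emits) and over the live security group (the shape `aws ec2 describe-security-groups` returns), and for live findings it produces the AWS CLI call that would close the hole. Both inputs are constructed inline and the group ID is a placeholder.

```python
"""One rule, two data sources: a Terraform plan before apply (IaC scanning)
and the live account afterwards (CSPM).

Added example, not Sysdig's code. Both inputs are constructed inline in the
shapes produced by `terraform show -json tfplan` and
`aws ec2 describe-security-groups`; the group ID is a placeholder.
"""
import json

# Constructed plan JSON (only the fields this example reads are included).
PLAN_JSON = """
{
  "format_version": "1.1",
  "resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "before": null, "after": {
       "name": "web",
       "ingress": [
         {"from_port": 443, "to_port": 443, "protocol": "tcp",
          "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
         {"from_port": 22, "to_port": 22, "protocol": "tcp",
          "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}
       ]}}}
  ]
}
"""

# Constructed describe-security-groups output for the same group once deployed,
# plus an extra all-traffic IPv6 rule added by hand after the apply.
LIVE_JSON = """
{
  "SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web",
     "IpPermissions": [
       {"FromPort": 443, "ToPort": 443, "IpProtocol": "tcp",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
       {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
       {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
     ]}
  ]
}
"""

ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


def normalize_plan(plan_json):
    """Plan ingress blocks -> common records {source, group, proto, from, to, cidrs}."""
    rules = []
    for rc in json.loads(plan_json)["resource_changes"]:
        if rc["type"] != "aws_security_group" or "delete" in rc["change"]["actions"]:
            continue
        for ing in (rc["change"]["after"] or {}).get("ingress", []):
            rules.append({"source": "plan", "group": rc["address"],
                          "proto": ing["protocol"], "from": ing["from_port"],
                          "to": ing["to_port"],
                          "cidrs": set(ing.get("cidr_blocks", []))
                          | set(ing.get("ipv6_cidr_blocks", []))})
    return rules


def normalize_live(live_json):
    """describe-security-groups output -> the same common record shape."""
    rules = []
    for sg in json.loads(live_json)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            rules.append({"source": "live", "group": sg["GroupId"],
                          "proto": perm["IpProtocol"],
                          "from": perm.get("FromPort", 0),
                          "to": perm.get("ToPort", 65535), "cidrs": cidrs})
    return rules


def check_world_open_admin(rules):
    """Flag ingress from anywhere to an admin port, or to every port."""
    findings = []
    for r in rules:
        if not (r["cidrs"] & ANYWHERE):
            continue
        if r["proto"] == "-1" or (r["from"] == 0 and r["to"] == 65535):
            findings.append({**r, "rule": "all-ports-open-to-world", "severity": "HIGH"})
            continue
        exposed = [n for p, n in ADMIN_PORTS.items() if r["from"] <= p <= r["to"]]
        if exposed:
            findings.append({**r, "rule": f"{'/'.join(exposed)}-open-to-world",
                             "severity": "HIGH"})
    return findings


def remediation_command(finding):
    """For a live finding, the AWS CLI call that revokes exactly the bad rule.

    A plan finding returns None: it is fixed in the .tf source, not in the account.
    """
    if finding["source"] != "live":
        return None
    perm = {"IpProtocol": finding["proto"]}
    if finding["proto"] != "-1":
        perm["FromPort"], perm["ToPort"] = finding["from"], finding["to"]
    v4 = sorted(c for c in finding["cidrs"] & ANYWHERE if ":" not in c)
    v6 = sorted(c for c in finding["cidrs"] & ANYWHERE if ":" in c)
    if v4:
        perm["IpRanges"] = [{"CidrIp": c} for c in v4]
    if v6:
        perm["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
    return ("aws ec2 revoke-security-group-ingress --group-id "
            f"{finding['group']} --ip-permissions '{json.dumps(perm)}'")


if __name__ == "__main__":
    for f in check_world_open_admin(normalize_plan(PLAN_JSON) + normalize_live(LIVE_JSON)):
        print(f["source"], f["group"], f["rule"], remediation_command(f) or "fix in IaC")
```

The plan scan catches the SSH rule before it exists; the live scan catches the same rule if the plan scan was bypassed, and also the IPv6 all-traffic rule that was never in code at all. That second case is why posture checking is needed even with perfect IaC scanning. Whether the revoke call runs automatically or is only proposed is the policy decision the "Five Steps" section below is about.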

Cloud Infrastructure Entitlement Management (CIEM)

This is probably the most proactive area within a CNAPP. The CIEM functionality looks at the cloud platforms it is connected to, compares the permissions each identity has been granted with the ones it actually uses, and makes recommendations on how to reach a least-privilege model. It can find things like admin access being granted where only read access is needed. Once those decisions are made, the CSPM can check the live environment for deviations from them.
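The granted-versus-used comparison described above, as an added example that is not Sysdig's code: an IAM policy with broad wildcards is compared against CloudTrail-style events for one role, and the result is a list of unused grants, a list of wildcard grants, and a recommended policy containing only the actions that were actually exercised. The policy, the events and the role ARN are constructed inline (the `userIdentity.arn` field is simplified to the role ARN itself; real assumed-role events carry the role under `sessionContext.sessionIssuer`). CloudTrail `eventName` usually equals the IAM action name but not always, which is a known caveat of this approach.

```python
"""Least-privilege recommendation from granted vs. actually used permissions.

Added example, not Sysdig's code. The IAM policy, the CloudTrail-style
events and the role ARN are constructed inline and simplified.
"""
import fnmatch
from collections import Counter

ROLE_ARN = "arn:aws:iam::123456789012:role/app-worker"   # placeholder

# Constructed policy attached to the role: two wildcards plus an unused grant.
# iam:PassRole on Resource "*" is a classic privilege-escalation path, so an
# unused grant of it is the first thing to remove.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed CloudTrail events for the review window, trimmed to the
# fields this example reads. The last event belongs to a different role.
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": ROLE_ARN}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": ROLE_ARN}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket",
     "userIdentity": {"arn": ROLE_ARN}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": ROLE_ARN}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/other"}},
]


def granted_patterns(policy):
    """Flatten every Allow statement's Action (string or list) into one list."""
    patterns = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        patterns.extend(actions)
    return patterns


def used_actions(events, principal_arn):
    """Count 'service:ApiName' per event attributed to the principal.

    eventSource 's3.amazonaws.com' + eventName 'GetObject' -> 's3:GetObject'.
    """
    counts = Counter()
    for ev in events:
        if ev["userIdentity"]["arn"] != principal_arn:
            continue
        service = ev["eventSource"].split(".")[0]
        counts[f"{service}:{ev['eventName']}"] += 1
    return counts


def matches(action, pattern):
    """IAM action matching is case-insensitive and '*' is the only wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def recommend(policy, events, principal_arn):
    """Compare grants with observed use and build a least-privilege policy."""
    patterns = granted_patterns(policy)
    used = used_actions(events, principal_arn)
    covered = {p: sorted(a for a in used if matches(a, p)) for p in patterns}
    return {
        "used": dict(used),
        "unused": [p for p, acts in covered.items() if not acts],
        "wildcards": [p for p in patterns if "*" in p],
        # Actions seen but not granted here mean another attached policy allows them.
        "ungranted": sorted(a for a in used if not any(matches(a, p) for p in patterns)),
        "recommended_policy": {
            "Version": "2012-10-17",
            # Resource stays "*" here; narrowing it needs the resource ARNs
            # from each event's requestParameters, which this example omits.
            "Statement": [{"Effect": "Allow", "Action": sorted(used), "Resource": "*"}],
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(recommend(GRANTED_POLICY, EVENTS, ROLE_ARN), indent=2))
```

The output recommends replacing `s3:*` and `ec2:*` with the three read-only actions the role actually called and dropping `iam:PassRole` entirely. Apply this in the incremental way the "Five Steps" section below suggests: an action that is only used once a quarter will not appear in a 90-day window, so a recommendation is a starting point for review, not something to apply blindly.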

Runtime Cloud Workload Protection Platform (CWPP)

This is the part that operations teams care the most about. A CWPP is the runtime enforcement part of the CNAPP security suite, and it works towards a zero trust model in which nothing is trusted automatically.

It will perform actions like:

  • Runtime detection: Detect and prevent suspicious behavior in containers at runtime, and automate the response to container threats.
  • System hardening: Anomaly detection inside Linux hosts and VM-based workloads running on top of the host.
  • Vulnerability management: Vulnerability detection in container images in the CI/CD pipeline and in registries before they are deployed to production.
  • Network security: Enforce Kubernetes-native network policies, including segmentation, and provide network traffic visualization down to the container level.
  • Compliance: Validate container compliance and perform file integrity monitoring inside containers.
  • Incident response: Forensic analysis and incident response for Kubernetes and the containers it manages, even after the container is gone.
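The runtime detection and automated response items above, as an added example that is not Sysdig's or Falco's code: a handful of Falco-style rules (shell spawned in a container, package manager run in a container, write below /etc) plus an anomaly rule that compares each exec against a learned per-image process profile are run over a stream of process and file events, and a response step decides per container whether to log, notify, or kill. The event stream and the image profiles are constructed inline; a real agent would receive such events from the kernel via eBPF and the profile would be learned during the discovery phase.

```python
"""Falco-style runtime detection over container process and file events.

Added example, not Sysdig's or Falco's code. The rules, the per-image
process profile and the event stream are all constructed inline.
"""

# Constructed events. container == "" means the process ran on the host.
EVENTS = [
    {"t": 1, "container": "c1", "image": "nginx:1.25", "type": "exec",
     "proc": "nginx", "parent": "nginx", "user": "nginx"},
    {"t": 2, "container": "c1", "image": "nginx:1.25", "type": "exec",
     "proc": "sh", "parent": "nginx", "user": "root", "cmd": "sh -i"},
    {"t": 3, "container": "c1", "image": "nginx:1.25", "type": "exec",
     "proc": "apt-get", "parent": "sh", "user": "root", "cmd": "apt-get install -y nmap"},
    {"t": 4, "container": "c1", "image": "nginx:1.25", "type": "open",
     "proc": "sh", "path": "/etc/passwd", "flags": "O_WRONLY|O_APPEND"},
    {"t": 5, "container": "", "image": "", "type": "exec",
     "proc": "bash", "parent": "sshd", "user": "admin"},
    {"t": 6, "container": "c2", "image": "redis:7", "type": "open",
     "proc": "redis-server", "path": "/data/dump.rdb", "flags": "O_WRONLY|O_CREAT"},
]

# Constructed baseline: processes seen per image during the learning period.
IMAGE_PROFILE = {"nginx:1.25": {"nginx"}, "redis:7": {"redis-server"}}

SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
PKG_MANAGERS = {"apt", "apt-get", "apk", "yum", "dnf", "pip", "pip3"}
SENSITIVE_PREFIXES = ("/etc/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC")


def is_write(ev):
    return ev["type"] == "open" and any(f in ev["flags"] for f in WRITE_FLAGS)


# (rule name, priority, condition). Signature rules first, anomaly rule last.
RULES = [
    ("shell_in_container", "WARNING",
     lambda e: e["type"] == "exec" and e["container"] and e["proc"] in SHELLS),
    ("package_manager_in_container", "ERROR",
     lambda e: e["type"] == "exec" and e["container"] and e["proc"] in PKG_MANAGERS),
    ("write_below_sensitive_dir", "ERROR",
     lambda e: e["container"] and is_write(e) and e["path"].startswith(SENSITIVE_PREFIXES)),
    ("process_not_in_image_profile", "NOTICE",
     lambda e: e["type"] == "exec" and e["container"]
     and e["proc"] not in IMAGE_PROFILE.get(e["image"], set())),
]

PRIORITY_RANK = {"NOTICE": 1, "WARNING": 2, "ERROR": 3}


def detect(events, rules=RULES):
    """Evaluate every rule against every event; return the alerts in order."""
    alerts = []
    for ev in events:
        for name, priority, cond in rules:
            if cond(ev):
                alerts.append({"t": ev["t"], "container": ev["container"],
                               "image": ev["image"], "rule": name,
                               "priority": priority, "proc": ev["proc"],
                               "detail": ev.get("cmd") or ev.get("path", "")})
    return alerts


def respond(alerts):
    """Per container, escalate to the strongest action any alert warrants.

    Returns {container: action}. The caller wires 'kill' to the orchestrator;
    this example only decides.
    """
    action_for = {"NOTICE": "log", "WARNING": "notify", "ERROR": "kill"}
    decisions = {}
    for a in alerts:
        current = decisions.get(a["container"])
        proposed = action_for[a["priority"]]
        if current is None or PRIORITY_RANK[a["priority"]] > PRIORITY_RANK[
                {"log": "NOTICE", "notify": "WARNING", "kill": "ERROR"}[current]]:
            decisions[a["container"]] = proposed
    return decisions


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"t={a['t']} {a['priority']:7} {a['container']} {a['rule']} "
              f"proc={a['proc']} {a['detail']}")
    print(respond(found))
```

The host-side `bash` under `sshd` (event 5) and redis writing its own data file (event 6) produce nothing, while the sequence in container c1 fires both the signature rules and the profile rule, and the response step escalates c1 to `kill`. The alerts carry the image, process and argument detail so that something remains to investigate after the container has been terminated, which is the forensics point in the last bullet above.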

Why Invest in CNAPP?

The benefits of implementing a CNAPP are better visibility and control of the entire cloud native application stack. Currently, even if an organization has all five of those areas covered, it is often using separate and distinct tools. Consequently, there is no easy way to correlate the data and produce a current measurement of risk. Companies spend time and effort trying to consolidate data from all the point solutions they have in place across their technology landscape. While this is valuable, it does not ensure that all areas have the same coverage, and building reports on incomplete data only increases your risk by providing a false sense of security.

Here are some examples of where a CNAPP security platform adds valuable and consistent enforcement of policies.

  • The build teams have implemented security scanning in the build and test pipeline, which is fantastic. So let's say an SCA tool is running against the registry where artifacts are stored and is tagging them with known vulnerabilities from the CVE database. What happens if something that is already in production is tagged with a new critical finding? If it is severe enough, like the recently announced Log4Shell vulnerability (CVE-2021-44228), then impacted applications need to be shut down immediately or the potential attack otherwise mitigated. Workload protection is the functionality required to automate the response to this type of event. Gartner lists CWPP as a core feature of CNAPP for this very reason.
  • A cloud engineer is testing in their own sandbox and opens an extra port into a subnet, but does not back out that change before their next commit. What will catch that? A CNAPP has two methods that could. The first is IaC scanning, which identifies bad practices in things like CloudFormation templates and Terraform plans before they are applied. If that misses the change, cloud posture compliance checking will find anything out of place in the live system. The CNAPP can often be configured to remediate automatically, bringing the configuration back into compliance as soon as the drift is discovered.

Five Steps to be Successful

As with any new platform, the implementation steps seem easy from the outside; that is, until you get into the details. The basic structure to follow is to let the CNAPP security tooling discover what is available and make recommendations. Then apply a few of those recommendations at a time, and monitor and alert on how the cloud native applications it protects react. Then go back for more recommendations. Shampoo bottles say, "Lather. Rinse. Repeat." That is some of the best advice one can get when working with anything new. You will not get it perfect the first time.

  1. After installing the CNAPP, allow it to investigate the environment to build a profile of what is in place.
  2. Review any policies it has found in place and recommendations it has made.
  3. Select a few of the recommended policies to implement. Do not jump to the highest impact right away. It might take a little time until you are comfortable with how your cloud native application platform reacts to the new or updated policies. In addition, developers will also want time to adapt their practices to react to and incorporate the CNAPP's feedback.
  4. Monitor and react to any alert after the changes.
  5. Go back to Step 1.

Conclusion

Organizations large and small usually feel like they don't know enough about security. This is especially the case in the cloud native application space, which is moving much faster than traditional software platforms have. By implementing a CNAPP, any organization can achieve a reasonable level of security across all major aspects of its application stack. It will improve the overall security profile of the organization without interrupting developer productivity.

Ultimately, everyone’s goal is to deliver value to customers faster and in a more flexible way. Embedding security from the earliest stages of the development process all the way into production will ensure that what is delivered will maintain the security and integrity that your customers expect from your products.