Cloud-native application development has matured to the point where certain assumptions can be treated more or less as facts. One early realization was that cloud environments are inherently diverse, disparate, and distributed. For the professionals responsible for managing these dynamic, complex environments, the natural response was to impose consistency and uniformity. The logic is that coordinating a large set of point products, each suited to a narrow set of requirements, makes risk in these environments harder to manage, not easier.
This reasoning is why forward-thinking members of the security community have focused on integrated cloud-native security platforms from the outset. With Gartner's recent introduction of the Cloud Native Application Protection Platform (CNAPP) category, that approach is finally becoming mainstream.
Cloud Native Application Protection Platforms (CNAPPs) combine Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), Cloud Infrastructure Entitlement Management (CIEM), and CI/CD security in a single solution that secures cloud-native applications across the full application life cycle. Because these capabilities are integrated rather than stitched together after the fact, DevOps, cloud infrastructure, and security teams can reach consistent cloud security outcomes with less effort.
The Benefits of a CNAPP
The problem for many organizations is that their response to cloud-native security has been reactive rather than proactive: dealing with issues as one-off problems rather than addressing cloud security holistically. They adopt an individual solution or tool for each issue that comes up and end up with a patchwork approach, which introduces problems of its own, such as:
- Point solutions create more work: Managing a growing stack of tools eventually becomes its own workstream. And because most solutions don't communicate with each other without yet more work, teams get limited visibility and protection.
- You can't apply consistent protections: Dozens of security tools can each perform a check at a single point in the application life cycle. But without consistent controls across development, deployment, and runtime, security and risk teams are stuck reconciling disparate vulnerability and misconfiguration findings, often for the same asset.
- Separation creates blind spots: Most cloud security teams need to analyze threats across cloud services, workloads or applications, networks, data, and permissions. Without a single tool, blind spots emerge in the gaps between solutions.
Against this backdrop, CNAPPs offer a number of clear benefits.
Distributed Problems Need Integrated Solutions
One of the primary drivers for a comprehensive, integrated security platform is that cloud security requires multiple teams to navigate a difficult combination of both granular and overlapping duties across functional areas.
Teams need to understand where their responsibilities begin and end under the shared responsibility model: the provider secures the underlying infrastructure, while the customer remains responsible for configuration, data, and identities, and data consistently shows that organizations tend to overestimate the protections and alerts their CSP will provide on their behalf. In addition, networking, storage, and compute instances all need CSPM to catch misconfigurations, but each of those resource types also needs controls for access and permissions, which is the domain of CIEM.
—Workloads and Applications
Similarly, the workloads and applications running on that infrastructure require vulnerability management, compliance monitoring, policy enforcement, and runtime protection. These are traditionally areas where either security teams or DevOps teams are expected to ensure protections are in place. Those tools, however, must be integrated with the data coming from CI/CD pipelines and extend into runtime protection for web applications and APIs.
These applications require a network that delivers reliable and safe connectivity. Securing network communications requires least-privilege access between workloads, meaning traffic is denied by default and only the flows a workload actually needs are allowed, along with inline threat prevention for the traffic that is permitted.
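To make the least-privilege network point concrete, here is an added example in Python (not Prisma Cloud code or anything from the original article). It takes a constructed set of observed workload-to-workload flows, turns them into a default-deny allowlist keyed by destination, checks candidate connections against it, and renders one destination's rules in the shape of a Kubernetes NetworkPolicy. The workload names, ports and namespace are invented for the example.

```python
"""Derive and enforce a least-privilege workload-to-workload allowlist.

Added example, not Prisma Cloud code. Workload labels, flows, ports and
the namespace below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # source workload label, e.g. "web"
    dst: str          # destination workload label
    port: int         # destination port
    proto: str = "tcp"


# Constructed flows observed during a baseline window (in practice these come
# from VPC flow logs, a CNI, or a service mesh, not from a hand-typed list).
OBSERVED_FLOWS = [
    Flow("web", "api", 8443),
    Flow("web", "api", 8443),      # repeats collapse into one rule
    Flow("api", "db", 5432),
    Flow("api", "cache", 6379),
    Flow("batch", "db", 5432),
]


def build_policy(flows):
    """Return {dst: {(src, port, proto), ...}}.

    Every destination gets an allowlist holding only the (source, port,
    protocol) triples actually observed; anything else is denied by default.
    """
    policy = defaultdict(set)
    for f in flows:
        policy[f.dst].add((f.src, f.port, f.proto))
    return dict(policy)


def is_allowed(policy, flow):
    """Default deny: permit only if the destination has an explicit matching rule."""
    return (flow.src, flow.port, flow.proto) in policy.get(flow.dst, set())


def to_network_policy(policy, dst, namespace="prod"):
    """Render one destination's allowlist as a networking.k8s.io/v1 NetworkPolicy
    dict. A destination with no observed inbound flows gets an empty ingress
    list, which in Kubernetes means all ingress to those pods is denied.
    """
    rules = sorted(policy.get(dst, set()))
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"allow-to-{dst}", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": dst}},
            "policyTypes": ["Ingress"],
            "ingress": [
                {
                    "from": [{"podSelector": {"matchLabels": {"app": src}}}],
                    "ports": [{"protocol": proto.upper(), "port": port}],
                }
                for src, port, proto in rules
            ],
        },
    }


if __name__ == "__main__":
    import json

    pol = build_policy(OBSERVED_FLOWS)
    print(is_allowed(pol, Flow("api", "db", 5432)))   # True: observed flow
    print(is_allowed(pol, Flow("web", "db", 5432)))   # False: web never talked to db
    print(is_allowed(pol, Flow("api", "db", 22)))     # False: right peer, wrong port
    print(json.dumps(to_network_policy(pol, "db"), indent=2))
```

The caveat a practitioner will recognize: an allowlist learned from traffic is only as clean as the baseline it was learned from. If the observation window already contained unwanted traffic, that traffic becomes policy, so generated rules should be reviewed against the intended architecture before they are enforced.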
—Identity and Permissions
Underlying all of these areas, entitlements and permissions for cloud infrastructure and services must balance the need for distributed access against risk: excessive, unused, or outdated permissions undermine every other control, because an attacker who compromises one identity inherits everything it is allowed to do.
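As an added illustration of what "excessive or outdated permissions" looks like in practice (example code written for this page, not Prisma Cloud's CIEM implementation), the Python below compares the permissions a role is granted, including wildcard grants, against a constructed last-used report and separates them into in-use, stale, and never-used, then emits a tightened policy. The action catalog, the policy, the dates and the watchlist of sensitive actions are all invented sample data in an IAM-like shape.

```python
"""Flag excessive, stale and never-used cloud permissions (a CIEM-style check).

Added example, not Prisma Cloud code. The action catalog, policy, last-used
report, report date and sensitive-action watchlist are constructed sample
data in an IAM-like shape.
"""
import fnmatch
from datetime import date, timedelta

# Constructed catalog of actions a provider exposes; a real one has thousands.
ACTION_CATALOG = [
    "storage:GetObject", "storage:PutObject", "storage:DeleteObject",
    "storage:ListBucket", "compute:StartInstance", "compute:StopInstance",
    "compute:TerminateInstance", "iam:PassRole", "iam:CreateUser",
]

# Constructed policy attached to a CI deploy role. "storage:*" is the kind of
# wildcard that quietly grants far more than the role needs.
DEPLOY_ROLE_POLICY = {
    "Effect": "Allow",
    "Action": ["storage:*", "compute:StartInstance", "iam:PassRole", "iam:CreateUser"],
}

# Constructed last-accessed data: action -> date this role last used it.
# Actions absent from the map were never used.
LAST_USED = {
    "storage:GetObject": date(2021, 9, 30),
    "storage:PutObject": date(2021, 9, 29),
    "compute:StartInstance": date(2021, 6, 1),
    "iam:PassRole": date(2021, 9, 30),
}

REPORT_DATE = date(2021, 10, 1)   # constructed "today" for the report

# Constructed watchlist: grants worth reviewing even when they are in use
# (iam:PassRole is a well-known privilege-escalation path).
SENSITIVE_ACTIONS = {"iam:PassRole", "iam:CreateUser"}


def expand_actions(patterns, catalog=ACTION_CATALOG):
    """Resolve wildcard patterns such as 'storage:*' to concrete actions.

    Wildcards must be expanded before a grant can be compared with usage;
    otherwise 'storage:*' looks like one permission instead of four.
    """
    granted = set()
    for pat in patterns:
        granted.update(a for a in catalog if fnmatch.fnmatchcase(a, pat))
    return granted


def wildcard_grants(policy):
    """Return the raw wildcard entries in a policy, for reporting."""
    return [a for a in policy["Action"] if "*" in a]


def analyze_entitlements(policy, last_used, today, stale_days=90):
    """Split granted actions into in_use, stale (unused for stale_days) and
    never_used, and flag granted actions on the sensitive watchlist.

    stale | never_used is the least-privilege removal candidate set.
    """
    granted = expand_actions(policy["Action"])
    cutoff = today - timedelta(days=stale_days)
    in_use, stale, never = set(), set(), set()
    for action in granted:
        used = last_used.get(action)
        if used is None:
            never.add(action)
        elif used < cutoff:
            stale.add(action)
        else:
            in_use.add(action)
    return {
        "granted": granted,
        "in_use": in_use,
        "stale": stale,
        "never_used": never,
        "sensitive": granted & SENSITIVE_ACTIONS,
    }


def tightened_policy(report):
    """Rewrite the policy to list only actions observed in use, with no wildcards."""
    return {"Effect": "Allow", "Action": sorted(report["in_use"])}


if __name__ == "__main__":
    report = analyze_entitlements(DEPLOY_ROLE_POLICY, LAST_USED, REPORT_DATE)
    print("wildcards:", wildcard_grants(DEPLOY_ROLE_POLICY))
    for key in ("granted", "in_use", "stale", "never_used", "sensitive"):
        print(f"{key:>10}: {sorted(report[key])}")
    print("tightened:", tightened_policy(report))
```

Two points the example makes that a spreadsheet of permissions does not: a wildcard such as `storage:*` has to be expanded before it can be compared with usage, and some grants (here `iam:PassRole` and `iam:CreateUser`) deserve review even when they are used. Real provider last-accessed reports vary in granularity and retention, so treat never-used results as removal candidates to confirm with the owning team rather than as proof.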
—Coding and Development
Developers and DevOps teams are responsible for delivering high-quality code, which in most cases also means secure code. But it's up to security teams to give DevOps the insights it needs to write secure code. Injecting security guardrails as early as possible requires cohesive tools that span the entire application life cycle.
Each team needs to work closely to ensure these protections are consistently enforced, and CNAPPs are the integrated tools that help break down the silos that currently separate them.
Exploring CNAPPs In Depth
Gartner recently stated that "By 2023, 70% of all enterprise workloads will be deployed in cloud infrastructure and platform services, up from 40% in 2020." The challenge in securing these cloud environments stems from the nature of the cloud itself. Workloads and resources in the cloud are broadly distributed and highly ephemeral. Every new cloud account connects to workloads, applications, and data, and each of those connections is a potential attack vector.
To secure cloud-native applications and infrastructure, organizations need to become more agile and integrated. They need to address threats proactively, beginning in development, and provide continuous security throughout the development life cycle and into runtime environments. Achieving this agility requires new tools that are purpose-built for cloud-native environments, span the full application development life cycle, and surface critical security information at the right point and the right time.
Learn more about the industry trends that highlight the need for CNAPPs by downloading the 2021 Gartner® Innovation Insight for Cloud-Native Application Protection Platforms.
About the Author
Ankur Shah, Senior Vice President of Products, Prisma Cloud, Palo Alto Networks, has spent 16+ years bringing innovative security, collaboration and virtualization technologies to market. He joined Palo Alto Networks through the acquisition of RedLock, where he ran product management for securing public clouds. In his current role, he is responsible for driving product strategy, roadmap and execution for public cloud security.