The COVID-19 pandemic accelerated digital transformation initiatives for many businesses. For many, this entailed embracing cloud-native application development to enable rapid software deployment. The downside? Increased security risks across large and ephemeral cloud environments.
As cloud security continues to grow more complex and difficult to manage, organizations are increasingly looking to cloud-native application protection platforms (CNAPP) to protect their cloud infrastructure and applications running in the cloud. The idea behind CNAPP is to consolidate point solutions to enable more automation and reduce security gaps between tools.
Bundling CSPM, CWPP, CIEM
"You can think of CNAPP as the king of acronyms in cloud security," says Kate MacLean, senior director of product marketing at Lacework. "It encompasses everything from CSPM [cloud security posture management], CWPP [cloud workload protection platform], CIEM [cloud infrastructure entitlements management], and more, bringing these features together into a single platform."
Lacework recently updated its CNAPP offering, Polygraph Data Platform, with agentless workload scanning for secrets and vulnerabilities plus attack path analysis.
These new capabilities are designed to help IT security teams achieve better visibility into their organizations’ complex, dynamic, and unique environments so they can better identify, understand, and respond to the security alerts that matter, according to the company.
MacLean explains that agentless workload scanning helps build layered security into the cloud environment, giving IT security teams the ability to scan more resources for vulnerabilities in a faster and more comprehensive way.
"With broader coverage in the runtime environment and continuous monitoring, teams have a better understanding of potential risks in the cloud so they can proactively secure for them," she says.
Addressing Workload, Configuration Security
Ami Luttwak, co-founder and CTO of Wiz, says CNAPP aims to address workload and configuration security by scanning the areas during development and protecting them at runtime.
The company provides an agentless, API-centered approach offering organizations instant coverage of their multicloud environments. Wiz's platform scans public buckets, data volumes, and databases in Amazon Web Services, Google Cloud Platform, and Microsoft Azure and classifies data so that organizations can find out what data is located where.
"CNAPP is becoming the main platform for security and dev teams for everything they need from cloud security, from code time to production," he says. "It solves for the core challenges of protecting cloud infrastructure from a security perspective."
The platform uses schema matching across the entire environment to understand data flow and lineage, including when data is moved between environments or regions and when production data is stored improperly. It also continuously assesses compliance to ensure security standards are consistently enforced across business units, regions, applications, and users, according to Wiz.
Holistic Cloud Security
A proper CNAPP protects cloud application development throughout the entirety of the application development life cycle — from build time through runtime. This simplified approach covers all clouds, and a single tool handles vulnerabilities, remediation, compliance, and reporting, giving it necessary context and visibility. With multiple tools and security functions consolidated into one platform, a CNAPP can replace multiple point solutions — not to mention countless hours of operational usage.