What is a Cloud-Native Application Protection Platform (CNAPP)? 1

What is a Cloud-Native Application Protection Platform (CNAPP)?

With the evolving digital space and the work we do in it, numerous security solutions have been utilized over the years to address the challenges of each part. Devices and servers need to be protected. Defenses against attacks like phishing and ranswomware should be put up. As digital transformations took place and moved data and applications to the cloud, various cloud-specific and targeted technologies emerged. A cloud-native application protection platform (CNAPP) is a unified umbrella solution that covers cloud-based security needs. Here’s more about what a CNAPP includes, and examples of some of these comprehensive solutions.

The Increasing Need for Consolidated Solutions

With multiple types of security needs, it can become complex and difficult to manage multiple corresponding solutions. There’s limited visibility, and information must be exchanged between the different platforms. This can bog down security teams and leave more room for error in the transmission of security data. A smarter approach is to combine all of these elements into a unified, integrated solution that contains all of the necessary segments and communicates between them seamlessly.

Graphic shows the multiple aspects of CNAPP scope: artifact scanning, runtime protection, and cloud configuration.

In recognizing this issue, the technology research group Gartner coined the term CNAPP, referring to a single platform that provides comprehensive application protection in the cloud environment. This term shifts security perspectives from looking at individual problem points to instead seeing broader, interconnected combinations of issues, bringing a more holistic approach to cybersecurity.

Elements of a CNAPP

Since a CNAPP is a combination of several different solution technologies, it encompasses all of them within its reach. The tools included in the umbrella CNAPP are generally these solutions:

Cloud Security Posture Management (CSPM)

CSPM solutions keep track of cloud configurations, ensuring that platforms are set up properly and optimally. They also track compliance to various regulation standards so that the cloud environment is up to date and postured according to best practices and current legal frameworks. For instance, if you have an AWS S3 bucket or Azure Storage Blob that’s set to publicly available but contains personal identifiable information, you’ll get an alert that you need to restrict access. When you combine a deep analysis of these areas with other data outside the CSPM realm, you get even better identification of risks and overall system health.

Cloud Workload Protection Platform (CWPP)

The focus of a CWPP solution is securing cloud workloads regardless of where they reside. These workloads may be in virtual machines (VMs), containers, or serverless functions, for example. The abstraction layers between where these workloads actually run and the work that the user does with them can make securing the whole environment a complex task. CWPPs take a deep dive into these workloads, scanning for vulnerabilities and other issues.

Kubernetes Security Posture Management (KSPM)

Containers are used to independently package code so that software applications can be quickly and reliably used anywhere. This software is isolated from its environment in order to work uniformly regardless of the computing environment. Such containers are generally managed through Kubernetes, an open-source container management platform. Thus, much like with a CSPM, security posture management is necessary for Kubernetes as well. This kind of solution will look for misconfigurations and security issues specifically in the Kubernetes platform. Since container workloads are commonly used, thorough CNAPPs include KSPM as well.

Cloud Infrastructure Entitlement Management (CIEM)

A Cloud Infrastructure Entitlement Management solution (CIEM, pronounced like “Kim,” presumably to differentiate it from the similarly acronymed SIEM) revolves around the critical risk area of identity and access governance. It helps manage and enforce permissions and rights across cloud environments, including multi-cloud setups. The best CIEM approach uses the Zero Trust principle of least privilege, scanning cloud infrastructure to find unnecessary access so that tighter controls can be applied for the most secure environment. If an admin hasn’t performed any admin activities in the last 30 days, for example, they may be a candidate to have their permissions removed or have Just-in-Time access enforced.

What is a Cloud-Native Application Protection Platform (CNAPP)? 2

There are other tools in CNAPPs as well, such as API discovery and other, smaller security elements, but these are the main bulk of what make up a cloud-native application protection platform. As you can see, juggling them separately can become inefficient and difficult—and that’s why the more comprehensive route is a good idea. Not only is visibility streamlined, but integrated elements present the strongest awareness of risk, which leads to the best defenses.

Examples of Cloud-Native Application Protection Platforms

A couple of the common CNAPPs on the market are Amazon Web Services (AWS) Shield and Google Cloud Platform (GCP) Security. Our favorite is Microsoft Defender for Cloud, though, which is the only one of the three that can natively support the others’ clouds in addition to its own. The entire Defender suite is constantly being updated and improved, too. Last week at the annual Microsoft Ignite conference, there were a ton of new Defender announcements that highlighted innovations across the security platform.

Working in cloud environments and securing them wisely, with a CNAPP or otherwise, is a lot to think about. If you have questions or could use some guidance for your organization, we’re always happy to help.


Leave a Comment