Clearing visibility and unifying security tools with a cloud-native application protection platform (CNAPP)

by WeeklyAINews


Cybersecurity has become a complex and rapidly evolving game. To keep up with cyber-criminals, enterprises continue to tack on new, sometimes disparate tools.

But disconnected tools and platforms make visibility hazy, even opaque, leaving security teams in a constant game of catch-up.

Cloud-native application protection platforms (CNAPPs) aim to declutter and streamline this landscape. A CNAPP pulls multiple security and protection capabilities together into one single platform to help identify risk across a cloud-native application and its infrastructure.

“Cloud-native security requires a fundamental shift in thinking when it comes to managing the security of applications and workloads,” said Rani Osnat, SVP for strategy and business development at Aqua, which provides cloud-native security tools. “CNAPP is the opportunity for enterprises to connect the dots across the cloud application lifecycle and create more efficient and effective security.”

Rapidly growing segment

More than three-quarters (76%) of enterprises now use two or more cloud providers, and one-third have more than 50% of their workloads in the cloud. Cloud investment is only expected to increase in the coming years, with Gartner predicting that end-user spending on public cloud services will reach nearly $600 billion this year.

But experts caution that this increased cloud use vastly expands the attack surface. In fact, CrowdStrike reports that there was an estimated 95% increase in cloud exploitation in 2022.

“The attack surface of cloud-native applications is rising,” Gartner analysts Charlie Winckless, Neil MacDonald and Dale Koeppen write in a CNAPP market guide. “Attackers are targeting the misconfiguration of cloud infrastructure (network, compute, storage, identities and permissions), APIs and the software supply chain itself.”

Increased reliance on open-source software continues to put software supply chains at risk. One report revealed a 300% year-over-year increase in supply chain attacks; another reported a record-breaking 742% jump in open-source software supply chain attacks perpetrated by cybercriminals looking to exploit malicious code introduced into commercial applications.

“Rising dependence on the open-source software ecosystem that sits at the heart of modern software development means that software supply chains are increasingly vulnerable to compromise,” said Osnat.

All these factors continue to stoke the global CNAPP market. One prediction puts the market at $19.3 billion by 2027. That’s up from $7.8 billion in 2022, representing a compound annual growth rate (CAGR) of nearly 20%.

Industries including banking, financial services and insurance (BFSI), healthcare, retail and ecommerce, and telecommunications are particularly demanding CNAPP solutions, and top vendors including Trend Micro, Palo Alto Networks, CrowdStrike, Fortinet, Proofpoint, Sophos and Aqua are rolling out tools to meet these demands.

Ultimately, as CNAPP gains more and more traction, Gartner expects that cloud-native security will consolidate from the ten or more tools/vendors that organizations use today to a more viable two to three in just a few years.

As Osnat put it, “CNAPP is projected to be one of the biggest security categories ever.”

Security and compliance as a continuum

Winckless of Gartner points out that instead of using different point solutions that solve specific security issues and need to be stitched together, enterprises should view security and compliance as a continuum across development and operations.

“Until recently, comprehensively securing cloud-native applications required the use of multiple tools from multiple vendors that are rarely well-integrated and often only designed for security professionals, not in collaboration with developers,” write Winckless, MacDonald and Koeppen.

Lack of integration results in fragmented views without sufficient context, making it difficult to prioritize risk, they point out. This can create excessive alerts that waste developers’ time and make remediation efforts complex. With CNAPP, by contrast, the developer is at the core of accountability for application risk.

A CNAPP should have the capabilities of multiple existing cloud security categories, Gartner advises. Primarily, these are “shift left” artifact scanning, cloud security posture management (CSPM) and Kubernetes security posture management (KSPM), IaC scanning, cloud infrastructure entitlements management (CIEM), runtime cloud workload protection platform (CWPP) and software supply chain security capabilities.

In searching for the right tool for their enterprise, security leaders should assemble an evaluation team of those with expertise across cloud security, workload protection (including containers), application and middleware security, and development security as well as developers, Gartner advises.

This team should then look to integrated CNAPP offerings that provide full life-cycle visibility and protection, and identify the right person/team to put in charge of identifying risk.

Also, security leaders should favor vendors that provide a variety of runtime visibility techniques. This will provide the most flexibility at deployment, according to Winckless. These techniques include traditional agents, extended Berkeley Packet Filter (eBPF) support, snapshotting, privileged containers and Kubernetes (K8s) integration.

“To ensure a successful evaluation, rank the CNAPP offering requirements,” write Winckless, MacDonald and Koeppen. “No single vendor offers best-of-breed capabilities across all capabilities.”

CI/CD embedding, flexibility critical

Osnat identifies several key features in a CNAPP that “organizations can’t afford to overlook.”

First, a tool must be embedded into the continuous integration/continuous delivery (CI/CD) pipeline and integrated with modern DevOps tooling. This is because “knowing the application context is critical,” he said.

CNAPP tools must also be able to scan artifacts in the build phase and maintain their integrity from build to deployment. This can inform granular decisions about their deployment; that is, prevent unvetted images from running in production.

A CNAPP tool must also provide protection, said Osnat. This means not just providing visibility or posture assessment, but detecting issues and attacks and offering remediation strategies. Platforms should be available as both SaaS and on-premises to cater to highly regulated industries, and have extensive role-based access controls that support separation of duties (SoD) across multiple applications, teams and roles. This can help to protect the largest cloud-native environments.

Other important features include support for multicloud and hybrid cloud, and runtime policies that provide real-time protection for containers, VMs and serverless workloads.

“Cloud-native applications are complex and present the challenge of a new attack surface,” said Osnat. Also, “cloud-native attacks move at the same speed as cloud-native apps.”

CNAPP: An integrated, holistic security approach

Osnat pointed out that most organizations have some form of runtime cloud workload protection platform (CWPP) for their virtual machines. But with increased adoption of containers and serverless computing, traditional CWPPs are not effective because they aren’t built for cloud-native applications’ technology stacks.

Organizations also tend to select one scanning tool for container images in development and another for CSPM. Furthermore, many organizations have multiple vendors for different (or sometimes overlapping) functions, thus creating silos of users and findings.

“This makes it difficult to create a unified picture of risk,” said Osnat.

CISOs must be aware that using separate tools for shifting left and for runtime protection creates security gaps and leaves security professionals “endlessly chasing vulnerabilities and runtime events with no context to prioritize and mitigate these quickly,” he said.

Ultimately, “traditional security tools were not designed for cloud-native architectures and can only offer limited visibility and control,” he said. CNAPP “offers a way to reduce complexity while enhancing security and the developer experience.”
