Clearing visibility and unifying security tools with a cloud-native application protection platform (CNAPP)

Cybersecurity has become a complex and rapidly evolving game. To keep up with cyber-criminals, enterprises continue to tack on new, sometimes disparate tools.

But disconnected tools and platforms make visibility hazy — even opaque — leaving security teams in a constant game of catch-up.

Cloud-native application protection platforms (CNAPPs) aim to declutter and streamline this landscape. A CNAPP pulls multiple security and protection capabilities together into one single platform to help identify risk across a cloud-native application and its infrastructure.

“Cloud-native security requires a fundamental shift in thinking when it comes to managing the security of applications and workloads,” said Rani Osnat, SVP for strategy and business development at Aqua, which provides cloud-native security tools. “CNAPP is the opportunity for enterprises to connect the dots across the cloud application lifecycle and create more efficient and effective security.”

Rapidly growing segment

More than three-quarters (76%) of enterprises now use two or more cloud providers, and one-third have more than 50% of their workloads in the cloud. Cloud investment is only expected to increase in the coming years, with Gartner predicting that end-user spending on public cloud services will reach nearly $600 billion this year. 

But experts caution that this increased cloud use vastly expands the attack surface. In fact, Crowdstrike reports that there was an estimated 95% increase in cloud exploitation in 2022. 

“The attack surface of cloud-native applications is increasing,” Gartner analysts Charlie Winckless, Neil MacDonald and Dale Koeppen write in a CNAPP market guide. “Attackers are targeting the misconfiguration of cloud infrastructure (network, compute, storage, identities and permissions), APIs and the software supply chain itself.”

Increased reliance on open-source software continues to put software supply chains at risk. One report revealed a 300% year-over-year increase in supply chain attacks; another reported a record-breaking 742% jump in open-source software supply chain attacks perpetrated by cybercriminals looking to exploit malicious code introduced into commercial applications.

“Growing dependence on the open-source software ecosystem that sits at the heart of modern software development means that software supply chains are increasingly at risk of compromise,” said Osnat. 

All these factors continue to stoke the global CNAPP market. One prediction puts the market at $19.3 billion by 2027. That’s up from $7.8 billion in 2022, representing a compound annual growth rate (CAGR) of nearly 20%. 

Industries including banking, financial services and insurance (BFSI), healthcare, retail and ecommerce, and telecommunications are particularly demanding CNAPP solutions, and top vendors including Trend Micro, Palo Alto Networks, Crowdstrike, Fortinet, Proofpoint, Sophos and Aqua are rolling out tools to meet those demands. 

Ultimately, as CNAPP gains more and more traction, Gartner expects that cloud-native security will consolidate from the 10 or more tools/vendors that organizations utilize today to a more viable two to three in just a few years.

As Osnat put it, “CNAPP is projected to be one of the biggest security categories ever.”

Security and compliance as a continuum

Winckless of Gartner points out that instead of using different point solutions that solve specific security issues and need to be stitched together, enterprises should view security and compliance as a continuum across development and operations.

“Until recently, comprehensively securing cloud-native applications required the use of multiple tools from multiple vendors that are rarely well-integrated and often only designed for security professionals, not in collaboration with developers,” write Winckless, MacDonald and Koeppen.

Lack of integration results in fragmented views without sufficient context, making it difficult to prioritize risk, they point out. This can create excessive alerts that waste developers’ time and make remediation efforts confusing. With CNAPP, by contrast, the developer is at the core of the application risk responsibility.

A CNAPP should have the capabilities of several existing cloud security categories, Gartner advises. Mainly, these are “shift left” artifact scanning, cloud security posture management (CSPM) and Kubernetes security posture management (KSPM), IaC scanning, cloud infrastructure entitlements management (CIEM), runtime cloud workload protection platform (CWPP) and software supply chain security capabilities.

Identifying the right tools

In searching for the right tool for their enterprise, security leaders should assemble an evaluation team of those with skills across cloud security, workload security (including containers), application and middleware security, and development security as well as developers, Gartner advises. 

This team should then look to integrated CNAPP offerings that provide complete life-cycle visibility and protection, and identify the right person/team to put in charge of identifying risk.

Also, security leaders should favor vendors that provide a variety of runtime visibility techniques. This will provide the most flexibility at deployment, according to Winckless. These techniques include traditional agents, extended berkeley packet filter (eBPF) support, snapshotting, privileged containers and Kubernetes (K8s) integration.

“To ensure a successful evaluation, rank the CNAPP offering requirements,” write Winckless, MacDonald and Koeppen. “No single vendor offers best-of-breed capabilities across all capabilities.”

CI/CD embedding, flexibility critical

Osnat identifies several key features in a CNAPP that “organizations can’t afford to overlook.” 

First, a tool must be embedded into the continuous integration/continuous delivery (CI/CD) pipeline and integrated with modern DevOps tooling. This is because “knowing the application context is critical,” he said.

CNAPP tools must also be able to scan artifacts in the build phase and maintain their integrity from build to deployment. This can inform granular decisions about their deployment — that is, prevent unvetted images from running in production.

A CNAPP tool must also provide protection, said Osnat. This means not just providing visibility or posture assessment, but detecting issues and attacks and offering remediation methods. Platforms should be available as both SaaS and on-premises to cater to highly regulated industries, and have extensive role-based access controls that support separation of duties (SoD) across multiple applications, teams and roles. This can help to protect the largest cloud-native environments.

Other important features include support for multicloud and hybrid cloud, and runtime policies that provide real-time protection for containers, VMs and serverless workloads. 

“Cloud-native applications are complex and present the challenge of a new attack surface,” said Osnat. Also, “cloud-native attacks move at the same speed as cloud-native apps.”

CNAPP: An integrated, holistic security approach

Osnat pointed out that most organizations have some form of runtime cloud workload protection platform (CWPP) for their virtual machines. But with increased adoption of containers and serverless computing, traditional CWPPs are not effective because they are not built for cloud-native applications’ technology stacks.

Organizations also tend to select one scanning tool for container images in development and another for CSPM. Additionally, many organizations have several vendors for different (or sometimes overlapping) functions, thus creating silos of users and findings.

“This makes it difficult to create a unified picture of risk,” said Osnat. 

CISOs need to be aware that using separate tools for shifting left and for runtime protection creates security gaps and leaves security professionals “endlessly chasing vulnerabilities and runtime events with no context to prioritize and mitigate these rapidly,” he said.

Ultimately, “traditional security tools were not designed for cloud-native architectures and can only supply limited visibility and control,” he said. CNAPP “offers a way to reduce complexity while improving security and the developer experience.”