Securely developing applications in the cloud
Rapid7 Cloud Risk Complete
A cloud native application protection platform (CNAPP) is a cloud security archetype that takes an integrated, lifecycle approach, protecting both hosts and workloads for truly cloud-native application development environments. These environments have their own unique demands and challenges, so it should come as little surprise that new security product categories have arisen to address those concerns.
Gartner introduced CNAPP as an official cloud security category in 2021, saying at the time that “optimal security of cloud-native applications requires an integrated approach that starts in development and extends to runtime.” DevOps organizations building applications within an ephemeral environment like the cloud need complete and real-time visibility into the process in order to catch misconfigurations or vulnerabilities as they emerge. Many see CNAPP security as synonymous with shifting left and integrating security in the development lifecycle as tightly as possible.
In considering end-to-end application security in the cloud, organizations can begin to realize benefits like more deeply layered defenses and more frequent access to workloads. A CNAPP also features significant automation capabilities, which – if calibrated correctly – can vastly improve the efficiency of cloud admins. Previously siloed approaches to application security are unified in a CNAPP and have raised the bar for vendors that tout next-gen application security solutions and tooling.
Breaking out the components and capabilities of a CNAPP solution can be a moving target, but Gartner does have minimum requirements a solution must meet. Below, let’s look at some of the core capabilities that define those requirements:
A cloud security posture management (CSPM) solution is one that identifies and remediates threats in an enterprise cloud environment. It uses automation to handle security risks as quickly as possible, working in concert with developers and IT security teams. Other critical functions of CSPM include security risk assessment, incident response, and DevOps integration. CSPM solutions are compatible with hybrid and containerized cloud environments, but are most effective when used in multi-cloud environments. It’s here that they can provide unparalleled visibility into an organization’s cloud assets and their respective configurations.
A cloud workload protection platform (CWPP) solution must provide the ability to manage any workload currently deployed on a company’s cloud platforms. Development organizations are able to integrate CWPPs into the automated processes in their CI/CD pipeline, typically as part of the build process. This approach is becoming commonplace in organizations following the DevOps or DevSecOps methodologies. Any CWPP must seamlessly integrate with other parts of the enterprise SecOps infrastructure, and it enhances the capabilities of the security operations center (SOC), helping it detect and analyze complex cloud-based cyberattacks more effectively.
A cloud infrastructure entitlement management (CIEM) solution is identity-centric and focused on managing cloud access risk. CIEM leverages administration-time controls for managing entitlements and data governance in hybrid and multi-cloud IaaS architectures. These tools handle identity governance for dynamic cloud environments, typically following the least privilege principle, where users and entities are able to access only what they need, at the right time and for the right reason.
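The entitlement analysis a CIEM tool performs comes down to comparing what an identity is allowed to do with what it has actually done, then proposing a right-sized policy. The following is an added example, not Rapid7's code or any vendor's implementation: the policy format mimics an IAM-style action list with wildcards, the catalogue of known actions is a small constructed stand-in for a provider's real action list, the activity-log format and the log lines themselves are constructed, and the "sensitive actions" set is an illustrative assumption.

```python
"""Added example (not Rapid7's code): right-sizing a cloud identity's entitlements.

Compares granted actions (policy, wildcard-expanded) against actions observed in
activity logs, and reports the unused grants with the riskiest ones first.
"""
from fnmatch import fnmatchcase

# Constructed stand-in for a provider's full catalogue of service actions.
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:PutBucketPolicy", "iam:CreateUser", "iam:PassRole",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]

# Assumed set of actions an analyst would treat as high impact if left granted but unused.
SENSITIVE_ACTIONS = {"iam:CreateUser", "iam:PassRole", "s3:PutBucketPolicy"}


def expand_actions(patterns, catalogue=KNOWN_ACTIONS):
    """Expand IAM-style wildcard patterns ("s3:Get*", "*") into concrete actions."""
    granted = set()
    for pattern in patterns:
        granted.update(a for a in catalogue if fnmatchcase(a, pattern))
    return granted


def used_actions(log_lines):
    """Parse constructed log lines of the form
    '<timestamp> principal=<id> action=<service:Action> result=<ok|denied>'
    and return the set of actions that were actually used successfully."""
    used = set()
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("result") == "ok":
            used.add(fields["action"])
    return used


def entitlement_gap(policy_actions, log_lines):
    """Return the gap between granted and used actions plus a right-sized policy.

    Unused actions are ordered sensitive-first so remediation is prioritized.
    """
    granted = expand_actions(policy_actions)
    used = used_actions(log_lines)
    unused = sorted(granted - used, key=lambda a: (a not in SENSITIVE_ACTIONS, a))
    return {
        "granted": sorted(granted),
        "used": sorted(used & granted),
        "unused": unused,
        "sensitive_unused": sorted(granted - used & SENSITIVE_ACTIONS),
        # Least privilege: keep only what the identity has demonstrably needed.
        "right_sized_policy": sorted(used & granted),
    }


# Constructed sample: a broad policy attached to an application role, and its activity.
SAMPLE_POLICY = ["s3:*", "ec2:Describe*", "iam:PassRole"]
SAMPLE_LOGS = [
    "2024-01-05T10:00:00Z principal=app-role action=s3:GetObject result=ok",
    "2024-01-05T10:00:02Z principal=app-role action=s3:ListBucket result=ok",
    "2024-01-05T10:01:10Z principal=app-role action=ec2:DescribeInstances result=ok",
    "2024-01-05T10:02:00Z principal=app-role action=iam:CreateUser result=denied",
]

if __name__ == "__main__":
    report = entitlement_gap(SAMPLE_POLICY, SAMPLE_LOGS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `sensitive_unused` list is the part a practitioner acts on first: a grant such as `iam:PassRole` that the role has never exercised is pure exposure and can be removed without breaking the workload, which is the administration-time control the paragraph above describes.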
Container security is the practice of implementing mechanisms and processes to secure containerized applications and workloads on platforms such as Kubernetes. It’s critical in today’s cloud environments to have maximum visibility into aspects like container-host location, identifying running or stopped containers, spotting container hosts not in compliance with CIS benchmarks, and performing vulnerability assessments. Container security should be implemented as early in the CI/CD pipeline as possible, to expose application risks faster while adding as little friction to the development process as possible.
Infrastructure as code (IaC) is the practice of leveraging code – in the form of pre-built templates – to provision infrastructure resources necessary to support cloud-based applications. Developers can leverage this highly reproducible practice to write, test, and release code that will create the infrastructure on which applications run. Securing that process is critical, as the later in the application-development process security controls are implemented, the more likely there will be misconfigurations or vulnerabilities that could be exploited by attackers.
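The container security and infrastructure-as-code paragraphs above both come down to the same control: run policy checks over the infrastructure definition before it is deployed, and fail the build when a serious finding appears. The following is an added example that is not Rapid7's code or any vendor's scanner. Both inputs are constructed, a Kubernetes-style Pod spec and a CloudFormation-style S3 bucket, expressed as Python dicts so the example runs without a YAML parser; the rules are illustrative hygiene checks, not a CIS benchmark, and the severity levels and the `fail_on` threshold are assumptions.

```python
"""Added example (not Rapid7's code): a shift-left IaC policy check with a pipeline gate."""

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def check_pod_spec(doc):
    """Apply illustrative hygiene rules to a Kubernetes-style Pod document.
    Each finding is (severity, description, remediation)."""
    findings = []
    name = doc["metadata"]["name"]
    spec = doc.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append(("HIGH", f"{name}: hostNetwork enabled", "set spec.hostNetwork: false"))
    for c in spec.get("containers", []):
        cname = f"{name}/{c['name']}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("CRITICAL", f"{cname}: privileged container", "remove securityContext.privileged"))
        if not sc.get("runAsNonRoot"):
            findings.append(("MEDIUM", f"{cname}: may run as root", "set securityContext.runAsNonRoot: true"))
        if "limits" not in c.get("resources", {}):
            findings.append(("LOW", f"{cname}: no resource limits", "set resources.limits.cpu and memory"))
        # Look at the last path segment so a registry port (host:5000/img) is not mistaken for a tag.
        ref = c.get("image", "").rsplit("/", 1)[-1]
        if (":" not in ref and "@" not in ref) or ref.endswith(":latest"):
            findings.append(("LOW", f"{cname}: unpinned image tag", "pin the image to a version tag or digest"))
    return findings


def check_s3_bucket(logical_id, resource):
    """Apply illustrative rules to a CloudFormation-style AWS::S3::Bucket resource."""
    findings = []
    props = resource.get("Properties", {})
    pab = props.get("PublicAccessBlockConfiguration", {})
    flags = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(pab.get(f) for f in flags):
        findings.append(("HIGH", f"{logical_id}: public access not fully blocked",
                         "set all four PublicAccessBlockConfiguration flags to true"))
    if "BucketEncryption" not in props:
        findings.append(("MEDIUM", f"{logical_id}: no default encryption", "add BucketEncryption (SSE-S3 or SSE-KMS)"))
    return findings


def scan(documents):
    """Dispatch each IaC document to the matching rule set; worst findings first."""
    findings = []
    for doc in documents:
        if doc.get("kind") == "Pod":
            findings.extend(check_pod_spec(doc))
        for logical_id, res in doc.get("Resources", {}).items():
            if res.get("Type") == "AWS::S3::Bucket":
                findings.extend(check_s3_bucket(logical_id, res))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


def pipeline_gate(findings, fail_on="HIGH"):
    """True if the build may proceed: no finding at or above the threshold severity."""
    return all(SEVERITY_RANK[sev] > SEVERITY_RANK[fail_on] for sev, _, _ in findings)


# Constructed sample documents; not taken from any real deployment.
SAMPLE_DOCUMENTS = [
    {
        "kind": "Pod",
        "metadata": {"name": "web"},
        "spec": {
            "hostNetwork": True,
            "containers": [
                {"name": "app", "image": "registry.example/app:1.4.2",
                 "securityContext": {"runAsNonRoot": True},
                 "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
                {"name": "agent", "image": "tools:latest",
                 "securityContext": {"privileged": True}},
            ],
        },
    },
    {
        "Resources": {
            "LogsBucket": {
                "Type": "AWS::S3::Bucket",
                "Properties": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True}},
            }
        }
    },
]

if __name__ == "__main__":
    results = scan(SAMPLE_DOCUMENTS)
    for sev, desc, fix in results:
        print(f"[{sev}] {desc} -> {fix}")
    print("gate:", "PASS" if pipeline_gate(results) else "FAIL")
```

Running this in the build stage is the "shift left" the text refers to: the same misconfigurations a CSPM would find after deployment are caught while the change is still a pull request, with a remediation hint attached to each finding.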
In a recent market guide for CNAPP, Gartner outlined a more exhaustive and categorized list of core, recommended, and optional capabilities.
A CNAPP solves problems like visibility across the complete application lifecycle, cloud risk management challenges, and prioritization of detected vulnerabilities. Let's take a look at some specific use cases:
Visibility across the development lifecycle has long been the most critical challenge facing security teams. This is why it’s so critical to try to shift security left as much as possible, in order to catch missteps earlier in the process and prior to deployment. Post-deployment and runtime should not be forgotten from a visibility standpoint either, which is why it’s important for a CNAPP vendor to place emphasis on the entire lifecycle. Quantifying and prioritizing risks for remediation can be difficult without the enhanced visibility a CNAPP can provide.
The magic solution would be one in which all issues were caught in the development process, aided by total visibility and contextual prioritization. No CNAPP offering will be able to do this perfectly, 100% of the time. But a good vendor should be able to offer a solution that can keep pace with the rapid cloud growth goals of DevOps, tailoring security around developers without continually breaking up the process.
Gartner says that “CNAPPs can improve the developer experience by integrating into their native development toolset as seamlessly and transparently as possible by reducing false positives and noise, by risk prioritizing their remediation efforts and by providing specific remediation guidance to resolve the identified risk.” The idea here is to be complementary to the development process without being a drawback to the speed that was one of the primary drivers of cloud adoption in the first place. It’s just as important for SecOps to understand the development environment, identifying key areas to move vulnerability scanning earlier into the process.
A CNAPP solution can provide a more holistic picture of risk in the application development process. Its capabilities are expansive, but shouldn’t be overstated. As mentioned above, there isn’t a magic solution, but a capable CNAPP platform should be able to provide the following benefits:
Reducing complexity isn’t a concept limited to the cybersecurity space. The speed of innovation, however, necessitates a continuous culling of outdated and legacy solutions that no longer have real impact and can be a financial drain on the company. Prospective CNAPP customers are increasingly looking to simplify operations by consolidating security into a solution from a single vendor that can bundle solutions, save the customer money, and provide complete lifecycle visibility.
At its best, a CNAPP solution should be a comprehensive approach to cloud security – both from the technology provided by vendors and the strategy executed by practitioners – that simplifies the process of monitoring and remediating risks from end to end within vast, complex cloud environments. Dispersed services, to a large extent, can be a thing of the past when looking at a CNAPP solution that can simplify the security of microservices-based architectures.
We covered a bit of this above, but truly partnering with a DevOps organization, so that securing the development lifecycle feels organic, is really the best way to mitigate risk in that process. To that end, a CNAPP can leverage advanced analytics to obtain greater visibility into risk, which makes it possible for security practitioners to get a better sense of where to look and how to do that faster. This can help create a DevSecOps culture of faster remediation and prioritization.
A CNAPP can provide guardrails for the development process and also aid in the organic integration of security. In this way, developers can go as fast as they want, automating, building, and deploying, as long as they stay within the constraints of the security guardrails tailored to the environment. Leveraging this framework, innovation and speed don’t have to be held in check as much; they can truly be an asset for the developer.