
Cybersecurity has become a complex and rapidly evolving game. To keep up with cyber-criminals, enterprises continue to tack on new, often disparate tools.

But disconnected tools and platforms make visibility hazy, even opaque, leaving security teams in a constant game of catch-up.

Cloud-native application protection platforms (CNAPPs) aim to declutter and streamline this landscape. A CNAPP pulls multiple security and protection capabilities together into one single platform to help identify risk across a cloud-native application and its infrastructure.

“Cloud-native security requires a fundamental shift in thinking when it comes to managing the security of applications and workloads,” said Rani Osnat, SVP for strategy and business development at Aqua, which provides cloud-native security tools. “CNAPP is the opportunity for enterprises to connect the dots across the cloud application lifecycle and create more efficient and effective security.”



Rapidly growing segment

More than three-quarters (76%) of enterprises now use two or more cloud providers, and one-third have more than 50% of their workloads in the cloud. Cloud investment is only expected to increase in the coming years, with Gartner predicting that end-user spending on public cloud services will reach nearly $600 billion this year.

But experts caution that this increased cloud use vastly expands the attack surface. In fact, Crowdstrike reports that there was an estimated 95% increase in cloud exploitation in 2022.

“The attack surface of cloud-native applications is growing,” Gartner analysts Charlie Winckless, Neil MacDonald and Dale Koeppen write in a CNAPP market guide. “Attackers are targeting the misconfiguration of cloud infrastructure (network, compute, storage, identities and permissions), APIs and the software supply chain itself.”

Increased reliance on open-source software continues to put software supply chains at risk. One report revealed a 300% year-over-year increase in supply chain attacks; another reported a record-breaking 742% jump in open-source software supply chain attacks perpetrated by cybercriminals looking to exploit malicious code introduced into commercial applications.

“Growing dependence on the open-source software ecosystem that sits at the heart of modern software development means that software supply chains are increasingly vulnerable to compromise,” said Osnat.

All these factors continue to stoke the global CNAPP market. One prediction puts the market at $19.3 billion by 2027. That’s up from $7.8 billion in 2022, representing a compound annual growth rate (CAGR) of nearly 20%.

Industries including banking, financial services and insurance (BFSI), healthcare, retail and ecommerce, and telecommunications are particularly demanding CNAPP solutions, and top vendors including Trend Micro, Palo Alto Networks, Crowdstrike, Fortinet, Proofpoint, Sophos and Aqua are rolling out tools to meet these demands.

Ultimately, as CNAPP gains more and more traction, Gartner expects that cloud-native security will consolidate from the ten or more tools/vendors that organizations use today to a more viable two to three in just a few years.

As Osnat put it, “CNAPP is projected to be one of the largest security categories ever.”

Security and compliance as a continuum

Winckless of Gartner points out that instead of using different point solutions that solve specific security issues and have to be stitched together, enterprises should view security and compliance as a continuum across development and operations.

“Until recently, comprehensively securing cloud-native applications required the use of multiple tools from multiple vendors that are rarely well-integrated and often only designed for security professionals, not in collaboration with developers,” write Winckless, MacDonald and Koeppen.

Lack of integration results in fragmented views without sufficient context, making it difficult to prioritize risk, they point out. This can create excessive alerts that waste developers’ time and make remediation efforts confusing. With CNAPP, in contrast, the developer is at the core of the application risk responsibility.

A CNAPP should have the capabilities of multiple existing cloud security categories, Gartner advises. Primarily, these are “shift left” artifact scanning, cloud security posture management (CSPM) and Kubernetes security posture management (KSPM), IaC scanning, cloud infrastructure entitlements management (CIEM), runtime cloud workload protection platform (CWPP) and software supply chain security capabilities.

In searching for the right tool for their enterprise, security leaders should assemble an evaluation team of those with expertise across cloud security, workload protection (including containers), application and middleware security, and development security, as well as developers, Gartner advises.

This team should then look to integrated CNAPP offerings that provide full life-cycle visibility and protection, and identify the right person/team to put in charge of identifying risk.

Also, security leaders should favor vendors that provide a variety of runtime visibility techniques. This will provide the most flexibility at deployment, according to Winckless. These techniques include traditional agents, extended Berkeley Packet Filter (eBPF) support, snapshotting, privileged containers and Kubernetes (K8s) integration.

“To ensure a successful evaluation, rank the CNAPP offering requirements,” write Winckless, MacDonald and Koeppen. “No single vendor offers best-of-breed capabilities across all capabilities.”

CI/CD embedding, flexibility critical

Osnat identifies several key features in a CNAPP that “organizations can’t afford to overlook.”

First, a tool must be embedded into the continuous integration/continuous delivery (CI/CD) pipeline and integrated with modern DevOps tooling. This is because “knowing the application context is critical,” he said.

CNAPP tools must also be able to scan artifacts in the build phase and maintain their integrity from build to deployment. This can inform granular decisions about their deployment; that is, prevent unvetted images from running in production.

A CNAPP tool must also provide protection, said Osnat. This means not just providing visibility or posture assessment, but detecting issues and attacks and offering remediation strategies. Platforms should be available as both SaaS and on-premises to cater to highly regulated industries, and have extensive role-based access controls that support separation of duties (SoD) across multiple applications, teams and roles. This can help to protect the largest cloud-native environments.

Other important features include support for multicloud and hybrid cloud, and runtime policies that provide real-time protection for containers, VMs and serverless workloads.

“Cloud-native applications are complex and present the challenge of a new attack surface,” said Osnat. Also, “cloud-native attacks move at the same speed as cloud-native apps.”

CNAPP: An integrated, holistic security approach

Osnat pointed out that most organizations have some form of runtime cloud workload protection platform (CWPP) for their virtual machines. But with increased adoption of containers and serverless computing, traditional CWPPs are not effective because they are not built for cloud-native applications’ technology stacks.

Organizations also tend to select one scanning tool for container images in development and another for CSPM. Furthermore, many organizations have multiple vendors for different (or sometimes overlapping) capabilities, thus creating silos of users and findings.

“This makes it difficult to create a unified picture of risk,” said Osnat.

CISOs must be aware that using separate tools for shifting left and for runtime protection creates security gaps and leaves security professionals “forever chasing vulnerabilities and runtime events with no context to prioritize and mitigate these rapidly,” he said.

Ultimately, “traditional security tools weren’t designed for cloud-native architectures and can only offer limited visibility and control,” he said. CNAPP “offers a way to reduce complexity while improving security and the developer experience.”
