The State of Cloud Security, Part 1: Understanding CNAPP
In the rapidly evolving world of Infrastructure as a Service (IaaS), providers are continuously reinventing their offerings through acquisitions and feature enhancements. While the pace of change was once predictable and manageable by security teams, the advent of artificial intelligence (AI) has transformed this landscape, making "Cloud Security" seem like an elusive goal. However, if we strip away the AI hype, the core of IaaS remains focused on placing data closer to customers for a faster and more pleasant experience. Consequently, cloud security efforts should prioritize the data, the workload processing it, and the processes building it.
A staggering 80 percent of all enterprise vulnerabilities are found in the cloud. This exposure arises from the speed of business, which demands constant changes to meet customer needs and maintain a competitive edge. IaaS providers facilitate the creation of new environments, the use of new and untested services, and the deployment of container images known to work with specific application stacks. However, questions remain: Are these images secure? Are the environments built with best practices? Are they properly segmented? Have new services been implemented securely, or do they open new data exfiltration paths?
Enterprises asking these questions are often reactive and already vulnerable. The ephemeral nature of the cloud and short life cycles make traditional posture assessments nearly obsolete. This is why the process of building cloud workloads is crucial. As enterprises mature towards a "security to the front" approach, ensuring nothing is instantiated in an IaaS environment without proper vetting, a Cloud Native Application Protection Platform (CNAPP) becomes the most cost-effective way to ensure continuous compliance from code to cloud.
The role of CNAPP in cloud security
CNAPP is a combination of cloud security tools that were originally standalone, including Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), Cloud Infrastructure Entitlement Management (CIEM), and Infrastructure as Code (IaC) Scanning. CNAPP providers continue to expand their offerings, adding tools like Data Security Posture Management (DSPM), Application Security Posture Management (ASPM), AI Security Posture Management (AI-SPM), and Cloud Detection and Response (CDR). The combination of these tools and their capabilities merged into a single platform offers two major benefits: consolidation and context.
Consolidation addresses the issue of having too many disparate security tools for every problem. Customers are frustrated with the need to purchase many different tools solely for cloud security. CNAPP aims to solve this by creating a single platform to address most cloud security challenges. Context allows for a comprehensive view of security issues, piecing together the findings that would typically come separately. For example, with CSPM, misconfigurations can be identified; with CWPP, vulnerabilities are detected; and with CIEM, suspicious identities are flagged. When these issues are interconnected, prioritization becomes more accurate, avoiding the need to sift through thousands of findings manually.
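The effect of context on prioritization can be shown with a small sketch. This is an added example, not code from any CNAPP product: the findings, resource names, relationship map, and the scoring rule (highest severity multiplied by the number of distinct tools that flagged the resource) are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample findings; field names and resource ids are illustrative only.
FINDINGS = [
    {"tool": "CSPM", "resource": "vm-web-01", "severity": 5,
     "issue": "security group allows SSH from any address"},
    {"tool": "CWPP", "resource": "vm-web-01", "severity": 9,
     "issue": "critical vulnerability in installed package"},
    {"tool": "CIEM", "resource": "role-web", "severity": 6,
     "issue": "role grants wildcard access to storage"},
    {"tool": "CWPP", "resource": "vm-batch-07", "severity": 9,
     "issue": "critical vulnerability in installed package"},
    {"tool": "CSPM", "resource": "bucket-logs", "severity": 3,
     "issue": "versioning disabled"},
]
# Constructed relationships: workload -> identities or resources attached to it.
ATTACHED = {"vm-web-01": ["role-web"], "vm-batch-07": []}

def correlate(findings, attached):
    """Group findings by the workload they ultimately affect, then rank."""
    owners = defaultdict(list)  # attached resource -> workloads that use it
    for workload, linked in attached.items():
        for res in linked:
            owners[res].append(workload)
    groups = defaultdict(list)
    for f in findings:
        # A finding on an attached identity counts against every workload using it;
        # otherwise it counts against the resource it was reported on.
        for key in owners.get(f["resource"], [f["resource"]]):
            groups[key].append(f)
    ranked = []
    for key, related in groups.items():
        tools = sorted({f["tool"] for f in related})
        # Assumed scoring rule: worst severity, weighted by how many tools agree.
        score = max(f["severity"] for f in related) * len(tools)
        ranked.append({"resource": key, "tools": tools,
                       "score": score, "findings": len(related)})
    return sorted(ranked, key=lambda r: (-r["score"], r["resource"]))

if __name__ == "__main__":
    for row in correlate(FINDINGS, ATTACHED):
        print(row)
```

Ranked by severity alone, vm-web-01 and vm-batch-07 tie; once the exposed port and the over-privileged role are joined to the same workload, vm-web-01 clearly comes first.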
While CNAPP is gaining popularity, there are concerns about whether too much is being combined into one platform. It is becoming a zoo of acronyms. Balancing the breadth of features with specialization and cost is crucial. Choosing a CNAPP depends on specific customer needs, meaning there isn't a one-size-fits-all solution. Instead, the best option varies per use case. Integrating CNAPP seamlessly with existing technology ecosystems is vital for a successful cloud security strategy. Considerations for necessary integrations include cloud providers (AWS, GCP, Azure), code pipelines (repositories, automation platforms, CI/CD), and other security tools (SIEM, SOAR, SAST/DAST).
Compliance in the cloud
One of the broader use cases that CNAPP addresses is alignment with regulatory and internal compliance standards. Cloud hosting introduces compliance considerations distinct from on-prem environments due to the shared responsibility model. Customers must manage control plane configurations, data security, and network architecture. CSPM, now a core CNAPP functionality, helps ensure compliance by breaking down frameworks into individual controls or policies, and highlighting specific points of misconfiguration to show what needs to be fixed to become compliant.
Many CNAPPs offer customization options, simplifying compliance for customers. They provide out-of-the-box frameworks, allow easy selection of frameworks to be used to assess overall environment compliance, and enable custom policy creation. For customers with significant compliance burdens, choosing a CNAPP with the most relevant regulatory frameworks is important.
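The way CSPM breaks a framework into controls, and how a custom policy sits alongside an out-of-the-box framework, can be sketched as follows. This is an added example, not code from any CNAPP: the framework, control ids (EX-*, ORG-*), resource inventory, and attribute names are constructed for illustration and do not correspond to a real standard or provider API.

```python
# Constructed resource inventory; attribute names are illustrative only.
RESOURCES = [
    {"id": "bucket-public", "type": "bucket", "public": True, "encrypted": True},
    {"id": "bucket-private", "type": "bucket", "public": False, "encrypted": False},
    {"id": "db-orders", "type": "database", "public": False,
     "encrypted": True, "backup_days": 3},
]

# Hypothetical framework broken into controls: id -> (resource type, title, check).
FRAMEWORK = {
    "EX-1": ("bucket", "buckets are not public", lambda r: not r["public"]),
    "EX-2": ("bucket", "buckets are encrypted at rest", lambda r: r["encrypted"]),
    "EX-3": ("database", "databases are encrypted at rest", lambda r: r["encrypted"]),
}
# Hypothetical custom policy defined by the organization itself.
CUSTOM = {
    "ORG-1": ("database", "backups retained at least 7 days",
              lambda r: r.get("backup_days", 0) >= 7),
}

def assess(resources, controls):
    """Evaluate every control and list the exact resources that fail it."""
    report = {}
    for cid, (rtype, title, check) in controls.items():
        in_scope = [r for r in resources if r["type"] == rtype]
        failing = [r["id"] for r in in_scope if not check(r)]
        report[cid] = {"title": title, "in_scope": len(in_scope),
                       "failing": failing}
    return report

def compliance_pct(report):
    """Share of controls with no failing resource, as a whole percentage."""
    passed = sum(1 for c in report.values() if not c["failing"])
    return round(100 * passed / len(report))

if __name__ == "__main__":
    report = assess(RESOURCES, {**FRAMEWORK, **CUSTOM})
    for cid, result in report.items():
        status = "PASS" if not result["failing"] else "FAIL"
        print(cid, status, result["title"], result["failing"])
    print("compliance:", compliance_pct(report), "%")
```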
Compliance assessment is one of the most basic features of a CNAPP, but it is foundational to what needs to be accomplished in cloud security. Compliant does not mean secure, but it is a step in the right direction.
Conclusion
There is not a single CNAPP option that is best for everyone. It all comes down to compatibility in technology environments and organizational processes and priorities. WWT is happy to help with these conversations and align your organization with the best fit. If you are interested in learning more, please reach out to your WWT sales team.
In the next iterations of this series, we will explore specific technologies within CNAPP, including the types of scans required to cover the management plane, containers, and serverless. We will also highlight some of our partners.