If you have read part one of this series, you will know by now that CNAPP is a combination of multiple security tools, used to consolidate data points and provide context that prioritizes the most important risks first. However, now that it has so many capabilities, customers need to evaluate much more to make sure they are choosing the right tool for their use cases. In part two, we are going to break down several of the categories that are important to consider when choosing a CNAPP.  

Agent-based vs. agentless approaches 

The market interest in CNAPP surged with the emergence of agentless scanning. It was initially met with skepticism: could an entire environment really be secured with such lightweight data-gathering methods? While agentless solutions offer widespread visibility, they may not provide comprehensive security.  

In this context, we are typically talking about CSPM, CIEM, and CWPP, the core functionalities of CNAPP. Agentless scanning makes a lot of sense for CSPM and CIEM, because with these capabilities we are looking at configurations across multiple cloud environments, creating a baseline, and watching for any incorrect configurations, inappropriate permissions, or changes from the baseline. CWPP can be performed with agentless methods, typically by taking a point-in-time snapshot of the disk attached to a VM and scanning that for vulnerabilities, malware, threats, etc.  

When used for CWPP, agentless scanning may lack visibility into active threats within a workload environment. Agent deployment, while sometimes unwanted, is essential for identifying active threats, tracking real traffic, and securing unique cloud resources (as long as those agents are adapted for the cloud). Most CNAPPs conduct agentless scanning every 24 hours, leaving gaps for potential suspicious activity. Agents provide insights into activities within workloads in real time, such as process execution and file access, offering a deeper understanding of threats, even if that workload was only active for 30 seconds.  
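The baseline-and-drift workflow described above for agentless CSPM/CIEM, as an added example (not code from the original post or from any CNAPP vendor): two configuration snapshots, as an agentless scanner might collect them through cloud APIs 24 hours apart, are compared attribute by attribute and each drift is rated by whether it loosens a security-relevant control. The snapshot format, resource names and attribute names are assumptions made for the example.

```python
"""Baseline-and-drift check over agentless cloud configuration snapshots.

Added example, not code from the original post or any CNAPP vendor. The
snapshot format (resource ID -> attribute dict) is a hypothetical one chosen
for the example; the resource IDs and values below are constructed.
"""
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, Dict[str, object]]

# Constructed baseline snapshot (hypothetical account, not real data).
BASELINE: Snapshot = {
    "s3://billing-archive": {"public_access_block": True, "encryption": "AES256", "versioning": True},
    "sg-0123abcd": {"ingress": [("tcp", 443, "10.0.0.0/8")]},
    "iam-role/app-reader": {"policies": ["ReadOnlyAccess"]},
}

# Constructed snapshot taken by the next scheduled agentless scan.
CURRENT: Snapshot = {
    "s3://billing-archive": {"public_access_block": False, "encryption": "AES256", "versioning": True},
    "sg-0123abcd": {"ingress": [("tcp", 443, "10.0.0.0/8"), ("tcp", 22, "0.0.0.0/0")]},
    "iam-role/app-reader": {"policies": ["ReadOnlyAccess", "AdministratorAccess"]},
    "iam-user/temp-contractor": {"policies": ["PowerUserAccess"]},
}


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Tuple[str, str, object, object]]:
    """Return (resource, attribute, old, new) for every attribute that changed.

    Attributes of newly created resources appear with old=None; attributes of
    deleted resources appear with new=None.
    """
    findings = []
    for rid in sorted(set(baseline) | set(current)):
        old_cfg = baseline.get(rid, {})
        new_cfg = current.get(rid, {})
        for attr in sorted(set(old_cfg) | set(new_cfg)):
            old, new = old_cfg.get(attr), new_cfg.get(attr)
            if old != new:
                findings.append((rid, attr, old, new))
    return findings


def severity(rid: str, attr: str, old: Optional[object], new: Optional[object]) -> str:
    """Rate a single drift: 'high' when it loosens a control, 'medium' for
    anything newly appeared, 'low' otherwise."""
    if attr == "public_access_block" and old is True and new is False:
        return "high"  # a bucket lost its public-access guard
    if attr == "ingress":
        added = set(new or []) - set(old or [])
        if any(cidr == "0.0.0.0/0" for _, _, cidr in added):
            return "high"  # a security group rule opened to the internet
    if attr == "policies":
        added = set(new or []) - set(old or [])
        if "AdministratorAccess" in added:
            return "high"  # a principal gained admin rights
    if old is None:
        return "medium"  # new resource or attribute: worth a review
    return "low"


def drift_report(baseline: Snapshot, current: Snapshot) -> List[Tuple[str, str, str]]:
    """Return (severity, resource, attribute) for every drifted attribute."""
    return [
        (severity(rid, attr, old, new), rid, attr)
        for rid, attr, old, new in diff_snapshots(baseline, current)
    ]


if __name__ == "__main__":
    for sev, rid, attr in sorted(drift_report(BASELINE, CURRENT)):
        print(f"[{sev.upper():6}] {rid}: {attr} drifted from baseline")
```

Note that anything that happened and was undone between the two snapshots is invisible to this check; that is the gap the post attributes to a 24-hour agentless cadence, and the reason it recommends agents for active-threat detection inside workloads.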

Vendors take different approaches to CNAPP with an emphasis on certain areas, often depending on where they began this journey, for example, agent-based detection and response or API-based scanning of cloud environments. This is another consideration when choosing a CNAPP. Always prioritize what your organization's top concerns are, rather than what might be most prevalent in the market. 

Container security 

Containers have become a highly impactful technology in the cloud due to their portability, efficiency, and scalability. However, securing containers is complex. This is partially due to their ephemeral nature but expands beyond that. Containers have layers (like an onion). In containerization, Kubernetes (K8s) is the most common orchestration platform. Within K8s, containers run on pods, which run on nodes within a cluster. Even with both agent installation and API collection, gaps may still exist between the numerous layers. CNAPP providers address these concerns differently, each balancing visibility and ease of use in their own way. Options may include queries to the K8s API, an eBPF agent, K8s admission controllers, audit log ingestion, and more. 

Image Source: Anthony Glackmeyer

Serverless containers, managed by cloud providers (e.g., AWS Fargate, Azure Container Instances, Google Cloud Run), present a different set of considerations. While some may say that this is a more secure way to deploy containers because the infrastructure is managed by the cloud provider, that same reason results in less visibility and control. You are only able to see what the cloud provider exposes to you. Not to mention, agent installation becomes even more difficult. CNAPP can use its agentless scanning to proactively secure serverless containers by monitoring configuration and access controls, but there is not much room for any reactive security measures.  

Code security 

The cloud's flexibility benefits developers but poses challenges for security teams. Developers revel in the fast nature of cloud, whereas security teams dread it. Fast typically means insecure, but in this day and age, companies can't risk moving slowly. A balance needs to be found between developers and security teams. 

The way CNAPP aims to solve this problem is through code scanning, primarily focusing on IaC and container image repositories, looking for vulnerabilities, exposed secrets, and more. The idea is to meet developers where they are: implement security measures before their work is ever deployed in the first place, proactively eliminating clear risks and reducing the burden of security on development cycles. Most commonly, we see scanning capabilities for VCSs, IDEs, and CI/CD pipelines via CLI integrations. In some cases, a CNAPP may even include ASPM capabilities, where it is able to see the overall posture of the application and its dependencies alongside the posture of the infrastructure it is running on. 
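A minimal version of the IaC scan described above, as an added example (not code from the original post or from any CNAPP product): it reads a Terraform configuration in Terraform's JSON syntax (.tf.json, so no HCL parser is needed), flags hard-coded credentials and known secret formats, and checks a couple of resource settings that should never reach deployment. The resource names, key and password values are constructed placeholders, and the two misconfiguration rules are illustrative, not a complete policy set.

```python
"""Pre-deployment scan of a Terraform JSON configuration for exposed secrets
and risky resource settings.

Added example, not code from the original post or any CNAPP product. Assumes
Terraform's JSON configuration syntax (.tf.json). All names and values in the
sample document are constructed placeholders.
"""
import json
import re
from typing import Any, Iterator, List, Tuple

# Constructed sample configuration with two leaked credentials, a hard-coded
# database password, a public bucket and an unencrypted database.
SAMPLE_TF_JSON = json.dumps({
    "provider": {
        "aws": {"region": "us-east-1",
                "access_key": "AKIAIOSFODNN7EXAMPLE",
                "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    },
    "resource": {
        "aws_s3_bucket": {
            "public_site": {"bucket": "example-public-site", "acl": "public-read"},
            "archive": {"bucket": "example-archive", "acl": "private"},
        },
        "aws_db_instance": {
            "main": {"engine": "postgres", "storage_encrypted": False,
                     "username": "admin", "password": "SuperSecret123!"},
        },
    },
})

# Value-shape patterns: matched against every string in the document.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
# Attribute names whose literal values should come from a variable or vault.
SECRET_KEY_NAMES = {"password", "secret_key", "secret", "token", "api_key"}


def walk(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], Any]]:
    """Yield (path, value) for every scalar in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, path + (str(i),))
    else:
        yield path, node


def find_secrets(doc: Any) -> List[Tuple[str, str]]:
    """Return (finding_type, dotted_path) for each suspected hard-coded secret."""
    hits = []
    for path, value in walk(doc):
        if not isinstance(value, str):
            continue
        dotted = ".".join(path)
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(value):
                hits.append((label, dotted))
        # A literal under a secret-named key is a finding; an interpolation
        # such as "${var.db_password}" is a reference and is allowed.
        if path[-1] in SECRET_KEY_NAMES and value and not value.startswith("${"):
            hits.append(("hardcoded_" + path[-1], dotted))
    return hits


def find_misconfigs(doc: Any) -> List[Tuple[str, str]]:
    """Return (finding_type, resource_address) for risky resource settings."""
    findings = []
    resources = doc.get("resource", {})
    for name, cfg in resources.get("aws_s3_bucket", {}).items():
        if cfg.get("acl") in ("public-read", "public-read-write"):
            findings.append(("public_bucket_acl", f"aws_s3_bucket.{name}"))
    for name, cfg in resources.get("aws_db_instance", {}).items():
        if cfg.get("storage_encrypted") is False:
            findings.append(("unencrypted_db_storage", f"aws_db_instance.{name}"))
    return findings


def scan_tf_json(text: str) -> List[Tuple[str, str]]:
    """Parse a .tf.json document and return all findings."""
    doc = json.loads(text)
    return find_secrets(doc) + find_misconfigs(doc)


if __name__ == "__main__":
    for kind, where in scan_tf_json(SAMPLE_TF_JSON):
        print(f"{kind:24} {where}")
```

Run as a pre-commit hook or CI step, a non-empty result would fail the build before the configuration is applied, which is the "before their work is ever deployed" point the post makes; the same walk-and-match approach extends to container image manifests and CI variables.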

However, CNAPP is not a full code security or application security tool and should not be interpreted as such. Other tools are necessary, such as SAST/DAST and ASPM (if not included). While a CNAPP cannot solve all of your problems, it may be able to combine and prioritize those problems for you. The beauty of CNAPP is context, and prioritization based on that context. Because of this, third-party integrations are important to consider when choosing a CNAPP. It should be able to integrate with these other security tools to provide a bigger picture.  

Conclusion 

Considering each of these categories in regard to your internal processes, the relations between the teams who will be using the CNAPP, and your overall goals and priorities is important to choosing the right tool. It is always best to break down the bigger picture and focus on the individual pieces that make the most impact. 

Please reach out if you are interested in learning more!