Skip to main content
Back to Questions

What is a Cloud Native Application Protection Platform (CNAPP)?

Cloud-Native Application Protection Platform (CNAPP) is a simplified security architecture that enables enterprises to holistically benefit from the cloud-native ecosystem. It enables them to leapfrog the cost and complexity of siloed security products to a continuous security fabric without major investments in tools or developer talent. Today, the ROI for digital transformation is business survival vs. merely business growth as it was pre-pandemic. All organizations wish to leverage the agility and innovation velocity of the public cloud to enable their digital transformation mandate, either solely or in concert with private data centers. However, in order to do that, organizations need a cloud-native platform to address the unique security needs of this new environment.

What are the key challenges of Cloud-Native Application Security? And why is it important to have a CNAPP?

Lack of Visibility into Cloud-Native Applications and Workloads

The modern enterprise is a complex conundrum. Since the beginning of 2020, there has been a 50% increase in cloud usage. Modern Enterprises have grown organically, migrating to the cloud as needed often ending up with a heterogeneous mix of siloed security products managed by siloed security teams. Further, the infrastructure environment is ephemeral. A new persona has emerged such as DevSecOps. Enterprises can only secure what they see, and they need comprehensive visibility across all cloud-native workloads and applications.

Inability to Measure Cumulative Risk for Cloud-Native Applications and Workloads

Cloud-Native Applications are continuously developed and deployed (CI/CD), and modern enterprises lack a way to measure cumulative risk. This includes risks related to misconfigurations and mismanagement that lead to 99% of cloud security breaches for example lack of Identity and Access Management policy-related errors, unnecessary privileges, leaving default public access to sensitive services like MongoDB, Databases, etc.

Beginning in March 2020, there is a 630% increase in third-party attacks on cloud services. The kind of attacks that bad actors are going after are identifying the location of sensitive data, finding out how to exploit misconfigurations (users, identity, and infrastructure configuration), and exploiting vulnerabilities in software as a launching pad to expand and exfiltrate data.  Security and Risk Management leaders need a cumulative risk measure across all vectors of cloud-native applications and workloads.

DevOps Transition to DevSecOps for Cloud-Native Application Security

The spotlight is shining brightly on developers whose role has evolved and expanded from simply CI/CD to enable strategic business outcomes. Enterprises want to unleash their developers to develop compelling and compliant applications to enable strategic business outcomes. Security now needs to be integrated into the software development life cycle (SDLC), breaking the traditional silo’s between Security and DevOps teams. Enabling Infrastructure-as-Code best practices includes vulnerability assessment of images as soon as they are built so that only attested images are deployed, continuous monitoring, automated checks, version control, etc. This adds significantly to the complexity of managing cloud-native resources, and enterprises need a simpler way to leapfrog this complexity without significant investment in developer time and talent.

Components of Cloud-Native Application Protection Platform

According to Gartner, “There is synergy in combining CWPP and CSPM capabilities, and multiple vendors are pursuing this strategy. The combination will create a new category of Cloud-Native Application Protection (CNAPs) that scan workloads and configurations in development and protect workloads and configurations at runtime.”

  • Cloud Security Posture Management (CSPM):
    The biggest cloud breaches are caused by customer misconfiguration, mismanagement, and mistakes. CSPM is a class of security tools to enable compliance monitoring, DevOps integration, incident response, risk assessment, and risk visualization. It is imperative for security and risk management leaders to enable cloud security posture management processes to proactively identify and address data risks.
  • Cloud Workload Protection Platforms (CWPP):
    CWPP is an agent-based workload security protection technology. CWPP addresses unique requirements of server workload protection in modern hybrid data center architectures including on-premises, physical and virtual machines (VMs) and multiple public cloud infrastructure. This includes support for container-based application architectures.