What is a CNAPP and why is it the future of cloud security?
With the advent of cloud native application architectures, such as containers, Kubernetes, and serverless, it is now even easier for organizations to deploy their applications in the cloud, reducing costs and increasing agility. Yet in a recent survey conducted by 451 Research, 46% of respondents said that security and compliance concerns represent the top concern of using cloud-native technology.
CNAPP is a category coined by Gartner and stands for ‘Cloud-Native Application Protection Platforms’. In the recent Gartner® report, Innovation Insight for Cloud-Native Application Protection Platforms, the analyst firm highlights the benefits and uses of a CNAPP.
CNAPPs solve a number of challenges that security teams are facing with current security approaches, including:
- Gaps in coverage from traditional security tools that require agents on all workloads
- Difficulties in deploying and maintaining scanners and agents
- Alert fatigue caused by ineffective risk prioritization
- Lack of security integration throughout the development lifecycle
- Multiple disparate tools create overhead for security teams
To address these challenges and more, Gartner advises Security and Risk Management leaders to “evaluate emerging cloud-native application protection platforms that provide a complete life cycle approach for security.” – Gartner, Inc., Innovation Insight for Cloud-Native Application Protection Platforms, Neil MacDonald and Charlie Winckless, August 25, 2021
With this new CNAPP category, Gartner is recognizing that cloud-native applications need cloud-native security that is robust yet as agile as the cloud. Instead of security that gets bolted on after applications are deployed, security needs to be seamlessly integrated into the CI/CD process.
In addition, Gartner encourages moving towards tool consolidation—particularly combining CSPM and CWPP capabilities into one platform—to reduce complexity and benefit from contextual insights. Instead of siloed views, CNAPPs have full coverage and visibility into cloud estates and can detect risks across the technological stack, including cloud configuration, workload, and identity. By combining vulnerabilities, context, and relationships, true CNAPPs can recognize how seemingly unrelated low severity risks can be combined to create dangerous attack vectors.
In this guide, we outline the 5 most important points to consider when selecting a CNAPP for your organization.
The most significant benefit of a CNAPP approach is better visibility and control of cloud-native application risk.
Criteria #1: Multiple tools in one
One of the primary goals of a CNAPP is to consolidate multiple cloud security tools into one platform, providing the ability to:
- Detect IAM and resource misconfigurations and compliance violations in your public cloud estates (as performed by Cloud Security Posture Management (CSPM) tools)
- Detect misconfiguration and compliance violations in Kubernetes (as performed by Kubernetes Security Posture Management (KSPM) tools)
- Detect vulnerabilities, security misconfigurations, insecure secret management, and active compromises in cloud workloads, whether they are VMs, containers, or serverless functions (as performed by Cloud Workload Protection Platforms (CWPP) solutions)
- Assess the permissions configuration of your cloud environment against least privilege and other identity and entitlement management best practices (as performed by Cloud Infrastructure Entitlement Management (CIEM) solutions)
- Scan containers and images as early as possible in the application development pipeline for risks such as security vulnerabilities, misconfigurations, insecure secrets management, and more (as performed by Infrastructure as Code (IaC) tools)
Tool consolidation, however, is only part of the overall objective. Even more important is the comprehensive detection of risks and vulnerabilities in your cloud estate—including malicious activity from cloud events—to help facilitate cloud security and compliance. For example, malware detection, the detection of lateral movement risk, surfacing identity and access management (IAM) misconfigurations, and the identification of insecurely stored sensitive data are critical cloud security capabilities. Look for a CNAPP that includes these capabilities to avoid having to deploy point solutions.
There is synergy in combining CWPP and CSPM capabilities, and multiple vendors are pursuing this strategy. The combination will create a new category of CNAPPs.
Questions to ask:
- Does the vendor detect vulnerabilities in cloud plane resources as well as in workloads?
- Does the vendor detect PII and sensitive data on internet-exposed assets?
- Does the vendor detect unknown malware and not only signatures of existing malware?
- Does the vendor detect lateral movement and privilege escalation risk for cloud assets and workloads?
- Does the vendor scan all workloads and scaling groups (i.e., VMs, containers) in your cloud estate, or only representative samples?
Criteria #2: Agentless
Until recently, cloud security was largely powered by CWPPs that required an agent on each workload. Newer CSPM solutions do not require agents but only provide visibility into cloud misconfigurations without any insight into workloads. While agents can provide visibility into issues within the OS, applications, and data by looking into files, processes, and registry data, they have several disadvantages:
- To be effective, agent-based solutions require agents to be deployed on each and every asset, an impractical task when operating in the cloud.
- Deploying and maintaining agents is a tremendous operational burden for IT and security teams.
- The partial deployment of agents results in serious blind spots, making it impossible to get an accurate view of your cloud security risk posture.
- Using agents for near real-time protection — especially in critical production environments — can impact performance or even crash critical applications.
- Because they do not adhere to the principle of least privilege, agents put the organization at risk for supply chain attacks.
- Team dependencies for agent installation and maintenance create organizational friction.
There are many CNAPPs that still require agents. However, newer, fully agentless CNAPPs lead the way in terms of innovation and ease of use. These CNAPPs collect data externally, reviewing workloads’ runtime block storage out of band, to instantly provide complete and in-depth coverage without the disadvantages associated with agents. In addition, agentless solutions offer several other advantages, including faster and easier deployments that adapt much more easily as your cloud estate evolves, wider coverage of assets (including those that run older and custom operating systems), reduced organizational friction, and lower operational costs.
Cloud-native workloads are usually ephemeral, and traditional stand-alone protection that requires agent deployment will be operationally challenging.
Questions to ask:
- Does the vendor offer agentless cloud workload protection?
- Does the vendor support VMs, containers and Kubernetes, and serverless across major clouds?
- If vendors say they are agentless, is that just for the control plane (CSPM) or on the workload side as well?
- Does the vendor’s agent support older or end-of-life operating systems, and all of your current ones?
- Does the agentless vendor also capture events from the cloud vendor logs for malicious activity?
Criteria #3: Context-aware risk prioritization
The biggest value that a CNAPP brings is the ability to view risks holistically in a single, unified data model instead of as a series of siloed risks. Done correctly, this produces a highly contextual view of all the different risks in the cloud environment and prioritizes them based on severity, access, and business impact, allowing security organizations to immediately understand and remediate their most critical issues.
Many tools prioritize risks based only on the CVSS score and ignore other relevant factors, such as whether the asset is connected to the Internet or whether it enables lateral movement to sensitive data. As a result, risks are not appropriately prioritized and security teams risk remediating low-risk threats while missing high-risk threats. For example, malware found in a powered-off VM doesn’t warrant urgent attention, but the malware-infected, internet-facing workload housing a secret key that unlocks sensitive data in an adjacent workload should be addressed immediately.
By visualizing risks in an attack path, a CNAPP allows security teams to see how a combination of seemingly unrelated issues—identities, permissions, networking and infrastructure configuration—can be leveraged to access their most valuable assets.
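As an added illustration (not code from the original article or from Orca's product), the toy model below scores the scenario described above: a powered-off VM carrying high-CVSS malware ranks below a lower-CVSS, internet-facing workload whose stored key reaches sensitive data. The asset names, weights and inventory are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    cvss: float                  # highest CVSS of the findings on this asset
    internet_facing: bool
    powered_on: bool
    sensitive_data: bool = False
    credentials_for: list = field(default_factory=list)  # assets whose keys are stored here

def reachable_sensitive(inventory, start):
    """Follow stored credentials hop by hop; return the sensitive-data assets reachable."""
    seen, stack, hits = {start}, [start], []
    while stack:
        cur = stack.pop()
        for nxt in inventory[cur].credentials_for:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
                if inventory[nxt].sensitive_data:
                    hits.append(nxt)
    return hits

def contextual_score(inventory, name):
    """CVSS adjusted by power state, exposure and lateral-movement reach (constructed weights)."""
    a = inventory[name]
    score = a.cvss if a.powered_on else a.cvss * 0.2   # dormant VM: no live attack surface
    if a.internet_facing:
        score += 2.0
    if reachable_sensitive(inventory, name):         # a key here unlocks sensitive data elsewhere
        score += 3.0
    return min(score, 10.0)

def severity(score):
    return "critical" if score >= 9 else "high" if score >= 7 else "medium" if score >= 4 else "low"

def rank(inventory, scorer):
    """Asset names ordered from most to least urgent under the given scoring function."""
    return sorted(inventory, key=lambda n: scorer(inventory, n), reverse=True)

# Constructed inventory mirroring the article's example (hypothetical asset names)
INVENTORY = {a.name: a for a in [
    Asset("archive-vm", 9.8, internet_facing=False, powered_on=False),
    Asset("web-01", 7.5, internet_facing=True, powered_on=True, credentials_for=["db-01"]),
    Asset("db-01", 5.0, internet_facing=False, powered_on=True, sensitive_data=True),
    Asset("batch-worker", 8.1, internet_facing=False, powered_on=True),
]}

if __name__ == "__main__":
    print("CVSS only :", rank(INVENTORY, lambda inv, n: inv[n].cvss))
    print("Contextual:", rank(INVENTORY, contextual_score))
```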
When evaluating CNAPPs, beware of vendors repackaging tools into one SKU with no single pane of glass or integration. It’s not uncommon for vendors to “bolt” together previously separate tools (often acquired through acquisition) and rebrand them as a CNAPP.
Gartner specifically cautions companies against these strategies:
Maximize the use of one third-party vendor across cloud security capability areas to reduce tool complexity. However, be cautious: many third-party vendor “suites” consist of independent acquisitions and may not actually provide coherent control from one single administration point. Set expectations accordingly and assess the reality of integration claims.
Questions to ask:
- Can the vendor detect attack paths to crown jewels and determine business impact with MITRE ATT&CK visualization?
- Can the vendor discover sensitive data/PII and prioritize risks accordingly?
- Can the vendor distinguish between risks on internet-facing assets (high risk) and risks on non-internet-facing assets (low risk)?
- Can the vendor detect and prioritize risks based on lateral movement risk?
- Does the vendor leverage a unified data model, or does each tool have its own data model?
Criteria #4: CI/CD security and integrations
Two important factors in choosing the right CNAPP are how well it fits into current workflows and whether it provides protection for cloud-native applications throughout the development lifecycle. Look for a CNAPP that provides capabilities to build security into the CI/CD process, allowing you to shift left and discover issues early on. The goal is to reduce friction between engineering, DevOps, and cloud security teams, encouraging collaboration both before and after production, while reducing the number of tools in the security stack.
CNAPPs should have the ability to scan development artifacts, source code, containers, serverless functions, virtual machines, and IaC.
Furthermore, CNAPPs should include a wide variety of technology integrations to increase automation, improve efficiency, and expedite remediation. These integrations should enable security teams to prioritize, customize, and integrate automated alerts into existing workflows.
Implement an integrated security approach that covers the entire life cycle of cloud-native applications, starting in development and extending into production.
Questions to ask:
- Can the vendor scan code repositories, such as GitHub?
- Does the vendor offer IaC capabilities as well as the ability to scan images for vulnerabilities, and misconfigurations in pre-production?
- What is the process for integrating the security vendor offering into the CI/CD process?
- Does the vendor offer a wide range of third-party integrations, e.g., repository tools (DockerHub, JFrog Artifactory), CI/CD tools (Jenkins, Gitlab CI, GitHub), ticketing systems (Jira, Azure DevOps, ServiceNow), SIEMs (Splunk, SumoLogic, AzureSentinel, Datadog), SOARs (Cortex XSOAR), notification offerings (Slack, PagerDuty), and remediation orchestration (Torq)?
Criteria #5: Vendor support & ratings
As with any security solution, when evaluating CNAPPs, it is important to consider the quality of customer support and whether the vendor can accommodate your particular business needs. Depending on the size of your team and the learning curve involved in using the solution, verify that the vendor provides the appropriate level of customer support you need to get the value promised. Verify through the evaluation process that the vendor is responsive and focused on customer needs.
Look at how many reviews a vendor has received and what the ratings are on common peer-to-peer review websites, such as Gartner Peer Insights, PeerSpot, and G2 Crowd.
Case studies are another valuable source of third-party validation. The quantity and breadth of the available case studies point to a wide install base of satisfied customers.
Thanks to Orca, within hours we were able to quickly identify Log4j in our cloud estate. Orca is much more than a product; it is also a trusted partner that has our back in difficult situations.
Questions to ask:
- Does the vendor have a significant number of published case studies on their website?
- Does the vendor have a customer success engineering team?
- What are the vendor’s support hours?
- Can we speak to a reference customer in an industry similar to ours?
- How is the CNAPP solution priced to secure cloud resources, workloads, data and identities?
- Does the vendor offer a PoC to test out the solution?
Summary
CNAPPs combine cloud workload and configuration intelligence, allowing the holistic insight that you just can’t get with separate solutions. By seeing the bigger picture, a CNAPP is able to pinpoint exactly which issues are critical and which ones are not, as well as recognize when seemingly unrelated issues can be combined to create dangerous attack paths.
Remember, a primary objective of a CNAPP is to consolidate cloud security tools in one platform, reducing the complexity and cost of managing disparate tools, and combining context with risk detection to effectively prioritize the most critical issues.
One final suggestion from us. What better way to find out if a solution is the right one for your organization than to try it out for free? If the vendor is confident of their platform, they will provide a free trial or risk assessment since they know that once an organization can see the value that their platform brings, they will want to purchase the solution. In short, the ‘proof is in the pudding’.
By integrating vulnerabilities, context and relationships across the development life cycle, excessive risk can be surfaced, enabling development teams and product owners to focus on remediating the areas of the application that represent the most risk.
We sincerely hope this buyer’s guide is helpful in your CNAPP journey. Wishing you and your security team success.
Article translated and made available by DigitalSkills Consulting - official distributor of cybersecurity solutions from the vendor Orca Security. For more information: www.digitalskills.pt | [email protected] | 21 418 05 21
Original article on the vendor's website at https://orca.security/resources/blog/5-considerations-for-evaluating-cnapp-vendors/