Depending on the maturity level of cloud adoption in your organization, you may be trying some services in the cloud, as a PoC, just running a few applications, or totally embracing this new era of cloud. Whether you are in the early stages or running all of your workloads in production, you probably already noticed that cloud-native security is different from IT-managed data center security.
A recent Gartner survey found that 50 percent of participating organizations indicated that there is a lack of internal knowledge about cloud-native security.
Meanwhile, security teams are trying to figure out the right security solution to use in the cloud, but new categories and terms keep appearing. So, what are those terms you keep hearing from vendors, cloud providers, and security training courses? What are the things you should focus on?
Gartner, Forrester, IDC, and 451 Group are some of the most well-known analyst firms that strive to describe emerging trends in the market and create definitions for new technologies. They have coined terms like SIEM, CRM, and WAF… but also CSPM, CWPP, and CIEM, among others.
Speaking of which, one of the latest categories mentioned in Gartner’s Emerging Technologies: Future of Cloud-Native Security Operations is CNAPP. Where does this new term fit in? Let’s give a brief description of CNAPP – we can think of CNAPP as the convergence of CWPP, CSPM, and CIEM, plus some other optional goodies. I know, that’s not a very helpful definition, since you may not know what CWPP, CSPM, and CIEM mean yet, right?
Let’s try to find out step by step.
It all started with DevOps teams moving their workloads to the cloud.
In order to secure the whole DevOps workflow, security leaders need to fulfill some specific use cases, and that’s what Cloud Workload Protection Platform (CWPP) tools focus on. They secure workloads, typically providing cloud-based security solutions that protect instances on AWS, Microsoft Azure, Google Cloud Platform (GCP), and other cloud vendors.
What are these use cases?
- Runtime detection: Prevent and detect suspicious behavior at runtime in containers and microservices. Automate response for container threats.
- System hardening: Detect anomalous activity inside of Linux hosts or VM-based workloads running on top of the host.
- Vulnerability management: Detect OS and non-OS vulnerabilities from container images stored in CI/CD and registries before deploying to production.
- Network security: Visualize network traffic inside containers and Kubernetes, and enforce Kubernetes-native network segmentation.
- Compliance: Validate container compliance and ensure File Integrity Monitoring inside containers.
- Incident Response: Conduct forensics and incident response for containers and Kubernetes even after the container is gone.
Those are basically the use cases that fall under a Cloud Workload Protection Platform (CWPP) solution: securing workloads across the whole application lifecycle.
Visit our Cloud Native Learning Hub if you want to learn more about containerized applications security.
As the workloads moved to the cloud and DevOps teams started to provision their own infrastructure, security teams that were used to having a controlled environment in local data centers realized their perimeter had widened. Thus, security teams in charge of securing cloud infrastructure need a different approach, and they must quickly adapt to the dynamic nature of ephemeral infrastructure.
Cloud-bound teams must also adapt to the new paradigm of the cloud infrastructure environment (immutable infrastructure, policy as code, and identity as the new perimeter, among others).
As in local data centers, security professionals still have to meet compliance requirements for host instances, user accounts, and data privacy. But without visibility into which assets they actually have in the cloud, it is really difficult to keep track of misconfigurations in those assets.
Cloud Security Posture Management (CSPM) is the solution that unifies the different use cases aimed at protecting the cloud control plane: basically, tracking cloud resources and verifying the static configuration of the cloud. Some CSPM solutions add extended capabilities, like providing remediation.
Also, one of the main use cases of CSPM is to check that cloud settings follow best practices. Having compliance framework controls and benchmarks mapped out of the box saves cloud teams time when addressing things like:
- Data storage exposed directly to the internet.
- Lack of encryption on databases.
- Lack of multi-factor authentication enabled on critical system accounts.
Getting notified when a violation occurs lets teams prioritize and act on its remediation.
Identity Management and data privacy are also important aspects of a cloud security program.
As mentioned before, when the perimeter was the local data center, it was easier to control who had access to what. Now, even serverless functions can act like users who access data.
To address the cloud permissions gap, we have Cloud Infrastructure Entitlement Management (CIEM). With CIEM, you know not only which human and non-human identities can access which resource, but also which permissions they actually use on a daily basis, and CIEM suggests policy modifications to enforce least-privilege access.
Let’s say we have a group of users who are part of a project. These users are responsible for uploading images into an ECR repository and running those containers in EC2 instances, as well as for a number of auto-scaling actions. There’s no need for them to have all the permissions an administrator has, even though that approach may be the simplest to configure. Are they going to be deleting VPCs? That is not one of their tasks. Getting rid of excessive permissions is the first step to reducing collateral damage from credential theft.
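The scenario above, as an added example that is not part of the original article: a CSPM-style static check that flags the admin-like wildcard policy, and a CIEM-style right-sizing step that rebuilds the group's policy from the actions it was actually observed using. The policy documents, the observed action set and the repository ARN are all constructed for illustration.

```python
from typing import Dict, List, Set

# Constructed example: the "simplest to configure" policy for the project group,
# which grants everything an administrator has (the pattern the text warns against).
ADMIN_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: the actions the group actually performed (ECR push, EC2 launch,
# autoscaling), as a CIEM tool would derive from recent CloudTrail-style activity.
OBSERVED_ACTIONS = {
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload",
    "ecr:PutImage", "ec2:RunInstances", "ec2:DescribeInstances",
    "autoscaling:UpdateAutoScalingGroup", "autoscaling:SetDesiredCapacity",
}
REPO_ARN = "arn:aws:ecr:us-east-1:123456789012:repository/project-app"  # constructed

def wildcard_findings(policy: Dict) -> List[str]:
    """CSPM-style static check: flag Allow statements whose Action is "*" or "service:*"."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if st.get("Effect") == "Allow" and wild:
            findings.append(f"Statement {i}: wildcard actions {wild} on {st['Resource']}")
    return findings

def suggest_least_privilege(observed: Set[str], repo_arn: str) -> Dict:
    """CIEM-style right-sizing: allow only the observed actions, one statement per
    service, with repository-level ECR actions scoped to the team's repository."""
    by_service: Dict[str, List[str]] = {}
    for action in sorted(observed):
        by_service.setdefault(action.split(":")[0], []).append(action)
    statements = []
    for service, actions in sorted(by_service.items()):
        if service == "ecr":
            # ecr:GetAuthorizationToken is account-wide and must use Resource "*";
            # the remaining ECR actions are resource-scoped to the one repository.
            token = [a for a in actions if a == "ecr:GetAuthorizationToken"]
            repo = [a for a in actions if a != "ecr:GetAuthorizationToken"]
            statements += [{"Effect": "Allow", "Action": token, "Resource": "*"}] if token else []
            statements += [{"Effect": "Allow", "Action": repo, "Resource": repo_arn}] if repo else []
        else:
            statements.append({"Effect": "Allow", "Action": actions, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}
```

The suggested policy deliberately contains no `ec2:DeleteVpc` or other unobserved action, which is the "collateral damage" reduction the paragraph describes: stolen credentials for this group can only do what the group already does.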
If you made it this far, congratulations, you are about to uncover the figure after connecting the dots. :)
So, we were saying CNAPP is the combination of different use cases that fall into the CWPP, CSPM, and CIEM categories, but let’s go to the source:
“Cloud-native application protection platform (CNAPP) provides more than CWPP-CSPM convergence: There are two important drivers for CNAPP. Firstly, CWPP vendors are looking to posture to provide workload context. Secondly, CSPMs are challenged to provide more and more visibility while “drilling down” into the workload. CNAPP integrates CSPM and CWPP to offer both, and potentially augments them with additional cloud security capabilities.”
Gartner, Inc., How to Protect Your Clouds with CSPM, CWPP, CNAPP, and CASB, 2021, Richard Bartley, May 6, 2021
I hope CNAPP and the rest of the terms make more sense now than when you started reading the article.
CNAPP solutions promote collaboration between teams (SecDevOps, DevOps, and cloud security operations) by incorporating common workflows, data correlation, meaningful insights, and remediation that reduce friction between the personas.
True CNAPP solutions provide interrelationships between the insights of the different use cases. A nice UI that provides vulnerability scanning is of little use if you don't enrich it with the cloud context of where those images are stored and running. We are not talking about isolated tools bundled together to call it a day.