Fifteen vendors. That’s the number of CNAPPs featured in analyst firm Frost & Sullivan’s recent radar for Cloud Native Application Protection Platforms, the first report to rank CNAPP solution providers to come out at this early stage of the market. Not surprisingly to us, Aqua came out on top (or rather, to the right) when it comes to rating the CNAPP product capabilities and roadmap, or, as Frost calls it, the Innovation Index.
So, why is it that Aqua was ranked as the Innovation Leader despite the presence of much larger vendors with deeper pockets? To understand this, let’s clear up the confusion around CNAPPs and delve into what innovation in this space really means to customers – both in terms of current selection criteria as well as future capabilities.
“Shift Left” and “Shift Right” are Inseparable
Joining early identification of issues in the SDLC with runtime controls has been at the heart of cloud native security since before CNAPP was defined two years ago. Aqua pioneered this concept in 2016, at first for containers, then extending it across all cloud native technologies. The reason is simple: the combination of DevOps velocity with CI/CD and frequent updates, the use of open source, and the notion of immutable infrastructure necessitate an approach that embeds security into the dev cycle, allowing for visibility, control, guidance, and quick fix cycles.
Finding an issue that’s already in production is not just risky. It leads to fewer issues getting fixed because it misses the best opportunity to fix them – at the very moment they are created. In other words, Shift Left is not just a reactive measure. It is and should be primarily a preventive measure.
At the same time, “shift left” provides much needed context for effective runtime protection – for example, by identifying drift or providing context to overall risk assessment.
Using separate solutions for scanning in development and runtime protections creates inefficiencies and false positives, reduces the effectiveness of security controls, and misses the opportunity for not just vendor consolidation but also for operational efficiency and risk reduction.
For these two parts to work effectively, you need a vendor that’s “at home” with both sides of the equation, and Aqua has constantly done exactly that with its investment in runtime protection on the one hand, and Software Composition Analysis (SCA), IaC security, vulnerability scanning, and software supply chain security on the other.
Visibility ≠ Compliance ≠ Security
One of the benefits of a CNAPP is that it can provide broad visibility across an entire cloud environment, identify areas of risk, and prioritize them. This is important. However, it does not by itself deliver on the promise of protection, the first “P” in CNAPP.
The nature of cloud native workloads is often dynamic and ephemeral. Unfortunately, so is the nature of attacks on cloud native applications. Merely looking at infrastructure configurations, or vulnerabilities, or taking a snapshot of your security posture once a day, does not protect you from attacks. It doesn’t even give you the knowledge that you were attacked, or how that happened. For that, you need runtime protection that works in real time and can at the very least detect attacks, stop them, or limit their impact with highly targeted responses. It’s no longer a question of whether to adopt agentless or agent-based approaches, but how to combine them effectively.
Unlike some vendors in this space, Aqua has been there to do what is ultimately the goal of any security solution – stop attacks. Our real-time detection and response capabilities are market-leading and combined with deep knowledge of what a cloud native attack looks like.
CNAPP is not just a collection of solutions
Although CNAPP emerged from the realization that previously defined solution categories such as Cloud Workload Protection Platforms (CWPP), Cloud Security Posture Management (CSPM), Software Composition Analysis (SCA), etc. should not be managed separately but joined into a single platform, the benefits of CNAPP will be realized by doing a lot more than just smashing them together into a joint dashboard or single sign-on.
Most of Aqua’s capabilities were organically grown, and we’ve been at it longer than most vendors on this report with a singular focus on cloud native security. Naturally, they were added to the platform and not created as separate solutions.
But with the recent launch of our software supply chain security solution as part of the Aqua platform, we’ve demonstrated our commitment to continue to assimilate new capabilities – even those obtained via acquisitions – into the Aqua platform. It’s a deliberate part of our strategy.
Continuous Innovation is Key
The CNAPP solution space is still evolving and has a long way to go before customers can realize its full potential, make their cloud native applications more secure than was previously possible, and do so efficiently.
The one constant in the cloud native space for the foreseeable future is change. There is a baffling array of technologies involved, and they are still getting frequently updated and augmented. Therefore, choosing a CNAPP vendor is not just about point-in-time capabilities but also about its ability to continuously innovate, and here too Aqua has unique advantages. I’d like to highlight two of them.
First, Aqua’s cyber threat research team Aqua Nautilus is the only such team dedicated to studying what real-world attacks on cloud native infrastructure look like, and they’ve been doing it for years. This knowledge isn’t only used for publishing reports and blogs, or issuing advisory alerts. It is embedded into our product, for example in the Lightning Enforcer’s out-of-the-box capabilities, which combine deep technology expertise (eBPF) and threat expertise (Indicators of Attack and Indicators of Compromise) to provide the most robust runtime protection with zero customer knowledge or configuration needed.
Second, Aqua’s long-standing investment in open source tools such as Aqua Trivy and Aqua Tracee gives us immediate and ongoing feedback from a vast user community, enabling us to deliver always up-to-date, high-quality outputs with a constantly expanding set of capabilities.
It is these investments that place Aqua on the shortlist of anyone considering a CNAPP for both present needs and future ones. For Frost’s assessment of Aqua and an overview of the CNAPP market, get the Frost Radar report here.