What is a CNAPP and How to Choose the Right One
A prospect’s CISO recently asked me: “I’m facing a growing stream of vulnerabilities coming from our CI/CD pipelines on the one hand, while our SecOps team is flooded with alerts and configuration issues from our production environment. How do I reconcile those separate streams and focus on what’s really important?”
“Well,” I responded, “funny you should ask because this is what we’ve been doing for our customers these past five years, and now it has a named category.” A cloud native application protection platform, or CNAPP, is an emerging category of security solutions recently defined by Gartner to help identify, assess, prioritize, and adapt to risk in cloud native applications, infrastructure, and configurations.
The prevalence of large-scale cloud native deployments is forcing enterprises to combine “shift left” DevSecOps, intelligent automation, CSPM (cloud security posture management) and CWPPs (cloud workload protection platforms), to bring efficiency and speed to cloud native security — but doing it on their own is proving to be very challenging.
What problem do CNAPPs solve?
Gartner describes the challenge of securing cloud native applications thus: “Rather than treat development and runtime as separate problems — secured and scanned with a collection of separate tools — enterprises should treat security and compliance as a continuum across development and operations, and seek to consolidate tools where possible”. *
That’s where CNAPP comes in. The goal of CNAPP is to provide complete end-to-end security for cloud native environments. Instead of using different point solutions that only solve specific security issues and need to be manually stitched together, organizations should use an integrated platform approach.
According to the Gartner innovation insight report, CNAPP is “an integrated set of security and compliance capabilities designed to help secure and protect cloud native applications across development and production” *.
There are several major benefits of this. Critically, by sharing context between development and production, CNAPP is able to gain a full view of application risk to consistently secure applications across their entire life cycle.
CNAPP is a unified platform that combines the capabilities of several existing cloud security categories, mainly “shift left” artifact scanning, cloud security posture management (CSPM) and Kubernetes security posture management (KSPM), IaC scanning, cloud infrastructure entitlements management (CIEM), and runtime cloud workload protection platform (CWPP).
But what are the essential attributes that a Cloud Native Application Protection Platform must possess in order to qualify as a true CNAPP? Let’s examine.
‘CN’ stands for cloud native
It might sound obvious, but solutions that were not built for cloud native cannot be considered CNAPPs. The reality is that you can’t rely on any old EDR, host-based, or firewall solution in a cloud native environment. With the distributed nature of cloud native applications, ephemeral workloads are dynamically orchestrated, which leaves traditional network-based security tools simply irrelevant.
Being cloud native means that the solution is aware of, and capable of analyzing, tracking, monitoring and controlling different types of cloud native workloads — such as containers, serverless functions, and VMs. It must also work within and interface with the full stack of cloud native infrastructure — Kubernetes, infrastructure-as-code (IaC) tools, multiple public cloud providers, and more. By definition, a CNAPP needs to be cloud native itself. Thus, if you scan for container vulnerabilities but are oblivious to other aspects of cloud native, you’re not a CNAPP.
From the start, Aqua was created to handle the security challenges in the new cloud native application stack. Born in the early days of the container revolution, we continue to lead the market with continuous technology innovation, such as the invention of KSPM, Kubernetes security posture management, now part of the scope of CNAPP.
‘A’ stands for application
CNAPPs protect applications. In order to do that, CNAPPs must identify and understand the application context. This means tracking the artifact throughout the application lifecycle and applying security controls that address contextual risk. In practical terms, it’s not enough to just notice that “container 4c01db0b339c executed ps”. You need to know which application that container belongs to, which image it originated from, whether executing ps is normal or not for that container in the specific application, and whether executing ps in that context is legitimate or an IoC (Indicator of Compromise).
To know these things, a solution must be embedded into the CI/CD pipeline and integrate with a broad suite of modern DevOps tooling. Scanning artifacts in the build phase and maintaining their integrity from build to deployment are critical for the application context, which in turn, helps make granular decisions about their deployment (e.g., prevent unvetted images from running in production). Again, if a solution doesn’t do that, it simply can’t be a CNAPP.
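As an added illustration of the application-context point above (example code, not Aqua's), the following turns a bare "container X executed ps" event into a context-aware verdict. It assumes a constructed inventory of containers, a constructed set of pipeline-vetted image digests, and a constructed per-application process baseline:

```python
# Added example (not Aqua's code): enrich a bare runtime event with application
# context before deciding how much it matters.
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: image each running container was started from and the
# application it belongs to. Real deployments get this from the orchestrator.
CONTAINERS = {
    "4c01db0b339c": {"image": "registry.example/shop/checkout@sha256:aaaa", "app": "checkout"},
    "9f2e17c0d1ab": {"image": "registry.example/shop/debug-tools@sha256:bbbb", "app": "checkout"},
}
# Constructed build-time record: image digests the CI/CD pipeline scanned and approved.
VETTED_IMAGES = {"registry.example/shop/checkout@sha256:aaaa"}
# Constructed per-application baseline of processes normally observed at runtime.
BASELINE = {"checkout": {"node", "npm", "sh"}}


@dataclass
class Verdict:
    app: Optional[str]
    image: Optional[str]
    vetted: bool       # image integrity preserved from build to deployment
    expected: bool     # process is part of this application's normal behaviour
    severity: str


def assess_event(container_id: str, process: str) -> Verdict:
    """Turn "container X executed Y" into a verdict that carries application context."""
    meta = CONTAINERS.get(container_id)
    if meta is None:
        # Unknown container: no context at all, so it cannot be trusted.
        return Verdict(None, None, False, False, "high")
    vetted = meta["image"] in VETTED_IMAGES
    expected = process in BASELINE.get(meta["app"], set())
    if not vetted:
        severity = "high"      # unvetted image should never have reached production
    elif expected:
        severity = "info"      # normal behaviour for this application, no alert needed
    else:
        severity = "medium"    # vetted image, but a process outside its baseline
    return Verdict(meta["app"], meta["image"], vetted, expected, severity)
```

The same `ps` execution yields a different severity depending on which image and application the container belongs to, which is the contextual prioritization the text describes.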
Back in 2015, Aqua pioneered the container security space with the concept of full lifecycle security. As we stated in our first-ever blog post, our mission was (and still is) to “provide scalable security for the complete development-to-deployment lifecycle of containerized applications”. Hundreds of enterprise deployments later, it’s very clear that our customers and the market at large understand that a unified full lifecycle approach is the only effective way to secure cloud native applications. Using separate solutions for shifting left and runtime protection is ineffective, creates security gaps, and leaves organizations endlessly chasing vulnerabilities and runtime events with no context to prioritize and mitigate them rapidly.
‘P’ means protection
There’s a reason why “protection” is used here. CNAPPs are not simply visibility, monitoring, or observability solutions. Simply put, protection means that a CNAPP should be able to stop attacks as they happen. Even the most robust ‘shift left’ protection and hardening of the environment won’t protect you from zero-day exploits or runtime attacks using sophisticated evasion techniques. Prevention is not enough, and a CNAPP should be able to detect and respond to attacks in progress in real time.
The high speed of DevOps and code moving through the CI/CD pipeline is why conventional, older security tools are unable to handle cloud native applications. Unfortunately, cloud native attacks move at the same speed as the cloud native apps themselves. It’s not enough to know today that you were breached yesterday – by today the attackers will have vamoosed, having gotten what they came for within minutes, if not within seconds of the attack.
The runtime piece is where most CNAPPs fall short today, and where Aqua excels with granular runtime controls, such as drift prevention. This means we monitor running workloads and deterministically prohibit any changes to a container that was authorized to be deployed. With our new CNDR capability, we can identify other suspicious behaviors observed in the wild and prevent that as well. On top of that, Aqua can block any suspicious activity without killing containers and with no application downtime.
And the other ‘P’ stands for platform
Yes, there are two Ps in CNAPP. Due to the breadth of capabilities required from a CNAPP — both across the application lifecycle, and in supporting multiple types of workloads, stacks, and cloud environments — this must be a platform with multiple integrations, tied into multiple teams and processes within the organization.
What about other requirements? A platform must provide a unified, consistent experience. Many existing solutions on the market are either partial, covering only one piece of the puzzle (runtime only, scanning only, infrastructure only), or are made up of several acquired products that aren’t integrated and can’t provide a truly seamless experience.
Beyond that, a platform must be available as SaaS or on-prem (self-hosted) to suit the needs of highly regulated industries, such as finance and healthcare.
Today, Aqua is the most integrated platform on the market, with the broadest platform support from clouds to platforms (such as Red Hat OpenShift or VMware Tanzu Application Service), as well as Windows containers, and with consistent controls across an entire application lifecycle, up and down the stack.
Additionally, Aqua is the only CNAPP with extensive role-based access controls that supports separation of duties (SoD) across multiple applications, teams, and roles, enabling true enterprise-wide implementations that protect some of the largest cloud native environments out there.
With a deeply integrated platform, Aqua is the gold standard for CNAPP, embedding controls early in development and carrying them seamlessly all the way into production, protecting your applications wherever they’re deployed — on-prem, in the public cloud, or in a hybrid environment. Not only did we pioneer and help shape the CNAPP category, but we’re also constantly driving innovation and pushing the boundaries of what is considered the best-in-class CNAPP.
* Gartner, Innovation Insight for Cloud-Native Application Protection Platforms, Neil MacDonald, Charlie Winckless, 25 August 2021
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.