Lock down cloud applications with a CNAPP
Jun 02, 2022
CNAPP consolidates and automates core cloud security functions
As cybersecurity continues to evolve, one of the more considerable developments in recent years is the emergence of the cloud-native application protection platform (CNAPP).
CNAPP, first popularized by Gartner, can be considered a logical extension of DevSecOps into the cloud. Just as DevSecOps puts security at the heart of the software development lifecycle, CNAPP puts security at the heart of cloud-based application infrastructures rather than tagging it on as an afterthought. CNAPP capabilities span every application lifecycle stage, from code design to testing and debugging to deployment into production and subsequent updates.
CNAPP also consolidates many different security capabilities into a single elegant framework. The result is a reduction of tools security teams use and the time required to correlate events across different contexts, determine which events are actual breaches (or could lead to breaches), and take relevant action to address problems.
CNAPP uses deliberate and extensive automation to look for common issues, vulnerabilities, and misconfigurations in cloud architectures. They either notify cybersecurity teams of the problem or remediate them. The average window of security exposure falls substantially because automated scans of this type span both the development and operations side of the application lifecycle.
Impressive benefits for any application infrastructure
As different CNAPP approaches evolve in the marketplace, the goal of each is typically to allow security teams to:
- Transcend the hub-and-spoke, perimeter-centric security model, delivering superior security for any network topology, including but not limited to any cloud computing model (public, private, or hybrid).
- Deliver exceptional, context-rich insights into application security at every logical point in creating and deploying the application, cradle to grave.
- Bring development and operations teams into tighter alignment on security goals and best practices. However, applications are not deployed on-premises, and some or all team members may be working remotely.
- Shift attention and resources up a layer or two of abstraction. While cybersecurity teams are still responsible for monitoring and resolving security developments and complexities, they can be more concerned with discovering, prioritizing, and solving security problems. Asking which technical platforms host a given application, which tools are apt for that platform, or whether any two tools are integrated becomes a thing of the past.
A range of crucial features apply to various levels of app execution
CISOs who have read this far may wonder what capabilities they can expect. CNAPPs typically incorporate some or all of the following feature clusters:
- Cloud security posture management (CSPM). These features deliver automated scanning of cloud architectures, looking for misconfigurations and helping ensure common vulnerabilities are detected and resolved quickly. An additional benefit is simplified compliance; the terms of government mandates are not always easy for security teams to implement and verify, but automated CSPM capabilities help bridge the gap. CSPM capabilities are pertinent to the application lifecycle's development and operations side. For instance, both reduce the odds of code being accessed by malicious actors and compromised before it's deployed (a supply-side attack) and spot many types of server vulnerabilities in the production environment. Finally, thanks to their continual scanning, CSPM tools collect information about applications wherever they exist and provide continuously updated details on those applications – essential intel for security purposes. If a rogue application has been deployed, or an older application needs updating, CSPM tools let teams know.
- Cloud service network security (CSNS). These features focus on the production side by securing/protecting deployed apps from many attack types, particularly for the logical perimeter inside the cloud. Toward that end, CSNS capabilities may address next-generating firewalling, providing detection and mitigation of denial of service (DoS) attacks that might otherwise slow performance to a crawl, real-time inspection of encrypted traffic such as secure socket layer (SSL) packets, and load balancing, typically as applied to Web servers.
- Cloud workload protection platform (CWPP). This feature secures cloud workloads by locating them, then securing core assets at different stages. Typical examples include SQL and NoSQL databases, application programming interface (API) code, virtual servers, and containers like those associated with Kubernetes.
- Cloud infrastructure entitlement management (CIEM). In a cloud, just as in any other computational architecture, there are many logical services, users, and groups, each with associated app and endpoint permissions, ideally assigned on a least-privilege basis. CIEM capabilities help determine who has which privileges and ensure they are appropriate for business context and job roles to minimize risk. They monitor and manage application access rights by correlating them against policies, reducing or eliminating inappropriate access, detecting and resolving rogue accounts, and ensuring only the right people or services have access and privileges.
Additional capabilities are sometimes available. For instance, infrastructure-as-code (IaC) scanning are usually used to detect misconfiguration of popular serverless computing frameworks like AWS CloudFormation. Your team will want to consider these and other core capabilities described above to assess whether they're applicable in your particular case.
Our own CNAPP solution, Zscaler Cloud Protection, can help you bolster security and perhaps add entirely new security classes to any cloud-hosted application environment.
What to read next