By Andreas Dann | August 30, 2021
Cloud Security Term: Cloud-Native Application Protection Platform (CNAPP)
The cloud security community is filled with acronyms, and it can be hard to keep track of every single term. A relatively new addition is cloud-native application protection platform (CNAPP).
Gartner recently coined the term Cloud-Native Application Protection Platform (CNAPP) to refer to a new category of cloud security tools combining Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP). Generally speaking, CNAPP tools scan cloud configurations for security issues during development and aim to protect the resulting workloads at runtime. In doing so, the tools enrich the security issues they find with context (e.g., which cloud resources they affect) and increase visibility into cloud environments using runtime agents.
Since the shift to cloud-native technologies such as Infrastructure-as-Code, containers, and serverless functions, traditional security tools struggle to provide the coverage needed to protect complete cloud environments. To cope with that, CNAPP focuses on the holistic protection of such cloud-native applications, including the detection of cloud misconfigurations. CNAPP tools therefore aim to correlate and identify high-priority risks instead of producing a long list of security warnings, as is often the case when using separate solutions that each focus only on a specific type of security issue. CNAPP tools help you to solve the following challenges in cloud development:
- Like CSPM tools, they check for cloud security misconfigurations, e.g., open S3 buckets, databases, and open network ports.
- Like CWPP tools, they monitor your cloud workloads and detect anomalies at runtime.
- Like CWPP tools, they provide you with an overview of your security workload and allow the automated detection of vulnerabilities within containers, VMs, or serverless functions by runtime inspection.
- A novel feature of CNAPP tools is that they correlate the findings of CSPM and CWPP tools to identify high-priority risks.
Like CSPM tools, CNAPP tools must be directly integrated into CI/CD pipelines and directly connected to the cloud environment to automatically and continuously scan your development and production environments.
A problem with CSPM and CWPP tools is their lack of context: both kinds of tools produce a large number of warnings that need to be manually triaged, rated, and assessed for the risk they introduce. CNAPP tools, on the other hand, support security teams by providing context for each warning, helping to better assess the associated risk.
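To make the correlation idea concrete, the following sketch (an added example, not code from the original article or from any CNAPP product) joins CSPM-style and CWPP-style findings per cloud resource and ranks the resources by combined risk. The resource names, finding fields, and scoring weights are assumptions made up for illustration.

```python
from collections import defaultdict

# Constructed sample data; resource names, fields and weights are assumptions.
CSPM_FINDINGS = [  # results of scanning the cloud configuration
    {"resource": "vm-web-1", "issue": "port 22 open to 0.0.0.0/0", "public": True},
    {"resource": "s3-logs", "issue": "bucket publicly readable", "public": True},
    {"resource": "vm-batch-7", "issue": "disk not encrypted", "public": False},
]
CWPP_FINDINGS = [  # results of runtime inspection of workloads
    {"resource": "vm-web-1", "issue": "vulnerable SSH daemon package", "severity": "high"},
    {"resource": "vm-batch-7", "issue": "outdated XML library", "severity": "low"},
    {"resource": "fn-thumbnail", "issue": "unexpected outbound connection", "severity": "medium"},
]
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5}


def correlate(cspm, cwpp):
    """Join both finding lists per resource and rank resources by combined risk."""
    by_resource = defaultdict(lambda: {"config": [], "runtime": []})
    for finding in cspm:
        by_resource[finding["resource"]]["config"].append(finding)
    for finding in cwpp:
        by_resource[finding["resource"]]["runtime"].append(finding)

    ranked = []
    for resource, ctx in by_resource.items():
        public = any(f["public"] for f in ctx["config"])
        config = sum(3 if f["public"] else 1 for f in ctx["config"])
        runtime = sum(SEVERITY_WEIGHT[f["severity"]] for f in ctx["runtime"])
        # Assumed rule: a runtime issue on a publicly exposed resource counts double.
        score = config + runtime * (2 if public else 1)
        ranked.append({
            "resource": resource,
            "score": score,
            "correlated": bool(ctx["config"] and ctx["runtime"]),
            "context": [f["issue"] for f in ctx["config"] + ctx["runtime"]],
        })
    # Highest score first; resource name breaks ties for a stable order.
    return sorted(ranked, key=lambda r: (-r["score"], r["resource"]))


if __name__ == "__main__":
    for row in correlate(CSPM_FINDINGS, CWPP_FINDINGS):
        source = "correlated" if row["correlated"] else "single-source"
        context = "; ".join(row["context"])
        print(f"{row['score']:>3}  {row['resource']:<13} {source:<14} {context}")
```

Six separate warnings collapse into four resources, and the publicly reachable VM that also runs a vulnerable package rises to the top with both findings attached as context.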
CNAPP tools help security teams that are drowning in security alerts by providing context and, thereby, help to triage security issues more effectively.