In the fast-changing world and quick adoption of cloud computing forcing organizations to look at ways to protect cloud hosted applications. It is not just about availability, resilience, scalability, flexibility which is brought by this transformation in technology but it brought with us a greater responsibility towards cloud native application protection platform as well. The question arises now is how to protect and secure your cloud native applications?
In today’s topic we will learn about Cloud Native Application Protection Platform(CNAPP), its purpose, problems it can address, its key components, why do we need CNAPP? its architecture, features and capabilities.
What is Cloud Native Application Protection Platform (CNAPP)
It is a cumulative set of security and compliance capabilities designed to help in securing and protecting cloud native applications across production and development as stated by Gartner. This term is coined by Gartner who recognized the need of securing applications in the cloud ecosystem. CNAPP solutions aim to address configuration and workload security by application scans in runtime. CNAPP is a culmination to automate workload and environment security both. The purpose of CNAPP is to unify and orchestrate 3rd party solutions and architectures to enforce application behaviour in line with developer’s intent.
Cloud Native Platform is combination of Cloud Native, security tools such as code analysis, workload protection and cloud posture management, data sources both logs and telemetry, coding practices such as CI/CD pipeline etc. it is convergence of multiple technologies having combined the existing cloud security solutions – Cloud security posture management (CSPM), cloud workload protection (CWP), Cloud infrastructure entitlement management (CIEM), Kubernetes security posture management (KSPM), API protection, microservices, code repository integration etc.
Why do we need CNAPP?
The shift towards cloud has brought a wide range of new security requirements. Cloud complexity and unpredictable interactions have risen due to the rise of dynamic and ephemeral environments within the cloud. Traditional security approach not able to provide the required coverage to keep up with containerized and ephemeral, serverless environments.
Apart from this the second element is the ‘Application protection’. Earlier focus was more on protection of infrastructure but in cloud the question is ‘How secure is my application?’. There are many ways in which cloud hosted application risks exposure by excessive permissive access rights, unintentional public exposure and more.
Purpose of CNAPP
- Comprehensive protection of application starting from development to runtime
- Real time threat mitigation with continuous monitoring and threat detection
- Containerization of application security to ensure container images do not carry any vulnerabilities
- Microservices communication protection via authentication and encryption
- Complete security of API, guards against injection and data leak attacks
- Audit and reporting capabilities to adhere to compliance requirements
- Protection against access risks with IAM controls implementation
Key Components of CNAPP
CNAPP combines several security solutions into a comprehensive bundle of solution as under:
- Cloud security posture management (CSPM) is used for monitoring, identification, and remediation of misconfigurations in cloud posture of cloud resources, tracking compliance to different controls and frameworks such as CIS, GDPR, NIST etc.
- Cloud Infrastructure Entitlement Management (CIEM) manages permissions and rights
- Cloud workload protection (CWP) is used to identify and alert security threats. It detects and prevents suspicious behaviour in containers at runtime. Protects Linux hosts or VM based workloads by reduction in vulnerability surface with restrictive configurations. Vulnerability detection in container images
- Kubernetes Security Posture Management (KSPM) is used to secure Kubernetes containers. Enforces kubernetes native network policies – segmentation, network traffic visualization etc. validate container compliance to ensure file integrity monitoring.
- Infrastructure as Code Security Scanning (IaC) is used to scan and identify misconfigurations in code during its development and testing.