How Does Gartner Define CNAPP? 

According to Gartner, CNAPP is a security solution that provides consistent visibility and control over all cloud-native applications. It does this by integrating multiple security capabilities into a single platform, including Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), infrastructure-as-code (IaC) scanning, cloud infrastructure entitlement management (CIEM), runtime configuration scanning, and vulnerability scanning. 

Rani Osnat
January 22, 2024

CNAPP is a security solution designed to protect modern applications that are built with cloud native technologies like microservices, containers, and serverless computing. By bringing together a range of security capabilities under one roof, CNAPP can effectively protect cloud native environments in one unified solution.

In this article:

The Rise of CNAPP

Drivers of CNAPP Adoption

The adoption of CNAPPs is being driven by several key factors. First is the recognition that traditional security measures are insufficient for cloud native environments. Old security tools and techniques are incompatible with cloud native technologies, and also can’t keep pace with the speed and scale of modern cloud native applications.

Secondly, there’s the shift towards DevSecOps, a movement that seeks to integrate security into every stage of the software development lifecycle. CNAPP fits well into this paradigm, providing a platform that allows developers, operations teams, and security teams to collaborate more effectively and ensure security is addressed from day one.

Finally, there is a growing understanding that cloud native security tools need to be consolidated and packaged together as one solution. Organizations are deriving value from solutions like CSPM and CWPP, but there is a cost and complexity of integrating and maintaining these disparate tools. CNAPP provides a “one stop shop” for cloud native security needs.

How Many Organizations are Adopting CNAPP?

The adoption of CNAPPs is still in its early stages, but it’s clear that this solution category is on the rise. According to Gartner’s 2023 CNAPP Market Guide, 60% of enterprises will have consolidated cloud workload protection platform (CWPP) and cloud security posture management (CSPM) capabilities to a single vendor, up from 25% in 2022.

Key CNAPP Capabilities 

While different vendors might include different capabilities in their CNAPP offerings, here are the primary security solutions included in a CNAPP:

Cloud Security Posture Management (CSPM)

CSPM helps organizations to maintain a strong security posture by continuously monitoring their cloud environments for potential risks such as misconfigurations and vulnerabilities.

CSPM is particularly valuable for organizations that have a large cloud footprint spread across multiple providers, cloud services, accounts and environments. By providing a unified view of the entire cloud environment, CSPM makes it easier to identify and address potential security issues before they can be exploited.

Artifact Scanning

Artifact scanning is a critical component of CNAPP, which ensures the security of software artifacts, including code, binaries, and dependencies, throughout their lifecycle. This includes:

  • SAST and DAST: Complementary approaches for identifying vulnerabilities in application code. SAST analyzes source code at rest to detect security flaws without executing the program. It’s useful early in the development cycle. DAST tests applications in their running state, simulating external attacks to identify security weaknesses that manifest only in running applications.
  • API Scanning: Involves analyzing API contracts and actual API traffic to detect security vulnerabilities and misconfigurations that could lead to data leaks or unauthorized access.
  • Software Composition Analysis (SCA): Focuses on identifying and managing open-source components within the codebase. It scans dependencies for known vulnerabilities and licensing issues, helping organizations manage the risks associated with third-party code.
  • Exposure Scanning: Assesses the application’s external attack surface. It identifies publicly exposed resources such as databases, storage buckets, and web servers, checking for misconfigurations or unnecessary exposure that could be exploited by attackers.

Infrastructure-as-Code (IaC) Scanning

IaC scanning allows organizations to automatically check the code they use to automatically provision their infrastructure for potential security issues. This makes it possible to catch and fix problems before they make it into production. 

Security vulnerabilities in IaC templates are particularly dangerous because they could impact a large number of cloud resources created from those templates. With IaC scanning integrated into their CNAPP platform, organizations can ensure that their infrastructure is secure from the outset.

Cloud Workload Protection Platform (CWPP)

CWPP is designed to safeguard workloads in the cloud environment. It provides comprehensive protection across all types of workloads, including virtual machines, containers, and serverless workloads.

CWPP offers a range of security capabilities, including vulnerability management, system hardening, monitoring, behavioral analysis, detection and response, and antimalware protection. These features ensure the integrity of workloads, helping businesses prevent breaches and maintain compliance with industry regulations.

Kubernetes Security Posture Management (KSPM)

KSPM is designed to manage and enhance the security posture of Kubernetes, the most popular container orchestration system. Kubernetes is becoming a mainstream platform for running mission critical business applications, so ensuring its security is paramount.

KSPM provides visibility into the security posture of Kubernetes clusters, helping businesses identify and address vulnerabilities and misconfigurations. It offers features like policy enforcement and anomaly detection, which help companies improve their Kubernetes security posture over time.

Cloud Infrastructure Entitlement Management (CIEM)

CIEM manages and monitors access entitlements in the cloud environment, helping businesses prevent unauthorized access and reduce the risk of breaches.

CIEM provides capabilities like identity and access management, role-based access control, and privileged access management. These features ensure that only authorized individuals can access specific resources, adding an extra layer of security to the cloud environment.

Selecting and Implementing CNAPP in Your Organization: Recommendations for Security Leaders

These recommendations are summarized from Gartner’s CNAPP Market Guide.

Initial Planning

  • Develop a DevSecOps strategy that centers on enhancing the developer’s experience, striving to reduce friction and improve risk identification.
  • Build a CNAPP strategy group within the organization that includes members from cloud security, container security, application security, and DevSecOps/development divisions.
  • Evaluate the CI/CD pipeline tools used in your business from a security perspective.
  • Use the CNAPP adoption process to merge vendors, reducing complexity and possibly eliminating redundancies.

Solution Evaluation

  • Establish a cooperative team of developers and security specialists to define and prioritize required functionality.
  • Prioritize CNAPP providers with deep relationship graph analytics, which is vital for understanding connections between different components of cloud native applications.
  • Conduct a functional test run involving actual developers and real-life applications to check if a single-vendor CNAPP solution would satisfy all requirements.

Deployment

  • Initially, focus on applying the CNAPP in cloud native applications where fast development velocity and risk identification are critical.
  • Assign a high level of priority to scanning containers, open source software (OSS) libraries, and dependencies for known risks.
  • Take a practical approach to CNAPP roll-out; consider using agentless snapshots in cases where agents are not viable, to retain some degree of risk visibility.

How to choose a CNAPP: Tips from the experts

Gartner notes that no CNAPP solution has all possible capabilities and is best at every single feature. When looking for a CNAPP and evaluating different solutions, we recommend prioritizing offerings that:

  • Cover the entire application lifecycle: CNAPPs must secure applications across their full lifecycle—starting early in development, spanning the entire DevOps pipeline, and extending protection all the way into production.
  • Have robust runtime controls: CNAPPs are not simply visibility, monitoring, or observability solutions. A CNAPP should provide active protection for running workloads and be able to stop attacks as they happen.
  • Are built for cloud native: CNAPPs must be able to analyze, track, monitor and control different types of cloud native workloads, such as containers, serverless functions, and VMs.
  • Seamlessly integrate with enterprise systems: A CNAPP solution must be embedded into the CI/CD pipeline and deeply integrate with modern DevOps, cloud, and security tooling.
  • Built for enterprise scale: CNAPPs should be able to rapidly scale up and down with the organization needs and growth of the environment they protect.

CNAPP with Aqua Security

Aqua Security enables organizations to unify cloud native application protection and detect, prioritize, and reduce risks across every phase of their software development life cycle.

The Aqua Cloud Native Security Platform is a Cloud Native Application Protection Platform (CNAPP) solution that secures your cloud native applications from day one and protects them in real time. With its fully integrated set of security and compliance capabilities, you can discover, assess, prioritize, and reduce risk in minutes across the full software development life cycle while automating prevention, detection, and response.

Rani Osnat
Rani is the SVP of Strategy at Aqua. Rani has worked in enterprise software companies more than 25 years, spanning project management, product management and marketing, including a decade as VP of marketing for innovative startups in the cyber-security and cloud arenas. Previously Rani was also a management consultant in the London office of Booz & Co. He holds an MBA from INSEAD in Fontainebleau, France. Rani is an avid wine geek, and a slightly less avid painter and electronic music composer.