What is a Cloud Native Application Protection Platform (CNAPP)? 

A Cloud Native Application Protection Platform (CNAPP) is an integrated cloud security model that takes a lifecycle approach, protecting both hosts and workloads in truly cloud-native application development environments. These environments have their own unique demands and challenges, so it is no surprise that a new category of security product has emerged to address them.

Gartner introduced CNAPP as an official cloud security category in 2021, stating at the time: "Optimal security of cloud-native applications requires an integrated approach that begins in development and extends to runtime." DevOps organizations building applications in ephemeral environments such as the cloud need complete, real-time visibility into the process so that misconfigurations or vulnerabilities are caught as they appear. Many treat CNAPP security as synonymous with shifting left and integrating security as tightly as possible into the development lifecycle.

By considering end-to-end application security in the cloud, organizations can begin to realize benefits such as deeper defense and more frequent access to workloads. A CNAPP also features significant automation capabilities, which, if calibrated correctly, can vastly improve the efficiency of cloud admins. Previously siloed application security approaches are unified in a CNAPP, raising the bar for vendors selling next-generation application security solutions and tools.

Key Components of CNAPP

Breaking out the components and capabilities of a CNAPP solution can be a moving target, but Gartner does have minimum requirements a solution must meet. Below, let’s look at some of the core capabilities that define those requirements:

Cloud Security Posture Management (CSPM)

A CSPM solution is one that identifies and remediates threats in an enterprise cloud environment. It uses automation to handle security risks as quickly as possible, working in concert with developers and IT security teams. Other critical functions of CSPM include security risk assessment, incident response, and DevOps integration. CSPM solutions are compatible with hybrid and containerized cloud environments, but are most effective when used in multi-cloud environments. It is here that they can provide unparalleled visibility into an organization's cloud assets and their respective configurations.

Cloud Workload Protection Platform (CWPP)

A CWPP solution must provide the ability to manage any workload currently deployed on the company's cloud platforms. Development organizations are able to integrate CWPPs into the automated processes in their CI/CD pipeline, typically as part of the build process. This approach is becoming increasingly common in organizations that follow DevOps or DevSecOps methodologies. Any CWPP must seamlessly integrate with other parts of the enterprise SecOps infrastructure, and in doing so it enhances the capabilities of the security operations center (SOC), helping it detect and analyze complex cloud-based cyberattacks more effectively.

Cloud Infrastructure Entitlement Management (CIEM)

A CIEM solution is identity-centric and focused on managing cloud access risk. CIEM uses administration-time controls to manage entitlements and data governance in hybrid and multi-cloud IaaS architectures. These tools handle identity governance for dynamic cloud environments, typically following the least privilege principle: users and entities can access only what they need, at the right time and for the right reason.

Container Security 

Container security is the practice of implementing mechanisms and processes to protect containerized applications and workloads on platforms such as Kubernetes. In today's cloud environments, it is critical to have maximum visibility into aspects such as container host locations, identifying running or stopped containers, spotting container hosts not in compliance with CIS benchmarks, and performing vulnerability assessments. Container security should be implemented as early as possible in the CI/CD pipeline to expose application risk sooner and reduce friction in the development process as much as possible.

Infrastructure as Code (IaC) Security 

Infrastructure as code (IaC) is the practice of using code (in the form of prebuilt templates) to provision the infrastructure resources needed to support cloud-based applications. Developers can leverage this highly reproducible practice to write, test, and release code that will create the infrastructure on which applications run. Securing that process is critical: the later in the application-development process security controls are implemented, the more likely a misconfiguration or vulnerability exploitable by an attacker will slip through.
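As an added example of the kind of pre-deployment check the IaC and CIEM sections describe (this is not code from the original page or from any vendor's product), the script below scans a constructed CloudFormation-style template for a public bucket ACL and a wildcard IAM statement; the resource and policy names are made up.

```python
import json

# Constructed sample: a CloudFormation-style JSON template with one public
# bucket ACL, one private bucket, and one wildcard IAM policy. Not real.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "PublicBucket": {"Type": "AWS::S3::Bucket",
                         "Properties": {"AccessControl": "PublicRead"}},
        "PrivateBucket": {"Type": "AWS::S3::Bucket",
                          "Properties": {"AccessControl": "Private"}},
        "AdminRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{
            "PolicyName": "too-broad",
            "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    }
})

# S3 canned ACLs that grant access beyond the bucket owner's account.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def check_template(template_json):
    """Return (resource name, finding) pairs for the weak settings above."""
    findings = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket" and \
                props.get("AccessControl") in PUBLIC_ACLS:
            findings.append((name, "S3 bucket ACL grants public access"))
        if res.get("Type") in ("AWS::IAM::Role", "AWS::IAM::Policy"):
            # A Role keeps inline policies in "Policies"; a Policy resource
            # carries its PolicyDocument directly in Properties.
            for pol in props.get("Policies", [props]):
                doc = pol.get("PolicyDocument", {})
                for st in _as_list(doc.get("Statement", [])):
                    if st.get("Effect") == "Allow" \
                            and "*" in _as_list(st.get("Action")) \
                            and "*" in _as_list(st.get("Resource")):
                        findings.append((name, "IAM statement allows all "
                                               "actions on all resources"))
    return findings


if __name__ == "__main__":
    for resource, msg in check_template(SAMPLE_TEMPLATE):
        print(f"{resource}: {msg}")
```

Running the same check in the CI/CD pipeline, before the template is applied, is what turns a runtime misconfiguration into a failed build.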

In a recent market guide for CNAPP, Gartner outlined a more exhaustive and categorized list of core, recommended, and optional capabilities.

What Problems Does a CNAPP Solve? 

A CNAPP solves problems like visibility across the complete application lifecycle, cloud risk management challenges, and prioritization of detected vulnerabilities. Let's take a look at some specific use cases: 

Enhanced visibility and quantifying risks 

Visibility across the entire development lifecycle has always been one of the most critical challenges facing security teams. That is why it is so important to shift security left as much as possible, so that errors are caught early in the process and before deployment. Post-deployment and runtime should not be forgotten from a visibility standpoint, which is why it's important for a CNAPP vendor to place emphasis on the entire lifecycle. Without the enhanced visibility a CNAPP can provide, quantifying and prioritizing risk is difficult.

Integrated cloud security solution

The magic solution would be one in which all issues were caught in the development process, aided by total visibility and contextual prioritization. No CNAPP offering will be able to do this perfectly, 100% of the time. But a good vendor should be able to deliver a solution that keeps pace with DevOps' goals for rapid cloud growth, tailoring security around developers without continually disrupting the process.

Secure software development 

Gartner states: "CNAPPs improve the developer experience by reducing false positives and noise, integrating as seamlessly and transparently as possible into their native development toolsets, risk-prioritizing their remediation efforts, and providing specific remediation guidance to address identified risks." The idea here is to complement the development process rather than detract from speed, which is one of the main drivers of cloud adoption. It's just as important for SecOps to understand the development environment, identifying key areas where vulnerability scanning can be moved earlier into the process.

CNAPP Benefits 

A CNAPP solution can provide a more holistic picture of risk in the application development process. Its capabilities are expansive, but shouldn’t be overstated. As mentioned above, there isn’t a magic solution, but a capable CNAPP platform should be able to provide the following benefits:

Cost savings and simplification 

Reducing complexity isn't a concept limited to the cybersecurity space. The speed of innovation, however, requires continually retiring outdated and legacy solutions that no longer have real impact and may be costing the company money. Prospective CNAPP customers increasingly want to simplify operations by consolidating security into a single vendor's solution, which can bundle offerings, save the customer money, and provide complete lifecycle visibility.

Comprehensive coverage 

At its best, a CNAPP solution should be a comprehensive approach to cloud security, covering both the technology the vendor provides and the practices practitioners carry out, that simplifies end-to-end monitoring and remediation of risk across large, complex cloud environments. Dispersed services, to a large extent, can become a thing of the past when we look at CNAPP solutions capable of simplifying security for microservices-based architectures.

Keeping pace with developers

We covered a bit of this above, but truly partnering with the DevOps organization to ensure that security is an organic part of the development lifecycle is the best way to reduce risk in that process. To that end, a CNAPP can leverage advanced analytics to obtain greater visibility into risk, enabling security practitioners to better understand where to look and how to get there faster. This can help create a DevSecOps culture of faster remediation and prioritization.

Security guardrails 

A CNAPP can help provide guardrails for the development process, which also aids the organic integration of security. In this way, developers can go as fast as they want, automating, building, and deploying, as long as it's within the constraints of the security guardrails tailored to the environment. Leveraging this framework, innovation and speed need not be overly constrained; they can become real assets for developers.