CNAPP helps companies replace multiple security tools with a single system.

February 28, 2022

5 Min Read
Positioning Cloud-Native Application Protection to Clients
Shutterstock

By Coletta Vigh

Vigh-Coletta_Check-Point-author-150x150.jpg

Coletta Vigh

Gartner popularized the cloud-native application protection platform (CNAPP) with the release of its Innovation Insight for Cloud-Native Application Protection Platforms report. But CNAPP isn’t just the next shiny new security object; it’s a platform intended to replace multiple tools with a single holistic security solution for enterprises with cloud-native workloads.

Gartner saw a need for enterprises to consolidate security and tooling platforms. In this light, CNAPP is a straightforward evolution not only for DevSecOps but also “shift left” security — and it represents an opportunity for channel partners like you to help improve your clients’ approach to security and compliance.

Why Implement CNAPP?

Disjointed solutions inherently have complex integration requirements and gaps in visibility. This often means more work for your clients’ DevSecOps teams, lower observability across enterprise workloads and inconsistent application of security parameters. By advising your clients to use CNAPP, they will gain the following security benefits:

  • “Cloud-native” security: Traditional solutions designed for “castle-and-moat” networks aren’t ideal for enterprises with cloud-native workloads. By integrating with continuous integration/continuous delivery (CI/CD) pipelines and providing protection across public and private clouds and on-premises data centers, CNAPP is built with “cloud-native” infrastructure – including containers and serverless security – in mind.

  • Improved visibility: Many security scanning, monitoring and observability tools are available for cloud-native workloads, but CNAPP has the unique ability to contextualize information, providing end-to-end visibility across an enterprise’s application infrastructure. Delivering granular detail on configurations, technology stacks and identities, CNAPP can prioritize alerts that pose the most risk.

  • Tighter controls: Misconfigurations of secrets, cloud workloads, containers or Kubernetes (K8s) clusters are common risks facing enterprise applications. CNAPP enables enterprises to proactively scan, detect and quickly remediate these security and compliance risks.

The Key Components of Cloud-Native Application Protection

At a high level, there are three key components of CNAPP:

  • Cloud Security Posture Management (CSPM)

  • Cloud Service Network Security (CSNS)

  • Cloud Workload Protection Platform (CWPP)

CSPM: Visualizations and Security Assessment

Cloud Security Posture Management (CSPM) enables enterprises to automate the detection and remediation of security risks using security assessments and automated compliance monitoring. CSPMs can also detect misconfigurations that can lead to data breaches. Further, CSPMs provide deep cloud visibility by helping enterprises classify and inventory assets across as-a-service platforms.

CSNS: Security for Cloud-Native Networks

Cloud Service Network Security (CSNS) is a vital aspect of overall cloud-native security and true CNAPP solutions. CSNS provides cloud network security functions designed for the dynamic network perimeters common with cloud-native workloads. CSNS provides granular segmentation and protects both …

… north-south and east-west traffic. Common examples of CSNS functions include:

  • Next-generation firewall (NGFW)

  • Load balancers

  • Denial of Service (DoS) protection

  • Web application and API protection (WAAP)

  • SSL/TLS inspection

CWPP: Modern threat protection for workloads

Cloud Workload Protection Platform (CWPP) solutions deal with protecting workloads deployed across public, private and hybrid clouds. CWPP makes it possible for enterprises to shift security left and integrate security solutions continuously throughout the application development life cycle. CWPP solutions discover workloads within an enterprise’s cloud and on-premises infrastructure, then scan them to detect security issues and provide options to address the vulnerabilities. Additionally, CWPPs provide security functions for workloads such as runtime protection, network segmentation and malware detection.

Integration Sets CNAPP Apart

While many cloud-native security tools exist, CNAPP is unique because it integrates end-to-end cloud-native security across all enterprise workloads. Here are a few of the security functions CNAPP may provide from “code” to “deploy” across a CI/CD pipeline:

  • Code and commit: Infrastructure-as-code (IaC) scanning (a CSPM function) and third-party library scans (a CWPP function)

  • Build: Container image assurance (CWPP)

  • Deployment and beyond: Kubernetes runtime assurance and virtual machine protection (CWPP), posture management and entity behavior analytics (CSPM), and API protection and automated micro-segmentation (CSNS)

Performing these functions in a holistic platform removes friction from DevSecOps processes, enables insights with context and improves overall security posture.

What to Look For in a CNAPP Solution

When recommending a CNAPP strategy for your clients, there are a few vendors that provide many cloud-native security functions to tick most or all of the CNAPP boxes. The strength of security and the breadth of components should be key considerations, depending on your organization’s needs.

  • CSPM: Look for a solution that combines automated remediation with cloud-native security posture management and account-level threat detection across multicloud environments. Offerings that automatically detect misconfiguration, enforce security policies and compliance frameworks, and visualize their overall security posture will deliver a more effective CNAPP implementation.

  • CSNS: Consider solutions that work across multicloud, hybrid and on-premises environments, ideally with a single control center to eliminate security gaps. Enterprises should be able to macro- and micro-segment their assets across cloud providers and on-premises infrastructure with advanced features such as DoS protection, NGFW, API protection, and SSL/TLS inspection.

  • CWPP: Solutions should integrate with CI/CD pipelines, implementing source code and IaC scanning and protecting workloads running on virtual machines, containers and serverless platforms.

  • WAAP (web application and API protection): Again, automation is the crux of effective implementation for application and API security; enterprises shouldn’t manually modify security rules when applications are updated. Instead of a rule-based security approach, look for solutions with contextualized AI analysis to deliver precise and up-to-date threat protection without constant human intervention.

  • Intelligence, visibility and reporting: Consider solutions featuring intrusion detection, threat hunting, anomaly detection and remediation. Enterprises often need security context, correlating information from cloud inventory and configuration, account activity, network traffic logs and additional threat feeds, such as threat, IP reputation and geo databases to portray a complete and accurate picture.

As Gartner continues to recommend consolidating a spaghetti tangle of single-purpose cloud security tools into a holistic platform, channel partners have a great opportunity to build trust and provide expertise to their customers. A quality CNAPP experience combines effective posture management, network security, workload protection and tightly integrating with cloud providers’ services. This kind of offering is an effective way to provide customer value as a trusted partner in the areas of both cloud and security.

Coletta Vigh is head of worldwide channel strategy at Check Point Software Technologies, where she drives channel enablement around managed security and cloud security initiatives. Her diverse experience across channel functions helps her design a cohesive strategy and deliver scalable programs for the partner ecosystem. You may follow her on LinkedIn or @CheckPointSW on Twitter.

Read more about:

MSPsVARs/SIs
Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like