If your company develops cloud-native applications—especially if they reside in a hybrid or multicloud environment—security is probably high on your list of priorities. These applications and environments are characteristically complex, with a multitude of moving parts (microservices, APIs, Kubernetes clusters, and more), each of which can present an attack surface. There are often layers of abstraction, such as AWS Lambda, which may free you from some management tasks but simultaneously obscure visibility. You may be using open source software (OSS) components, which can heighten supply-chain security risks (more on this later). The rapid pace of development and accompanying deadline pressure may leave little time for rigorous security testing.
All of these factors heighten the need for end-to-end, automated cloud-native security that covers the entire software-development lifecycle, from development through deployment to production, and across multiple clouds.
That said, choosing the solution that's appropriate for you and your environment is anything but straightforward. The market is replete with cloud-native security solutions. How do you know which one is right for you? Adding to the confusion is the proliferation of buzzwords and acronyms that imply standardization (but are often more arbitrary than precise).
For example, in 2021, the analyst firm Gartner published a report that popularized the term Cloud-Native Application Protection Platform, or CNAPP (I'll go deeper into its definition a little later in this blog). You'd think that all CNAPP solutions would have the same (or at least very similar) features and capabilities. But this is not necessarily true. For example, Palo Alto Networks' Prisma Cloud only provides data classification, malware scanning, and data governance for Amazon Web Services. Ermetic's CNAPP does not include a threat-intelligence feed. Cyscale has no cloud infrastructure entitlement management (CIEM) module. Some products provide more comprehensive compliance features. Most (but not all) provide both agents and agentless scanning features. And yet all of them are marketed as CNAPPs.
The bottom line is that regardless of how they are labeled, you'll have to dig deeper than a product's classification to determine whether it will meet your needs. To help you get started, the following is a list of the most common cloud-native security product acronyms (in alphabetical order) and what they mean.
CASB: cloud access security broker
CASBs let you set policies for both managed and unmanaged cloud services. For example, they may be set to allow access to a suite of business tools but to block unauthorized software that could present a threat. They are also useful in ensuring compliance (for HIPAA, PCI, and so on), since they can enforce data-handling policies such as encryption and data-loss prevention on what flows to and from cloud services. The basic checklist for a CASB solution is that it provides visibility, data security, threat prevention, and compliance, and that it protects against shadow IT. CASBs were conceived to protect proprietary data stored in the cloud, and they provide policy and governance across multiple clouds.
CIEM: cloud infrastructure entitlement management
CIEMs are automated cloud security solutions that help protect against data breaches in public cloud environments. They continuously monitor the permissions and activities of identities (human users, service accounts, and roles) to check that the access each one holds is appropriate. CIEM tools provide comprehensive reporting, help with access management, and strengthen cloud-security posture. With a CIEM, an organization can monitor usage and entitlement data in real time, detect high-risk changes, mitigate threats, and right-size permissions, typically by comparing what an identity is entitled to do with what it has actually done over a review window and trimming the difference.
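The entitlement-versus-usage comparison described above is the core CIEM technique, so here it is as an added example (not code from the original post or from any product mentioned). The action catalogue, the entitlements, the activity log, and the set of "high-risk" actions are all constructed sample data; a real tool would pull the catalogue from the provider, the entitlements from IAM, and the activity from audit logs such as CloudTrail.

```python
"""Added example: an entitlement-versus-usage check of the kind a CIEM performs.
All principals, actions, weights and log entries are constructed sample data."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed action catalogue: a handful of AWS-style action names used only as sample data.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]

# Actions treated as high risk (privilege escalation or destructive): an assumption for this example.
HIGH_RISK_ACTIONS = {"iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole", "ec2:TerminateInstances"}

# Constructed entitlements: principal -> allowed action patterns, with IAM-style wildcards.
ENTITLEMENTS = {
    "role/app-backend": ["s3:GetObject", "s3:PutObject", "ec2:Describe*"],
    "role/ci-deployer": ["*"],
    "user/alice":       ["s3:*", "iam:PassRole"],
}

# Constructed activity for the review window: (principal, action actually invoked).
ACTIVITY_LOG = [
    ("role/app-backend", "s3:GetObject"),
    ("role/app-backend", "s3:GetObject"),
    ("role/app-backend", "ec2:DescribeInstances"),
    ("role/ci-deployer", "ec2:RunInstances"),
    ("role/ci-deployer", "s3:PutObject"),
    ("user/alice",       "s3:ListBucket"),
    # Used but not granted by the inventory above: the permission came from a source this
    # inventory does not cover (a group or a resource policy), which is itself a finding.
    ("user/alice",       "iam:CreateUser"),
]


def expand(patterns, catalog=ACTION_CATALOG):
    """Resolve wildcard patterns to the concrete actions they grant."""
    return {a for a in catalog if any(fnmatchcase(a, p) for p in patterns)}


def used_actions(log):
    """Group invoked actions by principal."""
    used = defaultdict(set)
    for principal, action in log:
        used[principal].add(action)
    return used


def analyze(entitlements=ENTITLEMENTS, log=ACTIVITY_LOG):
    """Per principal: what is granted, what was used, and the gap in both directions."""
    used = used_actions(log)
    report = {}
    for principal, patterns in entitlements.items():
        granted = expand(patterns)
        u = used.get(principal, set())
        unused = granted - u
        report[principal] = {
            # "*" or "service:*" grants are the usual source of over-privilege.
            "service_wide_grant": any(p == "*" or p.endswith(":*") for p in patterns),
            "granted": granted,
            "used": u,
            "unused": unused,
            "high_risk_unused": unused & HIGH_RISK_ACTIONS,
            "used_not_granted": u - granted,
            # Right-sized policy: only the granted actions the principal actually invoked.
            "least_privilege": sorted(u & granted),
        }
    return report


def risk_score(entry):
    """Crude ordering with assumed weights: service-wide grants and unused high-risk actions dominate."""
    return 10 * entry["service_wide_grant"] + 5 * len(entry["high_risk_unused"]) + len(entry["unused"])


def prioritized(report):
    """Principals ordered from most to least over-privileged."""
    return sorted(report, key=lambda p: risk_score(report[p]), reverse=True)


if __name__ == "__main__":
    for principal in prioritized(analyze()):
        entry = analyze()[principal]
        print(principal, "score", risk_score(entry), "suggested policy", entry["least_privilege"])
```

Two caveats a practitioner should keep in mind: a short review window under-reports actions that run rarely (quarterly jobs, disaster-recovery paths), so the least-privilege suggestion is a starting point for review rather than something to apply blindly; and the `used_not_granted` bucket is the one to chase first, because it means the inventory of entitlements is incomplete.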
CNAPP: cloud-native application protection platforms
Here's how Gartner's "Market Guide for Cloud-Native Application Protection Platforms" defines and describes a CNAPP: "Cloud-native application protection platforms (CNAPPs) are a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production. CNAPPs consolidate a large number of previously siloed capabilities, including container scanning, cloud security posture management, infrastructure as code scanning, cloud infrastructure entitlement management, runtime cloud workload protection and runtime vulnerability/configuration scanning."
The analyst firm goes on to say that these offerings typically integrate into runtime cloud environments and development pipeline tools and that they include cloud security posture management (CSPM) capabilities, offer software composition analysis (SCA), and container scanning. Lastly, it notes that CNAPPs may include API testing and monitoring, static application security testing (SAST), dynamic application security testing (DAST), and runtime web application and API protection.
CSPM: cloud-security posture management
The National Institute of Standards and Technology defines security posture as the "status of an enterprise's networks, information, and systems based on information security resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes." CSPM tools continuously manage infrastructure as a service (IaaS), software as a service (SaaS), and platform as a service (PaaS) security posture through prevention, detection, and response to cloud infrastructure risks; in practice that means evaluating the configuration of cloud resources (storage, networking, identity, logging) against a set of rules. Gartner specifies that these tools should apply common frameworks, enterprise policies, and regulatory requirements to "proactively and reactively discover and assess risk/trust of cloud services configuration and security settings." It also proposes that CSPM should provide for automated or human-driven remediation of identified issues.
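To make the rule-evaluation idea concrete, here is an added example (not code from the original post or from any CSPM product) that checks two constructed resource configurations against a few posture rules and returns findings with a severity and a remediation hint. The resource shapes, rule names and severities are assumptions for the example; the weak configuration and its corrected form are shown side by side so you can see the evaluator go from four findings to none.

```python
"""Added example: CSPM-style posture checks over constructed resource configurations.
Resource shapes, rule names, severities and remediation text are assumptions for the example."""
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}            # SSH and RDP: never exposed to the whole internet
ANY_CIDRS = {"0.0.0.0/0", "::/0"}   # "anyone" in IPv4 and IPv6


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str
    remediation: str


def check_bucket(b):
    """Rules for an object-storage bucket: public exposure, encryption at rest, access logging."""
    findings = []
    if b.get("public_access", False):
        findings.append(Finding(b["name"], "storage-public-access", "high",
                                "Block public access and serve objects through an authenticated front end."))
    if not b.get("encryption", {}).get("enabled", False):
        findings.append(Finding(b["name"], "storage-unencrypted", "medium",
                                "Enable server-side encryption with a customer-managed key."))
    if not b.get("access_logging", False):
        findings.append(Finding(b["name"], "storage-no-logging", "low",
                                "Enable access logging to a separate, append-only log bucket."))
    return findings


def check_security_group(sg):
    """Rule for a network security group: administrative ports must not be open to the world."""
    findings = []
    for rule in sg.get("ingress", []):
        if rule["cidr"] in ANY_CIDRS and rule["port"] in ADMIN_PORTS:
            findings.append(Finding(sg["name"], "network-admin-port-open-to-world", "high",
                                    f"Restrict port {rule['port']} to a bastion or VPN range, "
                                    "or replace direct access with a brokered session service."))
    return findings


CHECKS = {"storage_bucket": check_bucket, "security_group": check_security_group}


def evaluate(resources):
    """Run every applicable rule over every resource and collect the findings."""
    findings = []
    for r in resources:
        findings.extend(CHECKS[r["type"]](r))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' for a clean evaluation."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in findings), key=order.get, default="none")


# Constructed weak configuration: public, unencrypted, unlogged bucket and SSH open to the world.
WEAK = [
    {"type": "storage_bucket", "name": "customer-exports", "public_access": True,
     "encryption": {"enabled": False}, "access_logging": False},
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
]

# The same resources after remediation; 443 stays open because that is the service's purpose.
HARDENED = [
    {"type": "storage_bucket", "name": "customer-exports", "public_access": False,
     "encryption": {"enabled": True, "kms_key": "example-key-id"}, "access_logging": True},
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
]


if __name__ == "__main__":
    for label, resources in (("weak", WEAK), ("hardened", HARDENED)):
        found = evaluate(resources)
        print(label, worst_severity(found), [(f.resource, f.rule) for f in found])
```

The same rule functions can run in two places: against live configuration pulled from the provider API (the "reactive" discovery Gartner describes) and against IaC templates before they are applied (the "proactive" side), which is why CSPM and IaC scanning are so often bundled.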
CWPP: cloud workload protection platform
Where CSPMs assess the configuration of the cloud control plane, CWPPs focus on protecting the server workloads themselves in hybrid, multicloud data center environments. They provide visibility for all workloads, whether they reside on physical machines, VMs, or containers, or are serverless. Gartner (which, as you can see, has defined most of these security terms) says "CWPP offerings protect workloads using a combination of system integrity protection, application control, behavioral monitoring, intrusion prevention and optional anti-malware protection at runtime. CWPP offerings should also include scanning for workload risk proactively in the development pipeline." If your organization runs workloads on IaaS or PaaS, a CWPP can protect the applications running on those platforms, and if your infrastructure spans multiple cloud providers or mixes cloud and on-premises resources, it can give you unified security management across those environments.
SCA: software composition analysis
While SCA is not specific to cloud-native software, I'm including it here because Gartner mentions it in its CNAPP definition. SCA is a methodology for keeping track of OSS components. Although OSS is not inherently insecure, these components are usually not authored in-house, making it hard to know whether a library is sustainably maintained. For example, if a security problem arises, how quickly will it be fixed? How quickly are problems disclosed? SCA lets dev teams track and analyze open source components, discover their supporting libraries, and identify their direct and indirect dependencies (including dependencies that are deprecated, carry known vulnerabilities, or have public exploits). Once the tool has scanned and inventoried these, it generates a software bill of materials (SBOM), which is a critical tool in conducting audits, providing transparency and visibility into the software supply chain, and enabling organizations to understand the various open-source and third-party components incorporated into their software. When CVEs are discovered, an SBOM makes it faster to recognize where the affected component is used in an application (including when it is pulled in only transitively), so security teams can quickly apply patches. An SBOM is only as accurate as the build it describes, so it should be regenerated on every build rather than maintained by hand.
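Here is an added example (not code from the original post or from any SCA product) of the two steps just described: building a minimal SBOM in the CycloneDX JSON shape from a resolved dependency graph, and then answering "where is the vulnerable component used?" by walking the SBOM's dependency edges back to the application. The package graph, the versions, and the advisory (including its identifier and affected range) are constructed sample data, and the version comparison is a deliberately simple numeric one; real tools use a proper version-specifier library.

```python
"""Added example: minimal CycloneDX-shaped SBOM generation plus advisory matching over its
dependency graph. Every package, version and the advisory below is constructed sample data."""
import json

# Constructed resolved dependency graph: package -> (version, direct dependencies).
RESOLVED = {
    "app":        ("1.0.0",     ["requests", "flask"]),
    "requests":   ("2.28.0",    ["urllib3", "certifi"]),
    "urllib3":    ("1.26.5",    []),
    "certifi":    ("2022.12.7", []),
    "flask":      ("2.2.0",     ["werkzeug", "jinja2"]),
    "werkzeug":   ("2.2.0",     []),
    "jinja2":     ("2.11.3",    ["markupsafe"]),
    "markupsafe": ("2.1.1",     []),
}

# Constructed advisory in the OSV-like "introduced (inclusive) / fixed (exclusive)" range style.
ADVISORY = {
    "id": "EXAMPLE-2023-0001",   # hypothetical identifier, not a real CVE
    "package": "urllib3",
    "ranges": [{"introduced": "0", "fixed": "1.26.18"}],
}


def purl(name, version):
    """Package URL for a PyPI package; the purl scheme is what SBOM tools use as a stable key."""
    return f"pkg:pypi/{name}@{version}"


def build_sbom(resolved, root="app"):
    """Produce a CycloneDX 1.5-shaped document: the root application, components, and edges."""
    rv, _ = resolved[root]
    components = [
        {"type": "library", "name": n, "version": v, "purl": purl(n, v)}
        for n, (v, _) in resolved.items() if n != root
    ]
    dependencies = [
        {"ref": purl(n, v), "dependsOn": [purl(d, resolved[d][0]) for d in deps]}
        for n, (v, deps) in resolved.items()
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": root,
                                   "version": rv, "purl": purl(root, rv)}},
        "components": components,
        "dependencies": dependencies,
    }


def version_key(v):
    """Numeric dotted versions only (simplification for the example)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, advisory):
    key = version_key(version)
    return any(version_key(r["introduced"]) <= key < version_key(r["fixed"])
               for r in advisory["ranges"])


def affected_paths(sbom, advisory):
    """Every dependency path from the application to a component matching the advisory."""
    edges = {d["ref"]: d["dependsOn"] for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["purl"]
    hits = []

    def walk(ref, path):
        name, version = ref.rsplit("/", 1)[1].split("@", 1)
        if ref != root and name == advisory["package"] and is_affected(version, advisory):
            hits.append([p.rsplit("/", 1)[1] for p in path])
        for child in edges.get(ref, []):
            if child not in path:   # guard against cycles in the graph
                walk(child, path + [child])

    walk(root, [root])
    return hits


if __name__ == "__main__":
    sbom = build_sbom(RESOLVED)
    print(json.dumps(sbom, indent=2))
    for path in affected_paths(sbom, ADVISORY):
        print(ADVISORY["id"], "reachable via", " -> ".join(path))
```

The returned path tells the team which direct dependency to bump (here `requests`, since `urllib3` is not pinned by the application itself), which is the answer the paragraph above is after: not just "is it in the build?" but "through what is it in the build?"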
A rose by any other name
Acronyms and buzzwords aside, the important thing for cloud-native security is to have end-to-end lifecycle protection for cloud-native application environments that covers every stage and element, from development to deployment to production. You need a tool that can identify risks, help prioritize alerts (attack-path analysis, which weighs a finding by whether an attacker could actually reach and exploit it, is one effective way to do this), and drive remediation.
Here are some elements to look for:
- Code and CI/CD security
- The ability to scan IaC templates and scripts for security risks
- SBOM generation
- Deep visibility, including alerts with detailed context to assist with root-cause analysis and remediation
- Scanning for containers, APIs, serverless functions, and Kubernetes workloads
- Attack-path analysis
- An intuitive dashboard to visualize clusters and multicloud environments
If you'd like to try out the functionality I've covered in this article, consider Outshift's Panoptica. You can use its free tier to protect 15 nodes and one Kubernetes cluster (forever!)—no credit card required. You can also check out the OSS projects that underpin Panoptica in the OpenClarity umbrella of tools.