Over the last several years, targeted, “boutique” cloud security solutions have consolidated into one-stop shops, known as Cloud-Native Application Protection Platforms (CNAPPs).
This blog discusses the evolution of the CNAPP and its predecessors:
- Cloud Access Security Broker (CASB)
- Cloud Workload Protection Platform (CWPP)
- Cloud Security Posture Management (CSPM)
- Cloud Infrastructure Entitlement Management (CIEM)
We’ll then explore what’s missing in the broader cybersecurity landscape – Application Security Posture Management (ASPM).
Cloud Access Security Broker (CASB)
The aptly named CASB is the “broker” or middleware between cloud service consumers and cloud service providers. CASBs consolidate enterprise security policies and enforce them as cloud-based resources are accessed. CASBs can be deployed through proxies (reverse or forward) or APIs. Per Gartner, the four main functions of a CASB are:
- Data security
- Threat protection
CASBs can consolidate multiple types of security policy enforcement, including API authentication, SSO, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, and malware detection/prevention.
- Complexity. Both proxy and API deployments are complex and require expertise to administer.
- Cost. In addition to the salary of the expert who administers a CASB, organizations will incur licensing costs, which typically include per-user and per-application fees. As the number of applications organizations use continues to rise, so does the cost of CASBs.
- Limited visibility. CASBs can help secure SaaS, but can’t secure IaaS or PaaS.
- Performance. CASBs require log collectors, proxy auto-configs, and other components that can slow network performance.
Sample CASB Vendors
Cloud Workload Protection Platform (CWPP)
CWPPs protect workloads across modern hybrid, multi-cloud, and on-prem environments. CWPPs scan for known vulnerabilities at runtime to protect workloads from attacks.
Typically, CWPPs use a combination of system integrity protection, identity-based microsegmentation, application control, memory protection, behavior monitoring, host-based intrusion prevention, and optional anti-malware protection.
For example, if a CWPP detects a vulnerable component, it can use micro-segmentation to isolate and protect the affected workloads using automated policies.
CWPPs offer consistent visibility into workloads regardless of the environment. This is particularly advantageous for companies transitioning to the cloud or continuing with hybrid environments. Another key benefit of CWPP is that it covers runtime, something that other tools under the CNAPP umbrella lack.
Many CWPPs use agents, which teams must install and administer. Furthermore, agents can slow network performance and can be intrusive to the services they are trying to protect.
Sample CWPP Vendors/Products
- CrowdStrike (Falcon Platform)
- SentinelOne (Cloud Workload Protection, Container Protection)
- Sysdig (Sysdig Secure)
Cloud Security Posture Management (CSPM)
Per Gartner, CSPM is “a continuous process of cloud security improvement and adaptation to reduce the likelihood of a successful attack.” It is focused on finding, fixing, and ultimately preventing cloud misconfigurations, which continue to be the leading cause of data breaches.
For example, if a developer provisions a cloud storage service, like an AWS S3 bucket, but doesn’t limit access or permissions, anyone with an AWS account and an internet connection could access the S3 bucket and the data stored within it.
CSPM helps organizations provision cloud infrastructure and services while greatly reducing the likelihood of cloud misconfiguration. CSPMs provide visibility into an organization’s presence across cloud service providers. They are particularly valuable because they enforce standard policies across CSPs, which makes them instrumental in complying with regulations (GDPR, HIPAA, PCI DSS, etc.) and adhering to best practices and frameworks (NIST, ISO, etc.).
While CSPMs help secure the cloud infrastructure on which applications run, they do not apply security at the operating system, application, or data levels.
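As an added illustration of the S3 misconfiguration described above (this is example code written for this page, not a Bionic tool or any vendor's CSPM), the script below performs the kind of check a CSPM runs against a bucket: it parses a bucket policy, flags Allow statements whose Principal is "*" without a condition that scopes the caller, and combines that with the bucket's Public Access Block setting. The three policies, the bucket name, the account ID, the role name and the organization ID are constructed sample values.

```python
import json

# Constructed sample policies (not from the post). The first is the
# misconfiguration the text describes: anyone on the internet can read the
# bucket. The second scopes the grant to one IAM role. The third keeps a "*"
# principal but fences it with an organization-ID condition.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

ORG_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OrgRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
})

# Condition keys that tie a wildcard principal to a known org, account, VPC
# endpoint or caller instead of the whole internet.
RESTRICTING_CONDITION_KEYS = {
    "aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn",
    "aws:SourceVpce", "aws:SourceVpc", "aws:SourceArn", "aws:SourceAccount",
}


def _is_wildcard_principal(principal):
    """True when Principal grants to anyone: "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _has_restricting_condition(statement):
    """True when any condition operator references a key that narrows the caller."""
    for operator_values in statement.get("Condition", {}).values():
        if isinstance(operator_values, dict) and RESTRICTING_CONDITION_KEYS & set(operator_values):
            return True
    return False


def find_public_statements(policy_json):
    """Return the Sids of Allow statements that expose the bucket to anonymous callers."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear unwrapped
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if _has_restricting_condition(stmt):
            continue
        findings.append(stmt.get("Sid", f"statement-{index}"))
    return findings


def evaluate_bucket(policy_json, public_access_block):
    """Combine the policy check with the bucket's Public Access Block settings.

    public_access_block mirrors the S3 PublicAccessBlockConfiguration keys;
    RestrictPublicBuckets=true makes a public policy ineffective for anonymous callers,
    so the finding is downgraded to "blocked" rather than cleared.
    """
    public_sids = find_public_statements(policy_json)
    if not public_sids:
        return {"status": "ok", "public_statements": []}
    if public_access_block.get("RestrictPublicBuckets"):
        return {"status": "blocked", "public_statements": public_sids}
    return {"status": "public", "public_statements": public_sids}


if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_POLICY), ("scoped", SCOPED_POLICY), ("org", ORG_SCOPED_POLICY)]:
        print(name, evaluate_bucket(policy, {"RestrictPublicBuckets": False}))
```

The check deliberately treats a "*" principal with an organization or VPC-endpoint condition as scoped rather than public, because that is the pattern a reviewer would otherwise spend time on for no gain; it reports the Public Access Block state separately so that a bucket saved only by the account-level guardrail still shows up as a policy to fix.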
Sample CSPM Vendors/Products
- Palo Alto Networks Prisma Cloud
Cloud Infrastructure Entitlement Management (CIEM)
CIEM is a ‘specialized identity-centric solution’ focused on managing identity access risk, which is exponentially more complex in the cloud than it is in legacy environments.
CIEM offers an easier, more scalable way for organizations to understand and manage identity and access to cloud infrastructure and services.
Many older role-based access control (RBAC) solutions define a set of resources that a user can access based on their role. CIEM expands this concept to the cloud, where identity includes not just users but entities, like compute functions.
CSPs also add new services all the time, making it hard, if not impossible, to keep up with identity and access permissions manually. On top of more complex user/entity identities and more services to manage, the way in which access is determined is far more complex in the cloud. AWS, for example, has a seven-step process that determines access.
CIEM also offers a way to achieve least-privilege access, that is, granting only the minimum permissions necessary to perform a given role.
While CIEM is the most sophisticated way to monitor and address access and entitlement risks, it doesn’t offer the ability to detect misconfigurations or protect workloads at runtime.
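To make the least-privilege point above concrete, here is an added example (written for this page, not any vendor's CIEM) of the core analysis such tools perform: compare the actions a role is allowed to perform against the actions it was observed performing, report grants that were never exercised, flag wildcard grants that are broader than the observed use, and emit a right-sized allow-list. The granted and observed action lists are constructed samples; in practice the observed list comes from CloudTrail, and the mapping from CloudTrail event names to IAM action names (which are not always identical) is assumed to have been done already.

```python
import fnmatch
import json

# Constructed sample (not from the post): the actions an IAM role's policy
# allows, and the actions that role actually performed over an observation
# window. In practice the second list is derived from CloudTrail; CloudTrail
# eventName values do not always equal IAM action names, so a real tool needs
# a mapping step that is assumed to have happened before this point.
GRANTED_ACTIONS = ["s3:*", "dynamodb:GetItem", "dynamodb:PutItem", "iam:PassRole", "lambda:InvokeFunction"]

OBSERVED_ACTIONS = ["s3:GetObject", "s3:GetObject", "s3:PutObject", "dynamodb:GetItem", "ec2:DescribeInstances"]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def analyze_entitlements(granted, observed):
    """Split grants into used/unused and report usage the analysed policy does not explain."""
    used = sorted(set(observed))
    used_grants, unused_grants = [], []
    for pattern in granted:
        bucket = used_grants if any(action_matches(pattern, a) for a in used) else unused_grants
        bucket.append(pattern)
    # Actions seen in the logs that no grant in this policy covers: they came
    # from some other attached policy and deserve their own review.
    ungranted_usage = [a for a in used if not any(action_matches(p, a) for p in granted)]
    # Wildcard grants that were exercised are still broader than what was used.
    broad_grants = [p for p in used_grants if "*" in p or "?" in p]
    return {
        "used_grants": used_grants,
        "unused_grants": unused_grants,
        "broad_grants": broad_grants,
        "ungranted_usage": ungranted_usage,
        "right_sized_actions": [a for a in used if a not in ungranted_usage],
    }


def right_sized_policy(actions, resource="*"):
    """Emit an allow-list policy containing only the observed actions.

    resource defaults to "*" for brevity; a real right-sizing step scopes it
    to the specific ARNs seen in the logs as well.
    """
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}],
    }, indent=2)


if __name__ == "__main__":
    report = analyze_entitlements(GRANTED_ACTIONS, OBSERVED_ACTIONS)
    print(json.dumps(report, indent=2))
    print(right_sized_policy(report["right_sized_actions"]))
```

On the sample data the unused grants are dynamodb:PutItem, iam:PassRole and lambda:InvokeFunction, s3:* is flagged as broad because only GetObject and PutObject were ever used, and ec2:DescribeInstances is reported as usage this policy does not explain. The observation window matters: an action that runs only at quarter-end will look unused for most of the year, so right-sized policies should be rolled out with monitoring rather than applied blindly.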
Sample CIEM Vendors
Tying it all together is the CNAPP. Gartner offers the following definition:
Cloud-native application protection platforms (CNAPPs) are an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production.
CNAPPs consolidate a large number of previously siloed capabilities, including container scanning, cloud security posture management, infrastructure as code scanning, cloud infrastructure entitlements management and runtime cloud workload protection platforms.
CNAPPs are really about securing the platforms applications run on (e.g. cloud infra/services) as opposed to securing the applications that run on those platforms.
CNAPPs bring together the benefits of many tools into one. If done correctly, they can save organizations money and reduce the number of tools in use.
There are several vendors who claim to offer CNAPPs. In reality, many platform solutions are disparate tools stitched together with some common branding, offering users a disjointed experience with little to no context.
Sample CNAPP Vendors/Products
- Palo Alto Networks Prisma Cloud
The tools that have evolved into the modern-day CNAPP have mostly focused on protecting cloud platforms and infrastructure. But what about the applications running on those platforms and infrastructure? While CNAPPs can see traffic going into and out of workloads, they do not have visibility into what’s happening within the application (e.g. microservices, functions, APIs) while it’s running in production.
This matters because no matter how secure your cloud configuration, there are way too many factors that can influence the security of your application when it’s out in the wild. Third-party dependencies, exposed APIs, sensitive data flows, and late-breaking or zero-day vulnerabilities are incredibly hard to understand, let alone manage, when you’re pushing code to production at scale, every day.
ASPM Fills the Gap
Bionic offers an innovative approach to understanding your application security posture as it exists in production (we call this ASPM). Building on the secure foundations that CNAPPs establish, ASPM helps organizations understand which risks pose the greatest threat of exploitation and business impact right now.