More

    Cloud Security Woes Give Rise to Integrated CNAP Platforms

    A core cybersecurity issue that organizations of all sizes are now struggling with is the rate at which applications are being deployed on cloud computing platforms is outpacing their ability to secure them. Developers today regularly make use of a wide range of tools to provision IT infrastructure to build and deploy applications without any intervention on the part of a centralized IT operations or cybersecurity team being required.

    The trouble is most developers have little to no security expertise. Cloud applications are today rife with misconfigurations that cybercriminals regularly exploit. It’s not uncommon for organizations to discover sensitive data has been exfiltrated from a cloud computing environment because a developer left a port open.

    This issue has resulted in the rise of a set of best DevSecOps practices through which developers will be provided with both the education, tools, and processes needed to build more secure applications. The challenge is that it takes time to institute that level of cultural change among developers. As a result, IT organizations are turning to a new class of Cloud-Native Application Protection (CNAP) platforms that continuously scan workloads and configurations both during the application development process and after the application has been deployed in a production environment.

    What is CNAP?

    As a category of security platforms coined by Gartner, a CNAP platform at its core aggregates two types of security platforms. Cloud Security Posture Management (CSPM) platforms are already employed by many organizations to surface misconfigurations and other vulnerabilities that cybercriminals could potentially exploit. The second core capability comes in the form of some type of Cloud Workload Protection Platforms (CWPP) that makes use of agent software to protect a workload running on either a virtual machine or encapsulated in a container.

    The degree to which any application workload is cloud native is open to interpretation. In the case of CNAP, the security policies can be applied to any workload regardless of whether it is a microservices-based application built using containers or a legacy monolithic application running on top of virtual machines. The term cloud-native is meant to simply describe the fact that the security platform deployed on a cloud platform is built on top of a modern IT framework such as the Kubernetes container orchestration engine.

    Read more about CNAP, CSPM, and CWPP: 6 Cloud Security Must-Haves – with Help from CSPM, CWPP or CNAPP

    Centralizing Security Management

    Regardless of terminology employed, the need to centralize the management of security, especially in cloud computing environments, is becoming more apparent as the rate at which applications are being developed and deployed continues to increase. Theoretically, of course, organizations could opt to slow the rate at which applications are being developed and deployed to conduct more security reviews. In practice, however, organizations are looking for ways to make sure applications are more secure without materially impacting the rate at which they are built. As more organizations realize how dependent they are on new applications and subsequent updates to drive revenue in the age of digital business transformation the less inclined they are to slow down application development.

    The paradox is the faster applications are deployed the larger the attack surface that needs to be defended becomes. Many of those applications are now driving mission-critical digital processes that revolve around highly sensitive data. In the absence of any willingness to slow down the rate at which applications are being deployed the next best thing is to increase the ability of cybersecurity teams to keep pace with that level of innovation. CNAP platforms promise to unify security processes in a way that instruments applications by making use of agent software to enforce security policies and then continuously scanning application environments for any violation of the policies defined by the cybersecurity team. That approach essentially relies on automation to place guardrails around the cloud platform developers are employing to build and deploy their applications.

    Building a Unified CNAP Platform

    Naturally, the race is now on to integrate CSPM and CWPP offerings to create a unified CNAP Platform. It’s still early days so IT organizations should expect to see a raft of CNAP platform launches in the week and months ahead. In many cases, vendors are simply responding to a larger trend toward consolidation of security management that is already underway. A recent survey of 383 IT and security professionals  conducted by Enterprise Strategy Group (ESG) on behalf of Lacework, a provider of an IT security platform, finds more than a third (35%) have already consolidated security controls, with another 50% reporting they are moving in that direction over the next two years. In that sense, CNAP is only the latest manifestation of an ongoing convergence of a wide range of security functions that is being driven by the need to reduce the total cost of security even as application environments become more complex.      

    There will never be any such thing as perfect security any time soon. However, many organizations have concluded that when it comes to security they are often their own worst enemy. The challenge and the opportunity now is to modernize security platforms in a way  that allows both developers and security teams to accomplish their core missions without continually having to get in each other’s way.

    Read next: Detecting Vulnerabilities in Cloud-Native Architectures

    Mike Vizard
    Michael Vizard is a seasoned IT journalist, with nearly 30 years of experience writing and editing about enterprise IT issues. He is a contributor to publications including Programmableweb, IT Business Edge, CIOinsight and UBM Tech. He formerly was editorial director for Ziff-Davis Enterprise, where he launched the company’s custom content division, and has also served as editor in chief for CRN and InfoWorld. He also has held editorial positions at PC Week, Computerworld and Digital Review.

    Latest Articles