A cloud-native application protection platform, or CNAPP, can help organizations consolidate multiple cloud security tools into a single, unified dashboard. While there are many benefits to deploying a CNAPP, organizations should think strategically about what they actually need before committing wholesale to this path.
Here are five steps companies should consider taking to make sure a CNAPP can meet their cloud security requirements.
#1: Update cloud strategy to treat development and runtime as a security continuum
With the introduction of a CNAPP, organizations should stop treating development and runtime as separate security purviews that require separate solutions. By integrating multiple cloud security functions into one platform, a CNAPP expands visibility and enriches context, which improves the identification of misconfigurations whether they surface early in the pipeline or later at runtime. Organizations should update their cloud strategy to address vulnerabilities holistically across development and runtime, and to reduce the number of point solutions that cover only one end of that spectrum.
#2: Establish and enforce DevSecOps
The ‘mileage’ an organization gets from a CNAPP will vary depending on how well it has institutionalized DevSecOps practices. A DevSecOps approach uses automation to streamline security checkpoints in the software pipeline and to reduce the errors and other costs associated with manual vulnerability scanning. As part of this approach, organizations should integrate security earlier into the developer toolchain so that misconfigurations or exposed containers are identified and triaged during testing rather than in production. With a CNAPP wired into a DevSecOps pipeline, developers get direct, self-service access to scan cloud-native artifacts, containers, and infrastructure as code for security weaknesses before they merge, which removes many of the friction points that have traditionally arisen between developers, operations, and security teams.
#3: Have an action plan for prioritizing and addressing risk
A CNAPP combines the functionality of multiple cloud security solutions (such as CSPM, CWPP and CIEM) in a single package, significantly expanding visibility, insight and context into the status and interactions of cloud assets. More data is rarely a bad thing, but it can be overwhelming for organizations that do not know how to interpret it and prioritize between competing alerts. Instead of trying to achieve perfect security (which is impossible), companies should assume vulnerabilities will exist regardless and be prepared to rank them by the risk they actually present: the same misconfiguration matters far more on an internet-exposed workload that runs under an over-privileged identity or holds sensitive data than on an isolated, low-privilege one, and a prioritization plan should use exactly the context a CNAPP correlates to make that distinction.
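As an illustration of steps #2 and #3 together (an added example, not code from the original article or from any CNAPP vendor), the following Python script acts as a small pipeline gate: it runs a few infrastructure-as-code misconfiguration checks over constructed resource definitions, enriches each finding with constructed runtime and identity context of the kind a CNAPP correlates from its CWPP and CIEM views, and ranks the findings by contextual risk. The resource shapes, check names, severity scale and scoring weights are all assumptions chosen for the example.

```python
"""Added example: IaC misconfiguration checks with context-aware risk ranking.
All resources, context and weights below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed resources, shaped loosely like the "values" blocks in the JSON
# that `terraform show -json` emits (an assumption, not real plan output).
RESOURCES = [
    {"type": "aws_s3_bucket", "name": "customer-exports",
     "values": {"acl": "public-read", "tags": {"data": "pii"}}},
    {"type": "aws_s3_bucket", "name": "build-cache",
     "values": {"acl": "private", "tags": {}}},
    {"type": "aws_security_group", "name": "bastion",
     "values": {"ingress": [{"from_port": 22, "to_port": 22,
                             "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "kubernetes_pod", "name": "api",
     "values": {"privileged": True, "run_as_user": 0}},
]

# Constructed runtime/identity context, the kind a CNAPP correlates from
# its workload (CWPP) and entitlement (CIEM) views. Keys are "type.name".
CONTEXT = {
    "kubernetes_pod.api": {"internet_exposed": True, "identity_is_admin": True},
    "aws_security_group.bastion": {"internet_exposed": True,
                                   "identity_is_admin": False},
}


@dataclass
class Finding:
    resource: str
    check: str
    base_severity: int                      # assumed 1 (low) .. 10 (critical)
    context: dict = field(default_factory=dict)

    @property
    def score(self) -> int:
        # Context adds to the base severity: a misconfiguration reachable from
        # the internet or sitting behind an admin identity outranks the same
        # misconfiguration in an isolated, low-privilege workload.
        score = self.base_severity
        if self.context.get("internet_exposed"):
            score += 3
        if self.context.get("identity_is_admin"):
            score += 3
        if self.context.get("sensitive_data"):
            score += 2
        return score


def rid(res: dict) -> str:
    return f'{res["type"]}.{res["name"]}'


def check_public_bucket(res: dict) -> Optional[Finding]:
    v = res["values"]
    if res["type"] == "aws_s3_bucket" and v.get("acl", "private").startswith("public"):
        # A public ACL is internet exposure by definition; a PII tag raises impact.
        return Finding(rid(res), "s3-public-acl", 7, {
            "internet_exposed": True,
            "sensitive_data": v.get("tags", {}).get("data") == "pii"})
    return None


def check_open_admin_port(res: dict) -> Optional[Finding]:
    if res["type"] != "aws_security_group":
        return None
    for rule in res["values"].get("ingress", []):
        if rule.get("from_port") in (22, 3389) and "0.0.0.0/0" in rule.get("cidr_blocks", []):
            return Finding(rid(res), "sg-admin-port-world-open", 6)
    return None


def check_privileged_pod(res: dict) -> Optional[Finding]:
    v = res["values"]
    if res["type"] == "kubernetes_pod" and (v.get("privileged") or v.get("run_as_user") == 0):
        return Finding(rid(res), "pod-privileged-or-root", 8)
    return None


CHECKS: list[Callable[[dict], Optional[Finding]]] = [
    check_public_bucket, check_open_admin_port, check_privileged_pod]


def scan(resources: list[dict], context: dict) -> list[Finding]:
    """Run every check over every resource, enrich with context, rank by score."""
    findings = []
    for res in resources:
        for check in CHECKS:
            f = check(res)
            if f is not None:
                f.context.update(context.get(f.resource, {}))
                findings.append(f)
    return sorted(findings, key=lambda f: f.score, reverse=True)


def gate(findings: list[Finding], fail_at: int) -> bool:
    """Pipeline gate: True means the build may proceed."""
    return all(f.score < fail_at for f in findings)


if __name__ == "__main__":
    ranked = scan(RESOURCES, CONTEXT)
    for f in ranked:
        print(f"{f.score:>3}  {f.check:<26} {f.resource}")
    print("gate:", "PASS" if gate(ranked, fail_at=10) else "FAIL")
```

Run as a script, the privileged, internet-exposed pod that runs under an admin identity comes out on top (score 14), ahead of the public bucket holding PII (12) and the world-open SSH port (9), and the gate fails the build at a threshold of 10. The point is the ordering: without the runtime and identity context, the bastion and the pod would be ranked on severity class alone, which is exactly the flat alert stream step #3 warns about.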
#4: Find opportunities to scale back vendor dependencies and reliance on point solutions
The cloud security market is packed with vendors and solutions that each promise to address some type of vulnerability in their own way, whether that be exposed S3 buckets, insecure APIs, unauthorized access, or limited visibility. This sheer diversity of products has left many organizations ‘locked’ into licenses with multiple vendors or saddled with a small army of point solutions that don’t play well together. As existing contracts with CSPM and CWPP vendors expire, organizations should take steps to reduce these dependencies and consolidate solutions where possible, while recognizing that consolidation trades many small dependencies for one larger one and planning the exit path accordingly.
#5: Carefully vet CNAPP vendors to ensure your cloud-native security needs are met
Organizations shouldn’t blindly rush out to acquire a CNAPP. The concept itself is still fairly new, and it’s unlikely that any one vendor has perfected the CNAPP package just yet. It is therefore in an organization’s best interest to research vendors offering CNAPP capabilities. As part of this vetting, Gartner recommends that companies sign one- to two-year contracts, because the market could change considerably in the span of just a few years. It’s also a good idea to request a demonstration first, to confirm the platform can scan for vulnerabilities and compliance violations in all, not just some, cloud-native artifacts, including source code, containers, VM images, APIs and infrastructure-as-code scripts, and to see how it correlates a finding from the pipeline with the same asset at runtime rather than reporting the two separately.