Gartner® just published its 2023 Market Guide for Cloud-Native Application Protection Platforms (CNAPPs), in which it shares important insights about the capabilities of a CNAPP and what cloud security leaders should look for when selecting one.

CNAPPs are cloud security platforms that have been designed to secure cloud-native applications built using technologies such as containers, microservices, and serverless computing. Cloud-native applications have greatly risen in popularity because they simplify building and deploying applications, enabling organizations to innovate faster. However, their immense scalability and speed of deployment also pose security risks that are substantially different from those of traditional applications and networks. Hence, the need for CNAPPs.

In this blog we will discuss the Gartner report and share our top five takeaways.

Securing cloud-native applications presents new challenges

In the report, Gartner expands on how the cloud security needs of modern organizations have evolved significantly with the rise of cloud-native applications, bringing developers and DevOps teams increasingly into the ‘security’ picture. Security controls need to be applied much earlier in the software development lifecycle, rather than just bolted on after production. In addition, security teams are increasingly reliant on developers and DevOps teams to fix issues in underlying code that is used to deploy Infrastructure as Code and containers.

This changed environment requires a consolidated cloud security platform that can be used by developers, DevOps and security practitioners alike, integrates into the CI/CD process, and keeps up with the agility of modern development teams without slowing them down.

“Until recently, comprehensively securing cloud-native applications required the use of multiple tools from multiple vendors that are rarely well-integrated and often only designed for security professionals, not in collaboration with developers. This lack of integration creates fragmented views of risk with insufficient context individually making it difficult to prioritize the actual risk. As a result, fragmented tools create excessive alerts, wasting developers’ time and making remediation efforts confusing to target roles.”
2023 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs)

What is a CNAPP and how does it address these challenges?

According to Gartner, “Cloud-native application protection platforms (CNAPPs) are a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production. CNAPPs consolidate a large number of previously siloed capabilities, including container scanning, cloud security posture management, infrastructure as code scanning, cloud infrastructure entitlement management, runtime cloud workload protection and runtime vulnerability/configuration scanning.”

Further expanding on this, a CNAPP is a consolidated platform that offers deep insights into cloud workloads, configurations, and identities from a single administration point, is built to fit into existing developer and security workflows, and gathers centralized data to provide the necessary context to prioritize risks.

CNAPPs deliver security spanning the Build, Deploy, and Run phases of the application lifecycle. In the diagram above, Gartner highlights the key areas that CNAPPs address.

Key Takeaways From the Gartner CNAPP Report

When reading through the Gartner report, these are the top ‘nuggets’ that stood out to us here at Orca Security:

1. An agentless architecture is needed for visibility and agility

In a modern DevOps-style organization, cloud-native application security must be scalable and not slow teams down. An agent-based security approach is simply not able to keep up in these fast-paced environments. An agentless cloud security platform is needed to provide streamlined security and avoid countless wasted hours spent installing and maintaining agents before teams can even get visibility into an asset. Instead, DevOps teams can spend their time on risk remediation and deploying new functionality.

“Security teams are perceived as slowing down modern DevOps style development. Security controls weren’t designed for the speed and scale of cloud-native applications and weren’t designed with the developer as the central customer (not security). The result historically has been poorly integrated testing that required the developer to leave their development environment, slowed development and often wasted developer time with false positives or asking them to remediate low-risk vulnerabilities.”
2023 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs)

2. Full lifecycle capabilities make remediation easier and prevent risks

By integrating cloud security early into the software development lifecycle, organizations increase the security of their applications and address issues pre-production when they are easier and less costly to fix. Gartner states that “CNAPP offerings allow an organization to use a single integrated offering to identify risk across the entire life cycle and disparate elements of a cloud-native application, and one that collaboratively puts the developer at the core of the application risk responsibility”.

Orca’s scan results for a source code scan on GitHub.

3. Look for completeness instead of best-of-breed

CNAPPs should include a comprehensive range of security capabilities: not only the ‘required’ Cloud Workload Protection and Cloud Security Posture Management functionality, but also API Security, Data Security Posture Management, Cloud Detection & Response, and Cloud Infrastructure & Entitlements Management. Not only does this significantly reduce complexity and avoid blind spots, it also means that the platform holds a treasure trove of information about all the different risks in the cloud environment, enabling advanced attack path analysis and risk prioritization.

“Most organizations already have some form of runtime CWPP in their virtual machines. Many have also selected a scanning tool for containers in development and a solution for CSPM. Most organizations have several vendors for different (or sometimes similar overlapping) functions, creating silos of users and findings, making it difficult to create a unified picture of risk. As organizations shift to a CNAPP-based approach, the synergy of an integrated platform will provide more benefits than a best-of-breed strategy that is difficult to scale.”
2023 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs)

4. Context is King

Cloud environments are complex. To truly understand cloud risks, organizations cannot rely on siloed tools where each one looks at only part of the puzzle. CNAPPs that offer a unified data model, collecting all information in one place, allow contextualization across all layers and enable advanced risk prioritization.

“The most significant driver is the need to unify risk visibility across the entire hybrid application and across the entire application life cycle. This simply cannot be achieved using separate and siloed security and legacy application testing offerings. CNAPP offerings operationalize cloud-native application risk (a concept referred to as RiskOps and introduced in Seven Imperatives to Adopt a CARTA Strategic Approach) by “connecting the dots” to help understand the effective risk across the multiple layers of a modern cloud-native application. Risk-prioritizing the findings is critical as developers and security professionals are overloaded with alerts and findings of siloed tools.”
2023 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs)

By unifying risk visibility across all cloud layers and across the entire development life cycle, CNAPPs can utilize attack path analysis and graph visualization to accurately pinpoint which risks endanger the organization’s most critical assets and are part of the most severe attack paths, so these can be remediated first.

Orca’s interactive Attack Path Analysis view to see interconnected cloud risks

5. A CNAPP should be truly consolidated, not stitched together

Some vendors in the space offer an ‘integrated’ platform but are actually just offering separate products under the same name. These ‘integrated’ products do not share telemetry, nor do they share the same administration console. This type of integration does not provide the synergy benefits of a platform that was built as one consolidated solution from the ground up.

“All services should be fully integrated, not loosely coupled independent modules (typically resulting from a vendor’s internal silos, poorly integrated OEM components or those added from an acquisition). Integration should include the front-end console, unified policy across multiple points of inspection and a unified back-end data model.”
2023 Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPPs)

Notable requirements for securing your cloud and applications

In the report, Gartner highlights critical requirements that enterprises need to address for comprehensive cloud security. Here at Orca Security, we have chosen to highlight several of the requirements that we think are important:

  • Cloud security posture management, including all leading hyperscale providers and their managed Kubernetes offerings (Kubernetes security posture management [KSPM])
  • Infrastructure as code (IaC) scanning, including for major IaC scripting languages and YAML/Helm for Kubernetes, including drift detection from expected state
  • Workload detection and response
  • Cloud infrastructure entitlement management
  • Scanning of containers and container registries for risk
  • Expanded cloud detection and response (CDR) capabilities beyond just workload monitoring (for example, looking at event logs, network logs and DNS lookups)
  • API discovery and scanning for correct configuration in development, and API discovery and monitoring at runtime
  • Visibility into securing VMs, containers, Kubernetes, and serverless functions

How Orca is Delivering a Modern Cloud Security Platform

From the beginning, Orca has delivered a Cloud Security Platform that stays true to the core principles we believe an effective cloud security platform should be built on: 100% coverage of assets, comprehensive security incorporating all cloud risks, contextual intelligence to surface the most critical risks, and finally, consumable security to empower teams to take action and remediate issues.

Learn More About CNAPP

Although we hope you have enjoyed reading our take on the report, we highly recommend that you read the entire 2023 Gartner CNAPP Market Guide so that your organization is fully equipped to select the CNAPP that works best for you. If you are interested in learning more, feel free to view our latest recorded demo of the Orca Platform.

Gartner, Market Guide for Cloud-Native Application Protection Platforms, 14 March 2023, Neil MacDonald et al.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.