CNAPP

Gartner’s hype cycle is relentless: once a new technology emerges, it must go through a series of defined stages before it becomes mature enough for widespread adoption. “For CNAPP, we are gradually moving beyond the disillusionment phase and entering the slope of enlightenment. High time, then, to reassess the solution,” says Koen Tamsyn, Business Unit Lead Cybersecurity at Inetum.

The name says it all: a cloud-native application protection platform, or CNAPP, is a platform designed to protect cloud-native applications. It consolidates various standalone tools into one holistic solution for managing security in the cloud.

CNAPP is maturing

In Gartner’s 2021 report on cloud security, CNAPP was still positioned near the beginning of the hype cycle. The new solution had just about passed the initial phase of promising innovation. It was on the verge of entering the peak of inflated expectations—Gartner’s second phase—meaning the bubble was close to bursting. “One single package, CNAPP, was said to solve all our cloud security problems,” recalls Koen Tamsyn of that period of overblown hype. An ambitious promise that this one package could not possibly fulfill at the time. The inevitable third phase then followed: that of deep disappointment.

However, even in its own hype cycle, Gartner indicated that CNAPP would require at least another five to ten years to reach the final stage—namely, that of increased productivity and widespread adoption. “We are now about four years down the road,” the cybersecurity expert calculates, “and I believe the downward spiral is largely behind us. CNAPP has gradually climbed out of the trough of disillusionment, bringing us to the slope of enlightenment.”

This is clearly reflected in several aspects of the solution that, in 2021, were not yet fully developed but have since been refined. “The solution is also seeing greater market penetration,” Koen Tamsyn notes. “And we are seeing clear signs of increased competition among CNAPP providers. That leads me to believe that in the coming years, we will see increasingly mature CNAPP solutions enter the market—solutions that could be highly useful and valuable for many organizations.”

Increasing complexity

To understand why a cloud security platform like CNAPP was ever developed, we need to go a bit further back in time, before 2021. “Back then, we were slowly starting to migrate workloads from the local data center to the cloud, even if just as a test,” says Koen Tamsyn. “To protect this new environment, we typically extended our existing on-premise security to the cloud. A virtual firewall and antivirus or other EDR tools on our virtual systems—that was our initial setup.”

But it soon became apparent that this was far from sufficient, especially as cloud usage evolved from Infrastructure-as-a-Service (IaaS) to Platform-as-a-Service (PaaS). As a result, more and varied cloud services emerged, including serverless functions and multiple authentication providers. The cloud suddenly looked completely different from the familiar on-premise data center. “All those appealing extras only made the cloud environment more complex—and harder to secure,” summarizes Koen Tamsyn. Because a firewall and antivirus were no longer enough, a new, more comprehensive security solution became essential.

Three core components

That solution came in the form of CNAPP: not a single, standalone tool, but a collective term for a bundle of tools aimed at securing cloud environments comprehensively. “Unfortunately, that also posed a challenge for many organizations. How do you determine which CNAPP is right for you? Every vendor interprets the concept differently and uses different components.”

Koen Tamsyn lists three components that form the foundation of every CNAPP solution. The first is Cloud Workload Protection (CWP): a typical DevOps scanning tool for developers. On the operational side, Cloud Security Posture Management (CSPM) is indispensable. “This module audits all settings in your cloud environment. Are there any misconfigurations in Azure, for example? Is there an exposed container? Are there patches that still need to be applied?” Finally, there is Cloud Infrastructure Entitlement Management (CIEM—not to be confused with SIEM), which focuses on managing and securing identities and access rights in cloud environments (IAM).

A CNAPP solution can include many more components, but these three modules—which have existed for some time and are also available as standalone tools—consistently form the foundation. “Today, we are already seeing the second or even third generation of CNAPP solutions,” Koen Tamsyn observes. Some providers have also expanded their offerings with Kubernetes Security Posture Management (KSPM), aimed at securing Kubernetes clusters.

Screening the offerings

“The core question remains: do you really need every part of a full CNAPP solution?” continues Koen Tamsyn. Core components like Cloud Workload Protection (CWP), Cloud Security Posture Management (CSPM), and Cloud Infrastructure Entitlement Management (CIEM) will serve as a solid foundation for many organizations. Additional features offered by some providers, however, must be carefully assessed. It is essential to determine which of these supplementary functions are truly relevant to your specific environment. At Inetum, we can expertly guide and advise you based on our years of experience in the field.

Need more information or non-binding advice?

In a constantly evolving environment, preventive security measures are unfortunately no longer sufficient. Continuously improving cloud security is therefore crucial to protecting your sensitive data and, by extension, your entire business. If you allow us to review and evaluate your security posture and environment, we will begin by providing you with a prioritized list of risks along with the actions needed to better protect against cyberattacks. In addition to such a Cybersecurity Assessment, we can also help you develop a comprehensive Cybersecurity Roadmap. This includes tailored improvement recommendations that we translate into a detailed action plan with clear timing, priorities, and the necessary resources. For more information, contact us at  info.belgium@inetum.com.