Gartner calls the solution to these problems Cloud-Native Application Protection Platform (CNAPP). According to Gartner’s official description, CNAPPs should provide a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production. These solutions aim to make securing software as it is developed, run, and maintained in the cloud both integrated and easier.
To make cloud security work effectively, we have to consider the whole application lifecycle, from initial creation, to testing and development, to production deployment. This makes it easier to detect potential issues within applications earlier and then prioritize remediation work.
We also must look at the cloud infrastructure that the applications will run on, and we need to be able to secure these platforms effectively. This covers multiple areas: the initial quality of the cloud environment configuration, cloud accesses and permissions, cloud deployments, and long-term management.
Lastly, we have to look at our cloud environment both before it runs and while it is running. While we might be able to improve security by looking for potential vulnerabilities or misconfigurations prior to application deployment, this does not guarantee that every issue will be visible or that problems will be found in advance. We require real-time insight into what is happening in cloud environments and workloads over time.
All these efforts are interconnected, as cloud applications run on cloud infrastructure and might change over time to meet workload demands. The challenge here is how to join up all these different components and tool sets so that both security professionals and software developers alike can respond quickly and effectively to potential threats.
On the software side, security efforts begin in the software development stage. As new applications are created, a software composition analysis (SCA) tool checks software source code and binaries going through the development pipeline in order to spot potential issues or known vulnerabilities. At the same time, various application security testing (AST) techniques are used to find issues or misconfigurations in the applications themselves that could lead to security incidents.
On the infrastructure side, Cloud Security Posture Management (CSPM) is the most common tool that security professionals use to check that their environments are secure. CSPM looks for potential misconfigurations or vulnerabilities in the underlying cloud environments that are deployed and flags any risks for the IT Operations and IT Security teams to review. A Cloud Infrastructure Entitlement Management (CIEM) solution is also commonly used by security teams. It covers identities and access to applications, services, and workloads running in the cloud. Proper management of access rights, permissions, and privileges ensures that individuals can work on what they need to, but that there are no extraneous or unnecessary permissions to other workloads. This reduces the risk of accounts being used by attackers to move laterally or gain additional permissions.
Another consideration for cloud infrastructure is how services are implemented and managed. This is typically done in code, as it is easier to manage and apply version control this way. Infrastructure as Code (IaC) is used to automate deployment for new workloads or services, so this too needs to be checked regularly for security issues. Security checks here will show where and how deployed environments have changed or evolved from their original states, which could increase potential security risks if left unchecked.
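As an added example (not code from this page or from any vendor's product), the drift check described above in Python: it compares the resource state declared in IaC with the state observed in the deployed environment, reports every difference, and rates those that weaken the security posture (public access, open ingress, missing encryption) as high. The resource names, attributes and risk rules are constructed assumptions, not the output of any real cloud provider.

```python
"""Drift check: compare the state declared in IaC with the state observed in
the deployed cloud environment and flag security-relevant differences.
Both inputs are constructed sample data, not output of any real provider."""

# Declared state, as an IaC tool would render it (constructed sample).
DECLARED = {
    "sg-web": {"type": "security_group",
               "ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
    "bucket-logs": {"type": "storage_bucket",
                    "public_access": False, "encryption": "aes256"},
}

# Observed state, as read back from the cloud API (constructed sample).
OBSERVED = {
    "sg-web": {"type": "security_group",
               "ingress": [{"port": 443, "cidr": "10.0.0.0/8"},
                           {"port": 22, "cidr": "0.0.0.0/0"}]},
    "bucket-logs": {"type": "storage_bucket",
                    "public_access": True, "encryption": "aes256"},
    "bucket-tmp": {"type": "storage_bucket",
                   "public_access": False, "encryption": None},
}

def is_risky(attr, value):
    """Hypothetical rules: does the drifted value weaken the posture?"""
    if attr == "public_access":
        return value is True
    if attr == "encryption":
        return value is None
    if attr == "ingress":
        return any(rule["cidr"] == "0.0.0.0/0" for rule in value)
    return False

def detect_drift(declared, observed):
    """Return findings as (resource, attribute, declared, observed, severity)."""
    findings = []
    for name, actual in observed.items():
        wanted = declared.get(name)
        if wanted is None:  # resource exists but was never declared in IaC
            findings.append((name, "*", None, "unmanaged", "high"))
            continue
        for attr in sorted(set(wanted) | set(actual)):
            before, after = wanted.get(attr), actual.get(attr)
            if before != after:
                sev = "high" if is_risky(attr, after) else "low"
                findings.append((name, attr, before, after, sev))
    for name in declared.keys() - observed.keys():  # declared but missing
        findings.append((name, "*", "declared", None, "medium"))
    return findings
```

Running `detect_drift(DECLARED, OBSERVED)` on the sample data yields three high-severity findings: the new world-open port 22 rule, the bucket made public, and the unmanaged bucket.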
Cloud Detection and Response (CDR) is another security solution used to manage potential issues and remediate security risks. CDR provides response actions for any potential or true positive incidents, so that remediation actions can be carried out quickly. Providing a prescriptive approach allows security teams to contain and respond to both risks and incidents and minimize impact quickly and effectively.
The last consideration is how to protect running environments in the cloud. Similar to how IaC environments can be changed once they are deployed, applications running in containers can access and download other software or code requirements for their workloads. These could be company-requested application security or feature updates, but such runtime changes are also commonly seen as an attack technique. Monitoring for any changes in containers or applications during runtime can bring