The Importance of CNAPP in Cloud Security and Key Differences Between Platforms

January 10, 2023

With the blistering adoption of the cloud, combined with increased complexity due to multi-cloud, hybrid, and SaaS architectures and the exploding use of containers, serverless, and other forms of cloud-native architecture, we need new strategies for securing these complex multi- and hybrid-cloud environments. This post explores the importance of adopting a cloud-native application protection platform (CNAPP) as part of your cloud security strategy, along with some key benefits and differences between platforms in this segment of the cybersecurity industry.

WHAT IS CNAPP?

CNAPPs consolidate a large number of previously siloed capabilities. Organizations demanded consolidation from vendors in an attempt to reduce cloud security alerts and to cover the fundamental security controls and protections needed in cloud environments more successfully. Gartner defines CNAPP as an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production. These capabilities include:

  • Cloud workload protection platforms (CWPP)
  • Cloud security posture management (CSPM)
  • Cloud infrastructure entitlement management (CIEM)
  • Vulnerability management, detection and response (VMDR)

THE BENEFITS OF CNAPP

The consolidated CNAPP feature capabilities often include container scanning, cloud security posture management, infrastructure as code scanning, and runtime cloud workload protection platforms.

  • Consolidated security management of new cloud-native architectures - Containers, serverless, and hyperscaling resources all require technology-specific solutions to secure these new attack vectors. CNAPP consolidates the security tools necessary to secure these environments. This has the additional benefit of reducing operational complexity for security teams, as well as the cost of technologies and platforms they license from other vendors.
  • Enhanced visibility and observability - CNAPP can give organizations greater visibility by letting them monitor and analyze activity in real time and set and enforce security policies. This can help companies detect and respond to potential threats based on the most exploitable attack paths, which can be visualized by overlaying runtime information about the environment on vulnerability scans and creating risk profiles for different assets.
  • Improved continuous compliance - Many organizations are required to comply with various regulations and standards when it comes to data protection and security. CNAPP can help companies meet these requirements by providing a range of security controls and features that support continuous compliance.
  • Enhanced scalability and performance - CNAPPs are designed to be scalable and performant and can help ensure security measures do not negatively impact the performance of cloud-native applications. They can read encrypted traffic without intrusive processes.
  • Delivers on the promise of DevSecOps - CNAPPs create a common platform for development and security teams to understand and visualize risk within your environment. Because risk is approached based on exploitability and not just severity, development teams have more context for why they need to quickly patch and remediate vulnerabilities. Security teams, in turn, get a reduced attack surface to monitor for potential threat actor activity.

CNAPP - THE TECHNOLOGY

There is a divisive debate in the security community over whether cloud-native application protection platforms need agent-based approaches to detection and response or agentless ones. We will tackle what the approaches are, their pros and cons, and how this affects the CNAPP space.

Agentless - What Is It:

Agentless refers to security operations where no service, daemon, or process needs to run in the background on the machine being monitored. Agentless tools harness the power of the cloud, APIs, and other metadata to make security monitoring decisions.

A few quick benefits of the Agentless approach to security include:

  1. Quick Deployment - agentless technologies prioritize time to initial security scan and the first deployment.
  2. Breadth of Visibility - agentless tech often goes for a mile-wide approach to scanning the cloud as opposed to going deep on particular host-based security issues.
  3. Lower Maintenance Costs - this is a side effect of point 1.
  4. Continuous Security and Compliance for Cloud Services - agentless approaches continuously monitor configuration changes that might affect regulatory or security posture in the cloud. This allows organizations to move toward more continuous security and compliance frameworks across their varied environments.

Some cons of the Agentless approach to security include:

  1. Lack of Runtime Protection - remediation stops at configuration changes, as opposed to network or host-based security policy that can take action based on threat actor TTPs.
  2. Lack of Visibility in Hybrid Cloud - limited mostly to public cloud due to the reliance on cloud service provider APIs.
  3. Prioritize Deployment Speed Over Security Posture Tuning - while initial maintenance and deployment costs are lowered, the inability to do deep packet inspection (DPI) in the cloud and to detect and respond to threat actor TTPs leaves the security posture lacking after the initial deployment. It also prioritizes cloud-wide policy over the ability to define granular security policy at the host level.

Agents - What Are They?

Agents are specialized software components that are installed on machines for performing security-related actions and operations. A few quick benefits of the Agent-based approach to security include:

  1. Enable Deeper Inspection on Hosts - agents can perform specialized scanning at the process level, which is key for determining certain tactics, techniques, and procedures (TTPs) of threat actors.
  2. Runtime Protection - agent-based approaches to security allow the blocking of traffic at the network and/or host level based on TTPs identified through DPI of network traffic.
  3. Attack Path Modeling and Protection - can occur across hybrid-cloud deployments and isn’t limited to public cloud APIs. It can detect threats against a variety of infrastructure including containers, Linux hosts, serverless, Kubernetes, etc.

Some cons of the Agent-based approach to security include:

  1. Prioritize Tunability and Config of Security Posture Over Deployment - initial setup takes time but offers deep granularity of control once set up. Agent-based technologies can also be baked into scripts that run every time a deployment occurs in a hyperscale environment.
  2. Maintenance Costs - managing upgrades, changes to deployment scripts, and OS upgrades is often more of an operational hassle with agent-based technologies.
  3. Performance Impacts on Host - these can sometimes occur if agents are not optimized for high-performance cloud environments.

Luckily, the sanest of the security industry have come to the conclusion that you need both to adequately secure the cloud. You can read more about the agent technology Deepfence uses and its use cases in security, particularly its ability to provide deep observability of runtime traffic.

WHAT MAKES DEEPFENCE DIFFERENT?

These ideologies are still prevalent when looking at the CNAPP space. Platforms have consolidated feature sets but still prioritize one approach over another. Deepfence believes one needs to be a mile deep on key security controls (vulnerability management, CSPM, malware, secrets, etc.) before spreading yourself thin.

This requires agent-based data to be correlated with agentless scans to get a deep understanding of attack vectors in the cloud! Only by identifying attack vectors can we accurately update our security posture in hybrid cloud environments to effectively implement security protections and controls to eliminate modern-day TTPs threat actors are utilizing to move throughout our environments!
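The correlation described above, as an added example (not Deepfence's code): agentless scan findings are joined with agent-observed runtime context so that the ranking reflects exploitability rather than severity alone. The sample data, field names, vulnerability ids, tiers, and tier ordering are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:                   # one row from an agentless image/host scan
    asset: str
    package: str
    vuln_id: str                 # placeholder ids, not real CVEs
    severity: float              # scanner severity score, 0-10

@dataclass(frozen=True)
class Runtime:                   # what an on-host agent observed for one asset
    loaded_packages: frozenset   # packages mapped into running processes
    internet_ingress: bool       # inbound connections seen from public IPs

# Constructed sample data.
FINDINGS = [
    Finding("batch-worker", "libxml-demo", "VULN-0001", 9.8),
    Finding("web-frontend", "httpd-demo", "VULN-0002", 7.5),
    Finding("web-frontend", "imgtool-demo", "VULN-0003", 9.1),
    Finding("legacy-vm", "sshd-demo", "VULN-0004", 8.1),
]
RUNTIME = {
    "batch-worker": Runtime(frozenset({"libxml-demo"}), False),
    "web-frontend": Runtime(frozenset({"httpd-demo"}), True),
    # "legacy-vm" runs no agent, so it has no runtime context at all.
}

# Assumed policy: an asset without runtime data ranks above a dormant package,
# because nothing observed rules exploitation out.
ORDER = {"exposed": 0, "internal": 1, "unknown": 2, "dormant": 3}

def tier(finding, runtime):
    """Classify a scan finding using runtime context for its asset."""
    rt = runtime.get(finding.asset)
    if rt is None:
        return "unknown"         # agentless data only
    if finding.package not in rt.loaded_packages:
        return "dormant"         # vulnerable code present but never loaded
    return "exposed" if rt.internet_ingress else "internal"

def prioritize(findings, runtime):
    """Sort by exploitability tier first, scanner severity second."""
    ranked = sorted(findings,
                    key=lambda f: (ORDER[tier(f, runtime)], -f.severity))
    return [(f.vuln_id, tier(f, runtime)) for f in ranked]

if __name__ == "__main__":
    for vuln_id, t in prioritize(FINDINGS, RUNTIME):
        print(vuln_id, t)
```

Sorted by severity alone, VULN-0001 and VULN-0003 would lead the queue; with runtime context the lower-scored but internet-exposed VULN-0002 moves to the top and the never-loaded VULN-0003 drops to the bottom.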

The extra CONTEXT agents provide in the cloud has tangible benefits for organizations:

  1. Cost Management - better tune security controls and spend based on extra context, such as the exploitability of a particular risk within your environment.
  2. Alert Reduction - alert fatigue causes turnover; this context is critical to reducing alerts and ensuring security professionals can focus on higher-order activities such as threat hunting and security policy writing, rather than mundane alert triage.
  3. Consolidation of Security Features - this allows organizations to achieve a better ROI on remediation of critical cloud security alerts by gaining efficiencies from a single platform to detect and respond to threats within their cloud.

Early vendors in the space prioritized speed/ease of deployment and opted to lead with "agentless" implementations of these services. These entrants were CSPM-heavy in their approach to CNAPP and relied on cloud API controls to alert on security misconfigurations and remediations. These types of CNAPP platforms are a mile wide and an inch deep in their coverage of cloud security threats. They also prioritized ease of management and cloud platform services coverage over the workloads companies were putting in the cloud.

Other CNAPP platforms chose to implement CSPM capabilities as an agentless control plane in the cloud, but argued that deeper inspection of workloads was important to the cloud security conversation! They are CWPP-heavy and focus on going a mile deep on fundamental security controls. They argue that agentless scanning can merely help you find risk within your environment; it cannot help you measure the exploitability of that risk because it has no understanding of the runtime traffic/context - what's going in, what's coming out, what's changing!

Also, being deeper on the CWPP side of CNAPP allows you to enact protection at the process, workload, and TTP level, rather than just at the API level of cloud services. This is important in zero-day scenarios or scenarios where compromise may have already occurred.

If you want to learn more about CNAPP, see a demo of Deepfence's offering in the space, and/or have a discussion around the focus of CNAPP's detection and response efforts, schedule a demo to learn more.