Why Now Is the Time for CISOs to Embrace CNAPP for Cloud Native Security

By: Ran Ilany

Apr 20 2022

“Breaking down silos” is a common phrase in the world of DevOps and DevSecOps.

Ironically, though, if you look at how many DevOps and DevSecOps cloud native security tools actually work, you realize that the tools used are very siloed. In other words, they serve only a single function. This is inefficient for engineers, and it increases the security risks that companies face.

That’s why we need a new approach to cloud native security – one rooted in a Cloud Native Application Protection Platform, or CNAPP, approach, instead of siloed, compartmentalized tools.

The siloed state of cloud native security tools

The problem facing DevOps and DevSecOps teams today isn’t that they don’t have good cloud native tools. It’s that their tools are segmented. Many teams use completely siloed tools to address different types of risks.

They might use a Cloud Security Posture Management (CSPM) solution to detect risks in their cloud workload configurations, for example. They then use a different tool for Cloud Infrastructure Entitlements Management (CIEM), which addresses access control risks. A third category of tool – Cloud Workload Protection Platform (CWPP) – is required to secure cloud applications and data. And if you use containers or Kubernetes, you probably rely on separate Kubernetes Security Posture Management (KSPM) tools to secure that layer of your stack. All this adds complexity and increases the risk of security and integration issues.

Each of these tools has to be set up and managed separately. You also have to correlate their reports manually because the tools lack efficient ways of integrating their findings or interpreting how risks at one layer of your stack (like your cloud configuration), may relate to threats at another layer (like within cloud workloads). The fact that many tools are “agent-based” and require a tedious deployment processes contributes, only further, to inefficiency.

By extension, the siloed nature of cloud native security makes it easy to overlook threats, leading to a weaker overall security posture.

The cloud native security gap in practice

To understand why the siloed nature of cloud native security tools is so risky, consider the example of securing a relatively simple type of resource – a virtual machine hosted in a public cloud that has access to a sensitive service. A vulnerable VM that has access to a sensitive service could lead to various forms of ransomware attacks, as well allowing hackers to gain code execution on the host.

To secure this VM using traditional tools, you’d need at least two different types of tools. One would be a CSPM scanner, which would validate the configuration of your cloud VM instance firewall (or security group). The second would be a CWPP solution, which would look for internal risks within the VM itself, such as an access credential user/password within a script used by app VM/Instance (potentially enabling access to a sensitive service).

Not only is it more work to deploy both types of tools for your VM, but this approach also leaves you at a higher risk of missing a security issue. Your team might assume that the VM is secure because it has passed CSPM checks, for example, when in fact a vulnerability exists within the workload layer.

Matters can become even more complicated when you are dealing with more complex types of workloads – such as containerized applications running in a managed Kubernetes service on a public cloud. In that context, you have to deal with things like multiple layers of access rules – the ones you configure in your cloud’s IAM service, and those you set up via Kubernetes RBAC. This makes it even harder to ensure you don’t miss anything when scanning for risks.

CNAPP: A better approach to cloud native security

These problems are why modern teams need a Cloud Native Application Protection Platform (CNAPP). But first, what exactly is a CNAPP? According to the Gartner Innovation Insight Report, CNAPP is “an integrated set of security and compliance capabilities designed to help secure and protect cloud native applications across development and production”

Even if you have multiple sources of compromise to protect against, a CNAPP lets you evaluate and respond to those sources comprehensively. Your team doesn’t have to deal with the inefficiency of juggling multiple tools, or worry about oversights that could leave workloads vulnerable.

Now, it’s worth noting that the CNAPP tool market is still very young compared to the ecosystems surrounding better-established tool categories, like CSPM. But as CNAPP tools mature, selecting the right one is poised to become a hot topic for CISOs in the near future.

Conclusion

Gartner believes that by 2025, more than 95 percent of workloads will be cloud native, compared with just 30 percent in 2021.

That means that organizations today have a very important choice to make. As they migrate more and more workloads to a cloud native environment, will they stick with siloed, inefficient security tools that leave them prone to oversights and risks? Or will they streamline their approach using CNAPP, which provides a much more efficient and reliable means of mitigating cloud native security threats?

The choice is clear. It’s just a matter of finding the right CNAPP tool and integrating it into your environment. Read about Cisco’s ET&I initiative to learn more about cloud native security, and how that future is being formed.

And don’t forget to follow us on Twitter and LinkedIn to stay up to date with the latest developments!