Why choose Panoptica?
Four reasons you need the industry’s leading cloud-native security solution.
By Paul Nashawaty, Principal Analyst; and Melinda Marks, Senior Analyst
Enterprise Strategy Group
This Enterprise Strategy Group White Paper was commissioned by Cisco and is distributed under license from TechTarget, Inc.
White Paper: Enhance Security and Gain Comprehensive Visibility with a Cloud-native Application Protection Platform
As the demand for cloud-native applications has increased, so have the challenges around developing and managing them. Cloud-native applications are complex and designed to be highly scalable, but managing the scale can be challenging, especially when applications are distributed across multiple data centers and cloud providers. And because cloud-native applications are often built and deployed on a microservices architecture and deployed using containers and Kubernetes for orchestration, new security challenges can be easily introduced into these complex environments.
Organizations are all too aware of the negative impacts a security breach can have on the business, ranging from financial loss, reputational damage, and downtime to lost customer loyalty and intellectual property theft. Modern organizations are recognizing the need to take a proactive and more holistic approach to monitoring, managing, and protecting their cloud-native applications to prevent security issues and to respond quickly to them if they do occur.
Cloud-native application protection platforms (CNAPPs) are unified and tightly integrated sets of security and compliance capabilities designed to secure and protect cloud-native applications across development and production. CNAPPs consolidate a large number of previously siloed capabilities, including container and configuration scanning, cloud security posture management, infrastructure-as-code scanning, cloud infrastructure entitlement management, runtime vulnerability assessment, and cloud workload protection.
Established security tools and methods created to protect on-premises data centers and endpoints do not necessarily work for a cloud infrastructure, which is a very different architecture. Until recently, securing cloud-native applications was challenging, requiring multiple tools from multiple security vendors that were not typically well integrated. Without a highly integrated approach, organizations only have a partial view of risk. In addition, those point solutions are often designed by security professionals without collaboration with developers, which can unintentionally add unnecessary friction and delays to an agile development process. Clearly, cloud-native technologies require a complete lifecycle approach to simplify security, including reducing the number of security vendors.
This paper looks at how a leading-edge CNAPP can solve key challenges that organizations face with cloud-native application environments by providing a centralized platform for managing security policies and controls and by using automation to identify and remediate threats in real time. This single integrated offering identifies risk across the entire lifecycle and the various elements of a cloud-native application and puts the developer at the core of application risk responsibility. In addition to security threats, a CNAPP can provide real-time visibility into application performance and resource utilization for faster issue resolution. Compliance with regulations such as HIPAA, PCI, and GDPR is another challenge that a CNAPP can address through automated compliance monitoring and reporting and by enforcing security policies tied to those regulatory requirements.
A CNAPP is a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production.
CNAPPs consolidate a large number of previously siloed capabilities, including:
CNAPP offerings integrate visibility, assessment, and remediation for modern, agile organizations leveraging DevOps strategies that need to address unknown and unexpected risks. These risks arise from the increased complexities that emerge at the intersection of automation, deployment, and orchestration of cloud-native applications. The core value of CNAPPs is their ability to identify security issues and vulnerabilities earlier in the development cycle, accelerate their remediation, and provide consistent and continuous security and compliance monitoring.
Most CNAPPs are cloud-based, as-a-service offerings, with integration into the runtime cloud environments and development pipeline tools used by the development organization. CNAPP solutions deliver an integrated set of capabilities spanning runtime visibility and control, cloud security posture management (CSPM) capabilities, software composition analysis capabilities, and container scanning. Additional capabilities may include API testing and monitoring, traditional static application security testing/dynamic application security testing, and runtime web application and API protection.
A leading-edge CNAPP solution is a cloud security solution that provides full-stack security through three or more main components:
Cloud-native applications are typically built using a microservices architecture, which can be complex to deploy and manage. These applications consist of many independent services that need to be deployed, monitored, and managed separately, sometimes across multiple clouds, which can make it difficult to get a complete picture of the application's overall health.
According to research from TechTarget’s Enterprise Strategy Group on cloud-native applications, most respondents (89%) said providing developer-ready infrastructure is essential for application deployment, with more than one in five categorizing it as critical.1 When respondents were asked about the kind of infrastructure their organization primarily used for its cloud-native applications, it was roughly evenly split, with 33% using containers, 31% using serverless functions (such as framework-as-a-service), and 34% using serverless databases (see Figure 1).2 Looking ahead, not much change is expected. Because developers are creating containers, serverless functions, and cloud infrastructure, CNAPP tooling needs to “shift left” into the development lifecycle in addition to providing comprehensive runtime visibility. Shifting risk visibility left requires a deep understanding of the development pipeline and artifacts and an extension of vulnerability scanning earlier into the development pipeline as these artifacts are being created.
Figure 1. Infrastructure Used for Cloud-native Applications
A CNAPP can simplify an IT environment in several ways:
As CNAPPs simplify the cloud-native environment, improve the efficiency of IT operations, and reduce the workload for IT staff, they enable the organization to focus on higher value activities.
New cloud-native architectures enable teams to develop and deploy software more quickly to keep up in a fast-paced marketplace. However, this speed is not without risk to security.
In a cloud-native application development and deployment environment, containers are used to package and deploy applications. This can introduce new security challenges because containers, if not properly secured, can be vulnerable to attacks such as the injection of malicious code. Kubernetes uses APIs to manage and orchestrate container deployments, which can also be vulnerable to attackers who are trying to gain access to the Kubernetes cluster and the containers running on it. In addition, the complex network architecture used to manage container communication can be difficult to secure. To manage access to containers and the cluster, Kubernetes also requires complex identity and access management that can lead to unauthorized access if not configured correctly. Organizations need to take proactive steps to secure their Kubernetes deployments, such as implementing security controls, conducting regular vulnerability assessments, and ensuring compliance with regulatory requirements. Enterprise Strategy Group research shows that most organizations have increased their efforts to secure open source software, containers, and third-party software components (see Figure 2).3
Figure 2. Most Organizations Have Increased Efforts to Secure Open Source Software, Containers, and Third-party Software Components
Yes, we have increased our efforts slightly, 27%
Yes, we have increased our efforts significantly, 73%
Source: Enterprise Strategy Group, a division of TechTarget, Inc.
In spite of these efforts, organizations are under a lot of pressure to optimize and move quickly when it comes to releasing code. As a result, according to Enterprise Strategy Group research, many developers are pressured to push code to production, even with known vulnerabilities, to meet deadlines (see Figure 3).4
Figure 3. Almost Half of Developers Surveyed Say They Regularly Push Code to Production with Known Vulnerabilities
Source: Enterprise Strategy Group, a division of TechTarget, Inc.
Compounding this internal vulnerability, decentralized cloud-native architectures mean the attack surfaces are increasing. In addition, changes in the computing landscape have raised the risk of catastrophic security breaches. Attackers are targeting the misconfiguration of cloud infrastructure (network, compute, storage, identities, and permissions), APIs, and the software supply chain itself. Enterprise Strategy Group research shows 97% of organizations said they had experienced a cybersecurity incident related to internally developed cloud-native applications in the previous 12 months (see Figure 4).5
Figure 4. Types of Cybersecurity Incidents Related to Internally Developed Cloud-native Applications in the Previous 12 Months
Attacks that resulted in the loss of data due to the insecure use of APIs
Exploit(s) that took advantage of known vulnerabilities in internally developed code
Compromised services account credentials
Exploit(s) that took advantage of known vulnerabilities in open source software
Exploit of a misconfigured cloud service
Secrets stolen from a source code repository
“Zero day” exploit(s) that took advantage of new and previously unknown vulnerabilities in open source software
“Zero day” exploit(s) that took advantage of new and previously unknown vulnerabilities in internally developed code
Compromised privileged user credentials
We haven’t experienced one of these incidents in the last 12 months
Source: Enterprise Strategy Group, a division of TechTarget, Inc.
Security is often viewed as an obstacle by developers, so it is critical to prioritize identified risks and provide sufficient context for the developer to remediate them. CNAPP offerings bring together multiple security and protection capabilities into a single platform focused on identifying and prioritizing excessive risk of the entire cloud-native application and its associated infrastructure. As developers become increasingly responsible for operational tasks, such as addressing vulnerabilities, deploying infrastructure-as-code, and managing lifecycle implementations in production, they require tools that address this expanded scope.
In the same way that Kubernetes open source software needs to be considered as a source of vulnerability, developer-ready infrastructure, such as serverless functions, databases, and containers, needs to be considered a source of vulnerability, as well.
A CNAPP enables a streamlined approach to security and compliance testing. By integrating testing transparently into modern DevOps (to DevSecOps), developers are able to balance security and speed in a way that doesn’t unnecessarily slow down innovation, freeing developers to innovate at their desired speed with little or no friction from security unless a critical risk issue is identified. With faster testing speed comes reduced developer cost and faster speed to market.
Using a CNAPP supports a DevSecOps CI/CD pipeline by providing insights throughout the development cycle and learning from the production environment. Because risk analysis is integrated throughout cloud-native development, teams can improve not only their application’s overall security posture but that of the larger team and enterprise. As lines between environments and teams blur further, a CNAPP provides an end-to-end cloud-native solution that seamlessly addresses security concerns in one source of truth and transforms an organization’s IT team into a more cost-effective, efficient engine.
A CNAPP should provide the following benefits:
A CNAPP should work across all applications, microservices, APIs, and cloud resources deployed and provide the needed level of artifact and exposure scanning. It should provide a single dashboard that spans all public cloud service providers. The platform should also prioritize mitigation, reporting on the automated steps available, as well as the actions that should be handled manually.
A cloud-native application protection platform enables threat and vulnerability detection earlier in the software development lifecycle. This allows for actions to be taken earlier in the development engineering process. Alerts and data visualizations should be easy to set up and change and should trigger automated and/or manual mitigation activities.
A CNAPP should easily detect and manage vulnerabilities and security misconfigurations but also carry out runtime protection, network-based behavioral monitoring, automated compliance and governance over data, identity-based controls, and configurations.
The implementation of a cloud-native application protection platform allows organizations to address development, runtime, and compliance issues as a continuum across development and operations. Additionally, it brings together insights from a wide range of data sources, visualizing those risks that should be prioritized for development, operations, and security teams. Panoptica is a leading-edge CNAPP that makes it easy to secure containers. It integrates Panoptica’s core security capabilities from each stage of the software development lifecycle in unique, gateway will permit based on specific app components. In addition, Panoptica lets risky APIs that don’t adhere to specifications be disabled.
Panoptica benefits include:
Cisco Panoptica offers unique features and value to protect today’s expanded and complex application architectures. The decision to move to a “shift left” mentality with DevSecOps and modern data security focuses on protecting applications that run on containers, workloads, and microservices, which are foundational to cloud-native development. CNAPPs identify security issues and vulnerabilities earlier in the development cycle, accelerate their remediation, and offer consistent and continuous security and compliance monitoring.