Share
IN-DEPTH TECH
6 min read
Share
“Breaking down silos” is a common phrase in the world of DevOps and DevSecOps.
Ironically, though, if you look at how many DevOps and DevSecOps cloud native security tools actually work, you realize that the tools are very siloed. In other words, they serve only a single function. This is inefficient for engineers, and it increases the security risks that companies face. That’s why we need a new approach to cloud native security – one rooted in a Cloud Native Application Protection Platform, or CNAPP, approach, instead of siloed, compartmentalized tools.
Let’s weigh the concepts of CNAPP vs CSPMS to better understand why now is the time to embrace CNAPP for cloud native security. But first, let’s explore their definitions.
The key difference between CNAPP vs. CSPM is coverage. CSPM focuses on one aspect of cloud security while a CNAPP provides end-to-end cloud native security.
A CNAPP, or a cloud-native application protection platform, is designed to thrive in cloud-native environments. CNAPPs consolidate tooling and security platforms and provide visibility across multi-cloud environments in a way legacy tools cannot.
A CSPM monitors, identifies, and alerts to compliance risks and misconfigurations in cloud environments. It is one piece of the cloud security puzzle.
To put it simply, CNAPPs gather together formerly disconnected tools, including CSPMs, into one solution for code-to-cloud security coverage.
The problem facing DevOps and DevSecOps teams today isn’t that they don’t have good cloud native tools. It’s that their tools are segmented. Many teams use completely siloed tools to address different types of risks. They might use a Cloud Security Posture Management (CSPM) solution to detect risks in their cloud workload configurations, for example. They then use a different tool for Cloud Infrastructure Entitlements Management (CIEM), which addresses access control risks. A third category of tool – Cloud Workload Protection Platform (CWPP) – is required to secure cloud applications and data. And if you use containers or Kubernetes, you probably rely on separate Kubernetes Security Posture Management (KSPM) tools to secure that layer of your stack. All this adds complexity and increases the risk of security and integration issues.
Each of these tools has to be set up and managed separately. You also have to correlate their reports manually because the tools lack efficient ways of integrating their findings or interpreting how risks at one layer of your stack (like your cloud configuration), may relate to threats at another layer (like within cloud workloads). The fact that many tools are “agent-based” and require a tedious deployment process contributes, only further, to inefficiency. By extension, the siloed nature of cloud native security makes it easy to overlook threats, leading to a weaker overall security posture.
To understand why the siloed nature of cloud native security tools is so risky, consider the example of securing a relatively simple type of resource – a virtual machine hosted in a public cloud that has access to a sensitive service.
A vulnerable VM that has access to a sensitive service could lead to various forms of ransomware attacks, as well as allowing hackers to gain code execution on the host. To secure this VM using traditional tools, you’d need at least two different types of tools. One would be a CSPM scanner, which would validate the configuration of your cloud VM instance firewall (or security group). The second would be a CWPP solution, which would look for internal risks within the VM itself, such as an access credential user/password within a script used by app VM/Instance (potentially enabling access to a sensitive service).
Not only is it more work to deploy both types of tools for your VM, but this approach also leaves you at a higher risk of missing a security issue. Your team might assume that the VM is secure because it has passed CSPM checks, for example, when in fact a vulnerability exists within the workload layer. Matters can become even more complicated when you are dealing with more complex types of workloads – such as containerized applications running in a managed Kubernetes service on a public cloud. In that context, you have to deal with things like multiple layers of access rules – the ones you configure in your cloud’s IAM service, and those you set up via Kubernetes RBAC. This makes it even harder to ensure you don’t miss anything when scanning for risks.
These problems are why modern teams need a Cloud Native Application Protection Platform (CNAPP).
Let’s briefly review what a CNAPP is. According to the Gartner Innovation Insight Report, CNAPP is “an integrated set of security and compliance capabilities designed to help secure and protect cloud native applications across development and production” Even if you have multiple sources of compromise to protect against, a CNAPP lets you evaluate and respond to those sources comprehensively. Your team doesn’t have to deal with the inefficiency of juggling multiple tools, or worry about oversights that could leave workloads vulnerable.
It’s worth noting that the CNAPP tool market is still very young compared to the ecosystems surrounding better-established tool categories, like CSPM. But as CNAPP tools mature, selecting the right one is poised to become a hot topic for CISOs in the near future.
Gartner believes that by 2025, more than 95 percent of workloads will be cloud native, compared with just 30 percent in 2021. That means that organizations today have a very important choice to make. As they migrate more and more workloads to a cloud native environment, will they stick with siloed, inefficient security tools that leave them prone to oversights and risks? Or will they streamline their approach using CNAPP, which provides a much more efficient and reliable means of mitigating cloud native security threats?
The choice is clear. It’s just a matter of finding the right CNAPP tool and integrating it into your environment. Read about Outshift, formerly Cisco’s ET&I, to learn more about cloud native security, and how that future is being formed.
And don’t forget to follow us on Twitter and LinkedIn to stay up to date with the latest developments!
Get emerging insights on innovative technology straight to your inbox.
Outshift is leading the way in building an open, interoperable, agent-first, quantum-safe infrastructure for the future of artificial intelligence.
* No email required
The Shift is Outshift’s exclusive newsletter.
Get the latest news and updates on agentic AI, quantum, next-gen infra, and other groundbreaking innovations shaping the future of technology straight to your inbox.
