Addressing the Need for Integrated Cloud Native Security with CNAPP

Cloud native application development has matured to the point where certain assumptions can be taken more or less as facts. One early realization was that cloud environments are inherently diverse, disparate and distributed. For the professionals responsible for managing these dynamic, complex environments, a natural response was to turn around and impose consistency and uniformity. The logic is that managing risk in these environments would be made more difficult when coordinating a large set of point products suited to a specific set of requirements.

This line of reasoning is why forward-thinking members of the security community—including those of us at Prisma Cloud—have been focused on integrated cloud native security platforms since the beginning. With the recent introduction of the Cloud Native Application Protection Platform (CNAPP) category from Gartner, this trend is finally becoming the mainstream approach.

Cloud Native Application Protection Platforms (CNAPP) combine functionality for Cloud Security Posture Management (CSPM), Cloud Workload Protection (CWP), Cloud Infrastructure Entitlement Management (CIEM), and CI/CD security into a single, seamless solution to secure the full cloud native application lifecycle. These integrated capabilities allow DevOps, cloud infrastructure, and security teams to effectively and efficiently achieve successful cloud security outcomes amid the complex, shifting cloud environments.

Why Do You Need a Platform Like CNAPP?

The problem we have seen at many organizations is that responses to cloud native security have been reactive, rather than proactive—they are often forced to deal with issues as one-off problems, rather than addressing cloud security more holistically. They have adopted individual solutions or tools for each issue that comes up, and end up with a patchwork approach that introduces even more problems, like:

• Point solutions create more work: Managing a growing stack of tools eventually becomes its own workstream. And because most solutions don't communicate with each other without yet more work, teams get limited visibility and protection.
• You can't apply consistent protections: Dozens of security tools can perform a check at single points in the application lifecycle. But without consistent controls across development, deployment and runtime, security and risk teams are stuck comparing disparate vulnerability and misconfiguration findings.
• Separation creates blind spots: Most cloud security teams need to analyze threats across cloud services, workloads or applications, networks, data, and permissions. Without a single tool, blind spots emerge in the gaps between solutions.

For all these reasons, integrated cloud native security platforms like CNAPPs offer a number of clear benefits.

Distributed Problems Need Integrated Solutions

One of the primary drivers for a comprehensive, integrated security platform is that cloud security requires multiple teams to navigate a difficult combination of both granular and overlapping duties across functional areas:

Infrastructure

Teams need to understand where their responsibilities begin and end regarding the shared responsibility model—data consistently shows that organizations tend to overestimate the protections and alerts that their CSP will provide on their behalf. In addition, there are overlapping needs from networking, storage, and compute instances for CSPM, but each of those environments also need controls for access and permissions that stem from CIEM (highlighted just below).

Workloads and Applications

Similarly, the workloads and applications on that infrastructure require vulnerability management, compliance monitoring, policy enforcement, and runtime protection. These are traditionally areas where either security teams or DevOps teams are expected to ensure protections are in place. However, those tools must be integrated with the data coming from CI/CD pipelines and extending into runtime for web applications and APIs.

Data Security

Every team in the organization has data somewhere, much of it stored across cloud storage accounts. Data owners and security teams both share responsibility for securing this data, and need to be able to scan it, and understand where sensitive data resides, if there is inappropriate public exposure, and whether there is malware present.

Networks

These applications require a network that delivers reliable and safe connectivity. Securing network communications requires least-privilege access for workloads accessing other workloads and inline threat prevention.

Identity and Permissions

Underlying all of these areas, entitlements and permissions for cloud infrastructure and services must balance the need for distributed access with risk management to ensure there aren't excessive or outdated permissions that undermine all of your other efforts.

Coding and Development

Developers and DevOps teams are responsible for delivering high-quality code, which in most cases also means secure code. But it's up to security teams to provide the insights that DevOps needs to create secure code. Injecting security guardrails as early as possible requires cohesive tools that can cross the entire application lifecycle.

Each team needs to work closely to ensure these protections are consistently enforced, and CNAPPs are the integrated tools that help break down the silos that currently separate them.

Prisma Cloud Has Always Been a Platform

However, we also know from working with customers that most of today's teams are not integrated like this yet—enterprise teams reflect the needs of yesterday's problems. We understand that different teams often have their own objectives, but organizations still need comprehensive security.

So while Prisma Cloud combines code security, workload protections, security posture management, network security, and identity security in a single, unified platform, we also provide unmatched flexibility to deploy protections that fit your specific needs, no matter your tech stack, cloud provider, or cloud maturity level.

Our extensible platform is built around APIs, which lets you configure custom integrations for your cloud security needs. It ingests cloud data from flow logs, configuration logs, and audit logs over an encrypted connection to provide more granular telemetry and maintain historical context for incident investigation and forensics. Teams can then use the console or APIs to interact with this data to configure policies, investigate and resolve alerts, set up external integrations and forward alert notifications.

While other solutions might only cover a few hundred cloud services or only work for a few of the larger public cloud providers, Prisma Cloud provides granular coverage for nearly 1,000 distinct services, across major providers including AWS, Azure, Google Cloud, Oracle Cloud Infrastructure, and Alibaba Cloud. In addition, we protect a wide range of environments including Docker and Kubernetes, Red Hat OpenShift, VMWare Tanzu and more.

And when it comes to workload protection across those environments, Prisma Cloud is the only solution that offers both agentless scanning and agent-based protection within the same console. As a platform must be comprehensive, it's important that actual CNAPPs provide both visibility and proactive protections. Several platforms on the market provide quick visibility but offer nothing when it comes time to operationalize protection.

Exploring Security Platforms in Depth

You can learn more about the industry trends that highlight the needs for CNAPPs by downloading the 2021 Gartner® Innovation Insight for Cloud-Native Application Protection Platforms.

For an in-depth exploration of the ways Prisma Cloud helps enterprises secure better outcomes in their cloud security, you can request a free trial.