Choosing the best Cloud Native Application Protection Platform (CNAPP)
Find the best CNAPP capability for your company.
What is a Cloud Native Application Protection Platform (CNAPP)?
In a nutshell, CNAPP is an evolving product category that covers the following:
Cloud Security Posture Management (CSPM) - monitor the cloud provider APIs and make sure the controls you think are there actually cover all your accounts/subscriptions and are working effectively. Also automatically remediate changes not made via code, e.g. through the CLI or console, or by unexpected pipelines.
Infrastructure as Code (IaC) scanning - preventive controls that stop insecure configurations from being deployed via code.
Runtime protection - protect your compute workloads, e.g. servers, containers and serverless functions, from changing after deployment, from in-memory attacks, etc.
Software Composition Analysis (SCA) - scan your libraries, dependencies and binaries for vulnerabilities.
Cloud Identity and Access analysis - aggregate your permissions in the cloud regardless of how they are granted, and analyse them for excessive permissions and for whether they match what is actually used and approved, e.g. in AWS:
IAM
Bucket permissions
S3 permissions
Are they accessible on the network?
Continuous Integration / Continuous Deployment (CI/CD) pipeline health: evaluate your pipelines for cyber security risks.
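As an added example (not code from the post or from any CNAPP product), here is a toy version of the identity analysis described above: it aggregates what one role is allowed to do across constructed IAM policy documents, flags wildcard grants, and reports granted actions that never appear in constructed usage data standing in for what IAM Access Advisor or CloudTrail would supply. All policies, ARNs and usage data are made up.

```python
"""Toy CIEM-style review of AWS IAM grants (added example, not from the post).
Aggregates grants across policies, flags wildcards, and compares granted
actions against observed usage. Every value below is constructed."""
from fnmatch import fnmatchcase
from typing import Iterator, List, Set, Tuple

# Constructed policies attached to one role (an inline policy plus a managed one).
ROLE_POLICIES = [
    {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ]},
    {"Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ]},
]

# Constructed "last accessed" data: actions this role actually called in the review window.
OBSERVED_ACTIONS = {"s3:GetObject", "ec2:DescribeInstances"}

def _as_list(value) -> List[str]:
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def allow_statements(policies: List[dict]) -> Iterator[Tuple[str, str]]:
    """Yield (action, resource) pairs for every Allow statement, whatever policy granted it."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue  # Deny statements restrict; they are not grants to review
            for action in _as_list(stmt["Action"]):
                for resource in _as_list(stmt["Resource"]):
                    yield action, resource

def wildcard_grants(policies: List[dict]) -> List[Tuple[str, str]]:
    """Grants of a whole service ('iam:*') or of everything ('*'), with their resource."""
    return [(a, r) for a, r in allow_statements(policies) if a.endswith("*")]

def unused_grants(policies: List[dict], observed: Set[str]) -> Set[str]:
    """Granted action patterns that match nothing the principal actually used."""
    granted = {a for a, _ in allow_statements(policies)}
    return {a for a in granted if not any(fnmatchcase(o, a) for o in observed)}

if __name__ == "__main__":
    print("WILDCARD", wildcard_grants(ROLE_POLICIES))
    print("UNUSED  ", sorted(unused_grants(ROLE_POLICIES, OBSERVED_ACTIONS)))
```

In a real estate the inputs would come from the IAM, S3 and CloudTrail APIs across every account, which is exactly the aggregation step a CNAPP automates.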
I already have cloud native controls (e.g. AWS Config rules), so why do I need a CNAPP?
In 20 years of working in global Fortune 100 organizations, we have never seen cloud actually be secure.
Most organizations have:
Sprawling cloud use, e.g. the official platform is AWS, the innovation team is using GCP for “analytics”, and Azure came with M365 “SaaS”.
Started organically with little planning. Concepts such as organizations, as in AWS Control Tower, are not in use or were bolted on.
Brownfield estates are very hard to remediate.
Business still has to function.
Don’t be the next:
Optus - the risk of a developer leaving an unauthenticated, Internet-accessible API connected to production data.
Medibank - all your customer information, including sensitive medical details about operations, the lifelong illnesses of kids under 18, and whether women have had abortions, gets exfiltrated.
Colonial Pipeline - petrol and diesel shortages across the United States because your accounting system got hacked.
The threat landscape is obviously bad and getting worse. So are the fines.
Most of what cloud providers like Amazon offer is badged open source. It is not “enterprise grade”. Pay peanuts…
Choosing the best CNAPP for your company
If you haven’t read these, maybe do so now:
Cloud Security Framework
I’m the co-founder of Identity Revive. We can help you: Build a business case for Cyber Security. Understand your requirements and help you with securing all your cloud systems. Architect, design, deliver and run your cyber security controls in code so you are compliant with regulation and don't suffer from a cyber incident.
Automating Cloud Security
TL;DR: Native tools in all the major cloud providers (AWS, GCP and Azure) are not enough to protect your workloads and cost too much in resources to implement and maintain. If you run any sensitive infor…
Here is a global best practice set of functional and non-functional requirements for choosing a CNAPP that is right for you:
Baseline CNAPP functional and non-functional requirements Excel Link
These are a great starting point. Add, remove, change. Please read all the caveats here: https://rakkhi.substack.com/i/138401581/caveats-and-limitations