Cloud Security Framework

Have a structure approach to securing the cloud.

In a nutshell, CNAPP is an evolving product capability for the following:

• Cloud Security Posture Management (CSPM) - monitor the cloud provider APIs and make sure the controls you think are there actually covers all your accounts/subscriptions and are working effectively. Also automatically remediate things not done via code e.g. CLI or GUI, unexpected pipelines.

• Infrastructure as Code (IaC) scanning - preventative controls to stop insecure things being deployed via code.

• Run time protection - protect your compute workloads e.g. servers, containers, serverless functions from changing after deployment, in memory attacks etc.

• Software Composition Analysis (SCA) - scan your libraries, dependencies and binaries for vulnerabilities.

• Cloud Identity and Access analysis - aggregate your permissions in cloud regardless of how they are granted and analyse them for excessive permissions and whether they match what is actually used and approved e.g. in AWS:

  • IAM

  • Bucket permissions

  • S3 permissions

  • Are they accessible on the network?

• Continuous Integration / Continuous Deployment (CI/CD) pipeline health: evaluate your pipelines for cyber security risks.