A CNAPP is an end-to-end cloud-native security solution. It provides a central control plane that unifies all security capabilities to protect cloud environments, making your security cloud native.
Secure cloud workloads and configurations using a single control plane
CNAPPs centralize the capabilities offered by cloud security posture management (CSPM) products and cloud workload protection platforms (CWPPs), providing centralized access to both workload and configuration security capabilities.
Leverage cloud-native security capabilities
A CNAPP provides multiple security capabilities via a single control plane. Notable capabilities include automation, identity-entitlement management, orchestration security, and API identification and protection. These capabilities are especially useful for securing Kubernetes workloads.
In this article:
The term CNAPP consists of two elements that explain its importance:
Organizations should approach security holistically, considering cloud-application security in addition to the underlying infrastructure. There are many ways applications can be exposed to risk in the cloud, including unintentional public internet exposure and excessively permissive access rights.
Organizations should prioritize major risks and focus on mitigating these. Individual point solutions typically have a narrow focus and struggle to correlate signals between different parts of a cloud environment. Therefore, they generate a large number of low-priority alerts, leading to alert fatigue. A CNAPP can monitor and enforce security across an entire cloud application profile, giving organizations visibility into security issues that have real business impact.
Related content: Read our guide to cloud native architecture
Here are three benefits of CNAPP:
1. Cloud-native security
Cloud native has several aspects: securing cloud-native infrastructure, securing cloud platforms, and continuous security for cloud applications. Cloud-native security is necessary because modern organizations using cloud-native workloads cannot rely on conventional security solutions. These traditional solutions are for networks with clearly-defined parameters.
CNAPP is built with modern cloud-native infrastructure in mind, encompassing containers and serverless security. CNAPP integrates with CI/CD pipelines and offers protection across private and public clouds and on-premises.
2. Improved visibility
There are many cloud-native monitoring and scanning tools available for cloud-based workloads. However, CNAPP stands out because it can contextualize information. It also provides end-to-end visibility across an organization’s application infrastructure.
A CNAPP solution provides granular details and end-to-end visibility on technology stacks, identities, and configurations. These capabilities can allow organizations to prioritize alerts that present the most risk.
3. Tighter controls
A common risk to enterprise applications is the misconfiguration of secrets, containers, cloud workloads, or Kubernetes clusters. Organizations can enable CNAPP platforms to proactively detect, scan, and readily remediate compliance and security risks caused by misconfigurations.
A Cloud Access Security Broker (CASB) is, in essence, a firewall for cloud services. CASB offers a security policy enforcement gateway. This gateway ensures users’ actions are authorized and meet organizational security policy requirements.
Here are key attributes of a CASB:
Gartner defines a Cloud Workload Protection Platform (CWPP) as a workload-centric security solution. In other words, CWPP offers security protection for all workload types—virtual machines (VMs), physical servers, serverless workloads, and containers. This tool delivers a single view across cloud and on-premises environments.
Here are eight levels of controls offered by CWPP, as defined by Gartner:
CWPP solutions discover vulnerabilities early on in the CI/CD process. They isolate exploits and active threats more readily, offering more investigative capability and greater context for incident responses. They can map observed activity to the MITRE ATT&CK framework, providing additional context and helping investigators and analysts understand incident severity.
Related content: Read our guide to CWPP
While CWPP secures workloads from the inside, Cloud Security Posture Management (CSPM) secures workloads from the outside. It achieves this by evaluating compliant and secure configurations of the cloud platform’s control plane.
Here are key attributes of a CSPM:
Organizations must devise policies to define the required state or configuration for the cloud infrastructure. They can use a CSPM product to manage such policies, identifying and attending to configuration issues affecting their cloud environments.
The Cloud-Native Application Protection Platform (CNAPP) combines the capabilities of CASB, CSPM, and CWPP. CNAPP scans configurations and workloads in development and secures them at runtime.
By combining these solutions into one platform, CNAPP can:
Calico Cloud is the industry’s only SaaS for active security for cloud-native applications running on containers, Kubernetes, and cloud. It enables organizations to prevent attacks using zero trust, and to detect, troubleshoot, and automatically remediate exposure risks from security issues in build, deploy, and runtime stages across multi-cloud and hybrid deployments.
Calico Cloud offers unique features for the following use cases:
Get updates on blog posts, workshops, certification programs, new releases, and more!