What Are Cloud-Native Application Protection Platforms (CNAPP)?

A CNAPP is an end-to-end cloud-native security solution. It provides a central control plane that unifies all security capabilities to protect cloud environments, making your security cloud native.

Secure cloud workloads and configurations using a single control plane
CNAPPs centralize the capabilities offered by cloud security posture management (CSPM) products and cloud workload protection platforms (CWPPs), providing centralized access to both workload and configuration security capabilities.

Leverage cloud-native security capabilities
A CNAPP provides multiple security capabilities via a single control plane. Notable capabilities include automation, identity-entitlement management, orchestration security, and API identification and protection. These capabilities are especially useful for securing Kubernetes workloads.

In this article:

• The Need for CNAPP
• CNAPP Benefits
• What Is The Difference Between CASB, CWPP, CSPM, and CNAPP?
  • CASB (Cloud Security Access Broker)
  • CWPP (Cloud Workload Protection Platform)
  • CSPM (Cloud Security Posture Management)
  • CNAPP (Cloud-Native Application Protection Platform)
• CNAPP with Calico

The Need for CNAPP

The term CNAPP consists of two elements that explain its importance:

• Cloud native – Cloud environments introduce a variety of new security challenges. These environments are dynamic and transient, often involving unique and unpredictable interactions. Traditional agent-based security approaches are insufficient for protecting these temporary, containerized, and serverless environments.
• Application protection – While cloud security tools typically focus on helping security teams understand and manage cloud infrastructure, security tools today also need to secure cloud applications.

Organizations should approach security holistically, considering cloud-application security in addition to the underlying infrastructure. There are many ways applications can be exposed to risk in the cloud, including unintentional public internet exposure and excessively permissive access rights.

Organizations should prioritize major risks and focus on mitigating these. Individual point solutions typically have a narrow focus and struggle to correlate signals between different parts of a cloud environment. Therefore, they generate a large number of low-priority alerts, leading to alert fatigue. A CNAPP can monitor and enforce security across an entire cloud application profile, giving organizations visibility into security issues that have real business impact.

Related content: Read our guide to cloud native architecture

CNAPP Benefits

Here are three benefits of CNAPP:

1. Cloud-native security
Cloud native has several aspects: securing cloud-native infrastructure, securing cloud platforms, and continuous security for cloud applications. Cloud-native security is necessary because modern organizations using cloud-native workloads cannot rely on conventional security solutions. These traditional solutions are for networks with clearly-defined parameters.

CNAPP is built with modern cloud-native infrastructure in mind, encompassing containers and serverless security. CNAPP integrates with CI/CD pipelines and offers protection across private and public clouds and on-premises.

2. Improved visibility
There are many cloud-native monitoring and scanning tools available for cloud-based workloads. However, CNAPP stands out because it can contextualize information. It also provides end-to-end visibility across an organization’s application infrastructure.

A CNAPP solution provides granular details and end-to-end visibility on technology stacks, identities, and configurations. These capabilities can allow organizations to prioritize alerts that present the most risk.

3. Tighter controls
A common risk to enterprise applications is the misconfiguration of secrets, containers, cloud workloads, or Kubernetes clusters. Organizations can enable CNAPP platforms to proactively detect, scan, and readily remediate compliance and security risks caused by misconfigurations.

What Is The Difference Between CASB, CWPP, CSPM, and CNAPP?

CASB (Cloud Access Security Broker)

A Cloud Access Security Broker (CASB) is, in essence, a firewall for cloud services. CASB offers a security policy enforcement gateway. This gateway ensures users’ actions are authorized and meet organizational security policy requirements.

Here are key attributes of a CASB:

• Identifies all cloud services – Finds all cloud services in use within an organization. Such services include unmanaged or unapproved PaaS and SaaS products, sometimes known as shadow IT.
• Enables cloud usage reporting and logging – Provides cloud usage event monitoring and tracking. It assesses the risk presented by shadow IT, eliciting alerts when needed.
• Provides reporting and auditing tools – Ensures regulatory compliance by enabling user authorization and authentication, message filtering, and policy enforcement.
• Offers threat protection – Protects cloud services, providing access to authorized applications and users only.
• Provides data security – This is achieved through policy-based encryption. It also monitors data access and enforces data-centric security policies via granular access controls.

CWPP (Cloud Workload Protection Platform)

Gartner defines a Cloud Workload Protection Platform (CWPP) as a workload-centric security solution. In other words, CWPP offers security protection for all workload types—virtual machines (VMs), physical servers, serverless workloads, and containers. This tool delivers a single view across cloud and on-premises environments.

Here are eight levels of controls offered by CWPP, as defined by Gartner:

• Configuration, hardening, and vulnerability management, which includes scanning for vulnerabilities before software reaches production.
• Network firewalling, microsegmentation, and visibility.
• System integrity guarantees.
• Allowlisting and application control.
• Memory protection and explicit prevention.
• Behavioral monitoring, server workload endpoint detection and response (EDR), and threat identification and response.
• Host-based intrusion prevention systems (IPS) plus vulnerability shielding.
• Anti-malware scan capabilities.

CWPP solutions discover vulnerabilities early on in the CI/CD process. They isolate exploits and active threats more readily, offering more investigative capability and greater context for incident responses. They can map observed activity to the MITRE ATT&CK framework, providing additional context and helping investigators and analysts understand incident severity.

Related content: Read our guide to CWPP

CSPM (Cloud Security Posture Management)

While CWPP secures workloads from the inside, Cloud Security Posture Management (CSPM) secures workloads from the outside. It achieves this by evaluating compliant and secure configurations of the cloud platform’s control plane.

Here are key attributes of a CSPM:

• Offers tools that support integration with DevOps processes, compliance monitoring, risk assessment, incident response, and risk visualization.
• Identifies excessive or unknown risk across the entire cloud estate of the organization, including cloud services for storage, compute, access, identity, and more.
• Provides security operations center investigations, configuration drift prevention, and continuous compliance monitoring.
• Monitors the cloud environment looking for compliance and security violations, and offers automated measures to remediate them.
• Identifies new risks to the environment, protects against breaches, and creates uniform cloud configurations.

Organizations must devise policies to define the required state or configuration for the cloud infrastructure. They can use a CSPM product to manage such policies, identifying and attending to configuration issues affecting their cloud environments.

CNAPP (Cloud-Native Application Protection Platform)

The Cloud-Native Application Protection Platform (CNAPP) combines the capabilities of CASB, CSPM, and CWPP. CNAPP scans configurations and workloads in development and secures them at runtime.

By combining these solutions into one platform, CNAPP can:

• Provide unified visibility for DevOps and SecOps teams.
• Offer a series of capabilities to react to threats and protect cloud-native applications.
• Provide automation of misconfiguration and vulnerability management.
• Identify and prioritize data, infrastructure, and workloads across networks, endpoints, and the cloud according to risk.
• Prevent configuration drift.
• Perform vulnerability assessment across containers, serverless environments, and VMs.

CNAPP with Calico

Calico Cloud is the industry’s only SaaS for active security for cloud-native applications running on containers, Kubernetes, and cloud. It enables organizations to prevent attacks using zero trust, and to detect, troubleshoot, and automatically remediate exposure risks from security issues in build, deploy, and runtime stages across multi-cloud and hybrid deployments.

Calico Cloud offers unique features for the following use cases:

• Zero-trust workload security – Zero-trust workload access controls; identity-aware microsegmentation for workloads; workload-based IDS/IPS, DDoS, DPI, and WAF; firewall and SIEM integration; Envoy-based application-level security
• Container security – Image assurance, runtime threat defense, configuration security
• Compliance – Data-in-transit encryption; evidence and audit reports; PCI DSS, SOC 2, HIPAA, GDPR, FIPS, and custom frameworks
• Full-stack observability powered by eBPF – Dynamic Service and Threat Graph, Dynamic Packet Capture, application-level observability, DNS Dashboard

Next Steps:

• Learn more about Calico’s zero-trust workload security
• Discover Calico’s features for container security
• Read about Calico’s full-stack observability powered by eBPF
• Blog: Why cloud native requires a holistic approach to security and observability