Security

What in the World Is a CNAPP (and Do I Need One)?

You’ve heard your CISO talking about CNAPPs (along with CSPM, CWPP, and so on). What is a CNAPP, and what does it mean to you as a security engineer?

800x418 blog feature images (9)

A cloud-native application protection platform (CNAPP) is a unified solution for cloud infrastructure security that spans development and production. CNAPPs like Mondoo integrate protections that, until now, required many siloed tools. They provide one centralized resource for hardening your cloud, and weave security into the full development lifecycle.

Let’s explore the components and capabilities that comprise a CNAPP, and why they’re such a hot topic in infrastructure security.

The complexity of cloud security

How attackers compromise your cloud

Patchwork security

CNAPP: full-stack security

Infrastructure as code (IaC) scanning

Container scanning

Cloud workload protection platforms (CWPPs)

Cloud infrastructure entitlement management (CIEM)

Cloud security posture management (CSPM)

One platform, one engine

The complexity of cloud security

While the shift from physical servers to the cloud has revolutionized information technology, it has also turned infrastructure security into a complex tangle. Security engineers aren’t fooled by the breezy simplicity of the term cloud. The more you know about cloud technology, the better you see its trials and intricacies—and its security challenges.

an image of a cloud that’s partly revealing the complexity inside it

Just as the cloud isn’t one operating system, service, or application, cloud security isn’t one problem to solve; it’s many. Consider all the technologies that comprise your cloud infrastructure:

  • Servers
  • Operating systems
  • Containers
  • Data storage
  • Networking
  • Virtualization software
  • Services
  • Middleware
  • Management tools  

Each of these dozens, hundreds, or thousands of components carries its own potential security risks. It can be an enormous undertaking to ensure that they all comply with your industry’s and organization’s security standards. And because all the components are interconnected, a vulnerability in just one can place them all in the hands of cybercriminals.

How attackers compromise your cloud

Most IT security teams have invested some resources into cloud security. Too many tend to focus on fortifying only one or two components, such as endpoint detection and response. There’s an adage that’s relevant here: “It doesn’t matter how strong your door is if you leave a window open.” You must fortify all potential gateways. Even if you leave just one open, attackers use it to breach your infrastructure.

Mondoo CISO Patrick Münch demonstrates this truth in a short video on hacking Kubernetes.

Patrick exploits a vulnerable web application and, because of an unpatched vulnerability, gains root privileges. One misconfiguration within the Kubernetes cluster allows him to perform a container escape and compromise the entire cluster.

In the system Patrick hacked, there might have been strong cloud security management and asset management in place, but neither would have prevented him from penetrating the infrastructure. To be safe from an attacker like Patrick, every aspect must be secure.

Patchwork security

an image of patchwork

Some IT organizations are already wise to this challenge. They see that one gap is all an attacker needs to wreak havoc on their cloud infrastructure. The typical response is a patchwork approach to cloud security—using multiple, disconnected products and services to safeguard different cloud components. In an August 2021 report, Innovation Insight for Cloud-Native Application Protection Platforms (paywall), Gartner describes the status quo:

Organizations have manually stitched together DevSecOps with 10 or more disparate security tools — some new and some old — each with siloed responsibilities …

The problems with using many cloud security tools include:

  • Without a holistic solution, there are likely gaps that none of the different tools fill.
  • Each tool requires its own upkeep and attention.
  • They all present findings in different ways, which makes the overall data difficult to consume and nearly impossible to prioritize. This can mean missing important vulnerabilities.

Disparate cloud security tools consume time and resources, and can leave your cloud infrastructure open to attack.

Find and fix the security risks that pose the biggest threat to your business.

CNAPP: full-stack security

With a CNAPP, there’s no patchwork of cloud security tools. A single platform provides complete end-to-end security for cloud native environments. At Mondoo, we call this full-stack security. According to Gartner, a CNAPP spans all of these solutions:

  • Infrastructure as code (IaC) scanning
  • Container scanning
  • Cloud workload protection platforms (CWPPs)
  • Cloud infrastructure entitlement management (CIEM)
  • Cloud security posture management (CSPM)

That’s a powerful platform and, for some, a confusing collection of abbreviations. Let’s investigate what each one means, using Mondoo as a sample CNAPP.

Infrastructure as code (IaC) scanning

Infrastructure as code tools like Terraform and Packer configure and automate the provisioning of cloud systems. IaC scanning reviews your IaC config files to find vulnerabilities and misconfigurations. This means you find the security problems before you deploy.

IaC scanning is an integral part of the shift left security trend in DevSecOps. This practice enforces cloud security earlier in the development lifecycle to minimize risk and maintain cloud compliance.

Mondoo is an example of a CNAPP that includes IaC scanning. It analyzes Kubernetes manifests, Terraform code, and Docker images.

mondoo-cicd-gitlab-result-junit

Mondoo even integrates with your existing developer software development workflows with minimal friction. You can make Mondoo IaC scanning a part of your CI/CD automation with any of these tools:

  • Azure Pipelines
  • GitHub Actions
  • GitLab
  • CircleCI
  • Jenkins

Mondoo comes stocked with an ever-increasing collection of codified policies for all of your business-critical infrastructure. With policy as code, teams using Mondoo can automate enforcement of security guidelines. This practice reduces security incidents in production and gives you more time to focus on innovation.

Container scanning

Container scans systematically review cloud containers and their components to reveal potential security threats. They’re an important tool for IT teams to secure their containerized cloud environments.

k8s-vulnerabilities

Mondoo scans your running containers, container images, and container registries to discover common misconfigurations and CVEs that are easy to fix. It helps you avoid blind spots and close holes for which vendors have supplied fixes.

cve

Cloud workload protection platforms (CWPPs)

CWPPs are workload-centric security tools that protect server workloads (like IaaS, SaaS, and PaaS) in hybrid and multicloud data center environments. They give you visibility and control over physical machines, VMs, containers, and serverless workloads.

k8s-overall-score

For example, Mondoo reveals vulnerabilities in your server workloads and provides quick solutions for repairing them. It keeps track of your entire inventory of cloud workload assets:

  • Servers
  • Hypervisors
  • VMs
  • Containers
  • Endpoints

Cloud infrastructure entitlement management (CIEM)

CIEMs manage cloud access risk through administration-time controls over entitlements in hybrid and multicloud infrastructure as a service (IaaS). They help enterprises manage entitlements across all of their cloud infrastructure resources. Your CIEM alerts you when your cloud resources have careless and over permissive access.

AWS-IAM-queries

Many of Mondoo’s out-of-the-box security policies focus entirely on entitlement and access management. They enforce industry best practices across operating systems, containers, and more. You can pick and choose the details of each Mondoo entitlement policy you apply to the different elements in your infrastructure. You can also define your own entitlement policies to tailor to the specific needs of your organization.

Cloud security posture management (CSPM)

CSPMs identify misconfiguration issues and compliance risks in your cloud. They continuously monitor cloud infrastructure for gaps in security policy enforcement.

For example, if your company maintains SOC 2 standards, you can use a CSPM to assess your infrastructure’s adherence to those standards.

As another example, your organization’s security policy may include specific guidelines for different cloud infrastructure assets to thwart cyberattacks. The CSPM features in a CNAPP monitor all of your infrastructure for compliance with those guidelines.

overview-with-3-policy-scores

Mondoo comes with over 100 out-of-the box policies ready for you to choose from. Many are certified by the Center for Internet Security (CIS), while others are based on deep industry knowledge and best practices. Mondoo’s built-in policies are the results of years of security research and penetration testing.

Luna-policy-hub

Organizations with unique needs can write new policies to meet their own special requirements. Mondoo’s powerful query language finds every answer you need.

Mondoo continuously assesses your infrastructure’s compliance and helps you prioritize changes. Preparing for audits seems like business-as-usual. Furthermore, audits themselves don’t need to be full of unpleasant surprises. Long before a compliance audit, you’re well aware of how your system will stand up to inspection, and you’ve had time to improve.

One platform, one engine

A CNAPP is truly a Swiss army knife of infrastructure security, combining so many solutions in one. And it’s important to ensure that all the solutions are truly unified.

Some cloud security solution providers buy and/or build a handful of separate tools, combine them under an umbrella platform name, and claim the result is a CNAPP. They’re trying to sell you a Swiss army knife, but your gut tells you it's just some tools stuck together with duct tape. These mash-ups don’t run on the same engine or have unified data output. As a result, they can present the same disadvantages as slapping together your own patchwork: security gaps and an overwhelming amount of overlapping and unprioritized data.

A genuine CNAPP like Mondoo is designed from the start to fulfill all of the security compliance needs of a cloud infrastructure. At Mondoo, we first built our powerful engine and query language, which can explore and reveal aspects of even the most complex systems. Then we began building security-specific problem-solving capabilities upon that base. The result is a single engine running a highly effective and fully unified CNAPP.

Letha Dunn

Letha has been writing about technology for more than thirty years. During the past decade, she’s focused on educating engineers about identity and access management, security, CI/CD, and project velocity. Letha lives in the Pacific Northwest, where she rescues and rehabilitates abused and neglected horses and dogs.

You might also like

Overview of Changes and New Security Features in Windows Server 2025
Releases
Mondoo October 2024 Release Highlights
Releases
Mondoo September 2024 Release Highlights