Feature
Cloud native application protection platforms aim to provide a complete cloud security solution, but some are more complete than others.
By David Strom
CSO |
Cloud security continues to be a vexing situation, and the tool set continues to become more complex, riddled with acronyms representing possible solutions. Now there’s another: the cloud native application protection platform, or CNAPP. This tool combines the coverage of four separate products:
- A cloud infrastructure entitlements manager (CIEM) that manages overall access controls and risk management tasks
- A cloud workload protection platform (CWPP) that secures code across all kinds of cloud-based repositories and provides runtime protection across the entire development environment and code pipelines
- A cloud access security broker (CASB) that handles authentication and encryption tasks
- A cloud security posturemanager (CSPM) that combines threat intelligence and remediation
IT and security managers are looking for a few basic elements from these products, including more accurate threat detection, support for all workloads across multiple cloud deployments, and ways to implement preventable controls.
That is a lot of software to manage, integrate, and understand. However, almost none of the products that claim to be CNAPP have a full set of features that incorporate all four of these categories. What follows is an overview of the landscape and advice on how to navigate amongst the contenders.
Two approaches to CNAPP
There are two ways to approach CNAPP: from the DevSecOps perspective or from traditional IT security practices. The former means more of a focus on protecting the apps themselves (the first two product categories mentioned above), the latter more on expanding traditional network-level protections (the last two product categories mentioned above).
The summary chart below notes which of these two directions each vendor is coming from, other notable and integration features, whether they offer a complete CNAPP solution, and what little information is available about their pricing strategy.
I interviewed the following vendors and summarized the results in the chart below:
- Aqua Security Platform
- Check Point CloudGuard
- CrowdStrike Cloud Security
- Data Theorem
- Lacework Polygraph
- NeuVector/SUSE
- Palo Alto Networks Prisma Cloud
- Sysdig
- Tenable Cloud Security
- Tigera Calico Cloud
- Uptycs
- Wiz
The following vendors did not respond to requests for information: jFrog, McAfee, Orca Security, Qualys, Snyk, and Trend Micro.
FoundryWhy CNAPP exists
The key to understanding this product category is all about integration challenges. VMware, in its latest State of Observability report, found that 57% of the respondents claimed up to 50 different technologies are used in a typical cloud app. Organizations typically use many different cloud providers, spreading their risk and moving beyond running their legacy applications across the big three PaaS providers (AWS, Google and Azure) and employing a mixture of private, public and hybrid cloud strategies. This includes various virtual machine instances, Kubernetes containers and using serverless and microservices too.
Organizations will need to control cloud-native application risks, identify weak areas, and remove vulnerabilities. Sysdig in its latest cloud-native security report found that found that 73% of cloud accounts contained exposed Amazon S3 buckets. Is it any mystery that more breaches haven’t happened because of this?
What is working against securing clouds is their success: They have become the de facto computing layer for businesses. “The evolution of cloud workloads and Linux servers into something ubiquitous yet increasingly vulnerable is driving the maturation of the CWPP market,” said Mitchell Hall of Morphisec in a blog post. Part of this maturation is that cloud workloads have many moving parts.
They are also in a state of flux. In Cisco’s latest Hybrid Cloud report, nearly 60% said they are moving workloads between on- and off-premises every week. Some of these apps are running on open-source code repositories and some use in-house code. That is a lot of different use cases to protect.
Speaking of which, Palo Alto Networks’ State of Cloud Native Security 2022 report found that 80% of organizations that primarily use open source security tools have weak or very weak security posture, while the number of enterprises that host more than half of their workloads in the cloud has doubled from 2020. A lot of this growth is coming from the serverless world.
What is motivating this product category can be traced to Gartner, which first used the CNAPP moniker when it issued its “Innovation Insight” report in August 2021. They said that, “Containers and serverless functions are the primary building blocks of cloud-native applications and are becoming increasingly granular with shorter life cycles.” This means that any protection needs to act quickly and unobtrusively. They also found a shift from protecting infrastructure to protecting cloud-based workloads, and the apps that run them. They found many of their corporate clients have stitched together – meaning with little to no automation – ten or more disparate security tools, including dynamic application security testing, web app firewalls, and the four cloud protection platforms mentioned at the start of this post. This one-off, crazy patchwork quilt approach isn’t working.
Ideally, a CNAPP solution should reduce misconfiguration errors, improve security of the development pipeline (commonly called shifting left), and use effective automation. To do that requires having all those acronyms firing on all cylinders. You want to be able to scan for various code elements and vulnerabilities, catch cloud configuration and application coding errors quickly (ideally, when the apps run) and still do the basic security blocking and tackling (like identity and network management). Orca says that “CNAPPs exhibit their real value by intelligently combining data points from different layers in the technology stack to highlight critical security issues instead of just sending thousands of meaningless disconnected alerts.”
Questions to ask when considering CNAPP
Before you try out any of the vendors’ products, think about these questions:
What cloud artifacts can you discover and then regularly scan? Some products (like Lacework) don’t go much beyond the big three IaaS players. Some (like Tigera) just support the Kubernetes services of the big three. Others (like Sysdig) take a deeper dive into containers and the various Linux servers that run them. The real issue is can you continuously monitor all of these artifacts in near real time?
Can you mix agents and agentless across the product’s main dashboard, reports and policies? How are incidents reported? Are there discrete access rules so that various staffers can focus on specific parts of the overall picture? Are there separate or combined pre-built security policies for collecting agent and agentless data? How actionable are your dashboards and its visualizations in showing you the current state of your overall cloud security?
Are all four management tools covered? Some of the vendors, such as Microsoft Defender for Cloud, have CWPP and CSPM elements and you will have to add other components to protect Kubernetes and non-Azure clouds. Tigera comes from the opposite direction, focusing more on containers and their infrastructure.
If you have been involved with infrastructure-as-code to manage your cloud deployments, what devops frameworks are supported (like Terraform, Azure Blueprints, AWS Cloudformation, Demisto)? How does this work with shifting left (in other words, do you scan open-source code repositories)?
Finally, what is the price? Very few vendors are transparent about pricing. Data Theorem takes the prize for the most complex, with different calculations for how many APIs, web and mobile apps, and cloud resources are consumed. Tenable’s is a slight improvement but still complex. Aqua and Tigera have the most transparent pricing. Check Point has the simplest: $200 per year per active workload. Others create synthetic units or bundle various elements that obscure the details.
CNAPP vendors
Aqua Security Platform
Aqua Security has had a series of products (such as for supply chain and workload protection and a CSPM) that it has rolled up into a central hub, too. The company offers a unique $1 million USD guarantee (and FAQ on its specifics here) if a “proven successful attack” happens under its watch. Aqua has transparent pricing, including a free version for smaller installations and plans that start at $849/month for the smallest accounts (using a complex online calculator to estimate your bill). In addition to the big three IaaS, it supports Alibaba, Oracle Cloud, Mirantis, VMware Tanzu, and OpenShift. Multiple levels of workload protection are available, and it supports both agent and agentless methods.
Aqua SecurityCheck Point CloudGuard
Check Point CloudGuard is a single product, the result of years of combining products from numerous corporate acquisitions such as Dome9 and Protegos. It offers a single dashboard, policy rule set, and support for both agent and agentless methods. CloudGuard integrates with CloudFormation and Terraform and has a simple pricing plan of $200/year USD per each workload. It supports the Alibaba and (soon) Oracle clouds as well as Kubernetes environments.
Check PointCrowdStrike Cloud Security
CrowdStrike Cloud Security is packaged as two separate products in its constellation of more than 20 different Falcon protective modules. It has an attractive and unified dashboard that shows you the main incidents and assets of the big three IaaS platforms along with a list of a dozen different container deployments, which are dealt with separately in the dashboard. It covers the CNAPP universe with both agent and agentless methods. It also has an interesting container image vulnerability analysis service.
CrowdStrikeData Theorem
Data Theorem’s platform covers five separate products that work together to offer CNAPP. These include specialized protection for cloud, mobile, API and web apps as well as a supply chain protection product. It has a central analysis engine and dashboard that provides some integration. Data Theorem supports all the big three IaaS players along with Kubernetes. One notable feature is what it calls “headliner policies” that are constructed to prevent historical breaches. It has both agents and agentless methods. Its pricing structure is complex, with different plans for each product.
Data TheoremLacework Polygraph
Lacework Polygraph supports the big three IaaS players along with Kubernetes. It has both agent and agentless methods along with behavior-based detection rules to examine infrastructure as cloud and vulnerabilities. It uses a single, integrated product so policies can span information collected from both methods.
Palo Alto Networks Prisma Cloud
Palo Alto was unable to provide a demo of its Prisma Cloud solution by our deadline, but we decided to include it since it is a market leader. The company built up Prisma Cloud through a series of acquisitions including Redlock (cloud threat defense), Twistlock (container security), and Bridgecrew (developer-oriented cloud security). Palo Alto allows customers to gradually adopt a full CNAPP solution by selling Prisma Cloud on a modular basis or in bundles. Pricing for those bundles starts at $540 USD a year.
Palo Alto NetworksSUSE Neuvector
SUSE acquired Neuvector last year and has released its code to open source, making it free to use with paid support plans if needed. It is a partial CNAPP solution, stronger in CWPP and missing CIEM and CASB functionality. It supports all the big three IaaS platforms as well as Rancher, OpenShift, VMware Tanzu and Mirantis container platforms. It is exclusively agentless.
Sysdig
Sysdig has two services, aptly named Secure and Monitor, and both are needed to provide CNAPP coverage. Last year the company acquired Apolicy to expand its workload protection features. Besides the big three IaaS players, Sysdig also support IBM, Oracle and VM Tanzu clouds as well as Red Hat OpenShift. It has a pricing page that lacks specifics, but Sysdig told us that plans start at $500/month based on your AWS EC2 storage repositories. Notable features include a new risk prioritization module and the ability to automatically suggest least privilege access rules.
SysdigTenable.cs
Tenable.cs (Cloud Security) is a text-heavy product that touches on most of the CNAPP bases with the exception of CWPP. It does agentless and agent methods and comes with more than 1,400 pre-set policies and loads of default benchmarks. It integrates its Nessus vulnerability scanner, extending it to scan VMs and containers, along with its acquisition of Accurics and earlier this year bought Cymptom and will integrate its cloud path discovery and protection into its Cloud Security line next year. It supports the big three IaaS platforms and Kubernetes. It has complex pricing that is basically a fixed charge per monitored asset, defined as any compute or database node or container registry.
Related:
- Cloud Security
Page 1 of 2
FAQs
Is Wiz a Cnapp? ›
Wiz is a revolutionary new approach to cloud security. The only agentless, graph-based CNAPP that provides 100% visibility, ruthless risk prioritization, and time-to-value across teams that build and secure your cloud.
What does Cnapp stand for? ›CNAPP, or Cloud-Native Application Protection Platform, is a new category of security products, encompassing the functionality previously found in Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) products and more.
What is a Cspm? ›Cloud security posture management (CSPM) is a category of automated data security solution that manages monitoring, identification, alerting, and remediation of compliance risks and misconfigurations in cloud environments.
What is Cnapp Gartner? ›What Is a Cloud Native Application Protection Platform? Gartner has defined the cloud native application protection platform (CNAPP) as “an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production.”
Who are Wiz competitors? ›- Trend Micro Deep Security.
- Illumio Core.
- Prisma Cloud.
- Sophos Central.
- Microsoft Defender for Cloud.
- Sysdig Secure.
- CloudGuard Network Security.
- Orca Security.
Wiz is arguably the BEST CSPM currently available.
Wiz also is strong on serverless (e.g. Log4shell vulnerabilities in serverless functions). Wiz does all this in an agent-less manner. Within hours of deployment, we were already gaining valuable insights that our incumbent product had not found in years.
CSPM solutions automatically and continuously check for misconfigurations that can lead to data breaches and leaks. This automated detection allows organizations to make necessary changes on a continuous, ongoing basis.
Do I need Cspm? ›Having a CSPM is crucial for any organization, since it identifies and remediates threats in an enterprise cloud environment. Some of the most critical functions of a cloud security posture management solution include security risk assessment, incident response, and DevOps integration.
Why is Cspm important? ›CSPM eliminates security risks and accelerates the delivery process by comparing cloud application configurations to industry and organizational benchmarks so violations can be identified and remediated in real-time.
Is Orca a Cwpp? ›Orca offers industry-leading agentless cloud workload protection platform (CWPP) capabilities and provides 100% coverage and deep visibility into cloud workloads—spanning cloud VMs, serverless functions, containers, and Kubernetes applications— without the performance impact, security gaps and operational costs of ...
What is CWP in cloud? ›
Cloud Workload Protection (CWP) is the process of continuously monitoring for, and removing threats from cloud workloads and containers.
What are cloud-native platforms? ›Cloud-native platforms enable teams to develop, run and manage applications without the manual labour associated with building or maintaining the underlying infrastructure. It's a self-service approach that reduces handovers and potential delays which can otherwise hinder progress.
What is shift left security? ›To shift security left means to implement security measures during the entire development lifecycle, rather than at the end of the cycle.
Is lacework a Cspm? ›And for the Cloud Security Posture Management (CSPM) features of the Lacework platform, Polygraph delivers the contextual insights necessary for the efficient handling of compliance, vulnerability, and audit tasks, saving time and improving our customers' agility.
What is cloud-native security? ›Cloud Native refers to both platform and infrastructure security, as well as continuous application security. The security must be built into the assets you're working to secure. This applies to multiple layers, from OS to container to application.
How much does Wiz security cost? ›Of the $600 million raised by the company to date, $65 million has been allocated to secondary deals. "Wiz is going public, but we aren't at that stage yet and still have a long way to go," Rappaport added. "We will not sell the company. We will take it public.
How many employees does Wiz have? ›Wiz has a strong pedigree: Co-founders Yinon Costica, Ami Luttwak, Assaf Rappaport and Roy Reznik sold their previous company, Adallom, to Microsoft for a reported $320 million. The Adallom software became part of the lineup of security tools Microsoft started selling to companies.
Where was WiZ founded? ›What does WiZ company do? ›
Wiz provides direct visibility, risk prioritization, and remediation guidance for development teams to address risks in their own infrastructure and applications so they can ship faster and more securely.
What is Prisma Cspm? ›Prisma Cloud is a unique Cloud Security Posture Management (CSPM) solution that reduces the complexity of securing multi-cloud environments, while radically simplifying compliance.
How does cloud workload protection work? ›Cloud Workload Protection is the process of keeping workloads that move across different cloud environments secure. The entire workload must be functional for a cloud-based application to work properly without introducing any security risks.
What is CrowdStrike Cspm? ›CrowdStrike Falcon® CSPM streamlines cloud security posture management across the application development lifecycle for any cloud, enabling you to securely deploy applications in the cloud with greater speed and efficiency.
What is checkpoint Cspm? ›CloudGuard Cloud Security Posture Management (CSPM) checks your cloud environments compliance with industry standards and best practices, or your organization's own security policies.
What is orchestration in cloud? ›Cloud Orchestration is the process of automating the tasks needed to manage connections and operations of workloads on private and public clouds. Cloud orchestration technologies integrate automated tasks and processes into a workflow to perform specific business functions.
Is Orca security legit? ›Orca Security is #4 ranked solution in top Cloud Security Posture Management (CSPM) tools, #4 ranked solution in top Cloud-Native Application Protection Platforms (CNAPP) tools, #6 ranked solution in Cloud Workload Protection Platforms , and #7 ranked solution in top Vulnerability Management tools.
How much does Orca security cost? ›| Hosts | Description | 1 MONTH |
|---|---|---|
| Small (100) | up to 100 concurrent workloads (EC2) per month | $3,200 |
| Small-medium (300) | up to 300 concurrent workloads (EC2) per month | $8,500 |
| Medium (500) | up to 500 concurrent workloads (EC2) per month | $11,700 |
| Large (1000) | up to 1000 concurrent workloads (EC2) per month | $21,700 |
A workload is a tightly coupled group of resources which run and support an application or capability. An application is a piece of software which fulfils a specific purpose.
What is workload protection in Azure? ›Workload protections gives you the visibility into your different resource types. Based on that visibility, you can link your resources to configure advanced threat protection capabilities in 'Microsoft Defender for Cloud'.
What is VMware workload? ›
VMware Carbon Black Cloud™ Workload is a data center security product that protects your workloads running in a virtualized environment. Carbon Black Cloud Workload ensures that security is intrinsic to the virtualization environment by providing a built-in protection for virtual machines.
What is difference between cloud and cloud native? ›Cloud-based: Applications are tightly integrated, and upgrades may be needed for the entire stack, causing downtime. Cloud-native: Faster to deploy because there is no hardware or software to deploy. Cloud-based: Slower because of hardware provisioning or software setup.
Is Gmail SaaS or PaaS? ›Gmail is one famous example of an SaaS mail provider. PaaS: Platform as a Service The most complex of the three, cloud platform services or “Platform as a Service” (PaaS) deliver computational resources through a platform.
What is the difference between cloud native and cloud ready? ›In a cloud-enabled solution, the organization's application is deployed in the public cloud but still requires a physical server of its own for operations. The difference between a cloud-native and a cloud-enabled system is that a cloud-native system does not require any computing infrastructure onsite.
What does a CASB do? ›A cloud access security broker (CASB) is a security check point between cloud network users and cloud-based applications. They manage and enforce all data security policies and practices, including authentication, authorization, alerts and encryption.
What is CrowdStrike Cspm? ›CrowdStrike Falcon® CSPM streamlines cloud security posture management across the application development lifecycle for any cloud, enabling you to securely deploy applications in the cloud with greater speed and efficiency.
What is Sophos Cspm? ›Sophos Cloud Security Posture Management (CSPM)
In the case of Sophos, the company offers a management console that allows partners and customers to “dive directly into assets to get more detail about your asset inventory and cloud security posture.”
Prisma Cloud is a unique Cloud Security Posture Management (CSPM) solution that reduces the complexity of securing multi-cloud environments, while radically simplifying compliance.
How much does CASB cost? ›| Product | Price | Minimum |
|---|---|---|
| Oracle CASB for Oracle SaaS - Hosted Employee - Non-metered | US$1.25 / month | 1000 |
| Oracle CASB for Oracle SaaS - Monitored Service User - Non-metered | US$5.00 / month | 50 |
| Oracle CASB for Data Protection - Data Loss Prevention - Non-metered | US$2.50 / month |
CASB solutions consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on."
What is difference between CASB and DLP? ›
In a nutshell, CASB monitors the overall cloud usage. DLP is built for protecting data in the cloud or wherever it is.
Is CrowdStrike a vulnerability scanner? ›CrowdStrike Falcon® Spotlight offers security teams a real-time assessment of vulnerability exposure on their endpoints that is always current.
How does CrowdStrike EDR work? ›EDR solutions work by providing continuous and comprehensive real-time visibility into what is happening across all endpoints. Behavioral analysis and actionable intelligence is then applied to endpoint data to prevent an incident from turning into a breach.
What is CrowdStrike XDR? ›CROWDSTRIKE FALCON® XDR applies CrowdStrike's world-class machine learning, AI and Indicators of Attack (IOAs) on this data to extend EDR outcomes and advanced threat detection across the security stack to stop breaches faster.
What are the 3 main challenges that Sophos cloud Optix addresses? ›Cloud Optix supports integration with some of the most popular business tools today. These tools are used to help customers with cloud security monitoring, governance, risk, and compliance (GRC) and DevSecOps processes.
Which 3 Sophos products can be used to protect public cloud hosted servers? ›Sophos Cloud Optix delivers compliance automation, governance, and security monitoring in the cloud, while Sophos Safeguard, DLP, and Sophos Mobile help secure data and determine access permissions.
What is Sophos XG firewall? ›Sophos XG Firewall is the only network security solution that is able to fully identify the user and source of an infection on your network and automatically limit access to other network resources in response.
What are two competitors for Prisma cloud compute choose two? ›- Trend Micro Deep Security.
- VMware Carbon Black App Control.
- Illumio Core.
- Sophos Central.
- Microsoft Defender for Cloud.
- Sysdig Secure.
- CloudGuard Network Security.
- Orca Security.
Falcon Horizon provides intelligent agentless monitoring of cloud resources to detect misconfigurations, vulnerabilities and security threats, along with guided remediation to resolve security risks and enable developers with guardrails to avoid costly mistakes.
What is Dome9 checkpoint? ›CloudGuard Dome9 is an innovative service that allows enterprises. to easily manage the security and compliance of their public cloud. environments at any scale across Amazon Web Services (AWS). CloudGuard Dome9 offers technologies to visualize and assess. security posture, detect misconfigurations, model and actively.