Aqua Blog

Why the time for CNAPP is now

CNAPP is projected to be one of the biggest security categories ever – a $25 to $30B market. Why? Enterprises are continuing to move applications to the cloud while adopting cloud native practices, necessitating new security measures. At the same time, CISOs are under pressure to consolidate tools for better security and operational efficiency.

CNAPP is the opportunity for enterprises to connect the dots across the cloud application lifecycle and create more efficient and effective security. But what exactly is CNAPP and why is it gaining such momentum now?

Gartner most recently defined cloud native application protection platforms (CNAPPs) as a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production.

They further explained that CNAPPs consolidate many previously siloed capabilities, including container security, cloud security posture management (CSPM), Kubernetes security posture management (KSPM), infrastructure-as-code scanning, runtime cloud workload protection, and runtime vulnerability/configuration scanning.

Why are CNAPPs gaining momentum?

Cloud native applications are complex and present the challenge of a new attack surface. Traditional security tools were not designed for cloud native architectures and can only supply limited visibility and control. Niche tools are not much better, as they lack the integrations needed to see across systems. Free tools come with the high cost of integration, not to mention maintenance. Yet doing nothing carries high risk, with probable loss of revenue and operations. Attackers are aware of the challenges and limitations of these tools and are targeting the misconfiguration of cloud infrastructure (network, compute, storage, orchestrators, identities and permissions), known and zero-day vulnerabilities in code, and the software supply chain, including the tools used to develop and deploy code.

Moreover, the shift-left movement is in full swing, leaving DevOps teams increasingly responsible for security remediation tasks (commonly called DevSecOps), such as addressing vulnerabilities and deploying fixes to infrastructure as code, which in turn requires tools that address this expanded scope.

CNAPP offers a way to reduce complexity while improving security and the developer experience. At Aqua, we often like to explain it backwards to simplify how you think about it: a CNAPP is a platform that protects applications in cloud native environments. It is a category of security solutions that helps identify, assess, prioritize, and adapt to risk in cloud native applications and their underlying infrastructure. Unlike traditional approaches to cloud security, the goal of a CNAPP is to provide complete end-to-end security for cloud native environments.

“Agentless workload scanning has become a popular approach and an expected core CNAPP capability, although in-workload approaches provide the best protection.”  

– Gartner CNAPP Market Guide 2023

Merging capabilities of CSPM and CWPP

Agentless cloud workload scanning is a newer technology for broad Cloud Security Posture Management (CSPM), providing basic workload visibility in addition to infrastructure misconfiguration detection. It works by taking snapshots of the block storage volumes of running workloads and scanning them via the cloud providers' APIs. This method provides quick but non-real-time visibility into cloud workloads for risk posture management, and it detects some, but not all, risks, such as vulnerabilities, malware, and secrets that are present on disk.

Agents are traditionally used in Cloud Workload Protection (CWPP) solutions to provide strong controls that protect running workloads against threats and attacks in real time. They also give Incident Response (IR) teams rich data about incidents for forensics and investigation. The agents collect data, monitor system activity, enforce security policies, or take action such as stopping a suspicious executable. The unique vantage point of agent technology enables you to detect advanced attacks, such as fileless malware, that evade agentless scanning technology because they leave nothing on the scanned volume.

With the growing sophistication of cyber-attacks and the increasing complexity of multi-cloud environments, visibility alone isn't enough. To achieve effective protection in the cloud, you need to seamlessly combine both agentless scanning and agents in your platform to prioritize and reduce risk, as well as to detect and stop the most advanced types of attacks.
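To make the agentless-versus-agent distinction above concrete, here is an added example (not Aqua's code) that contrasts what a block-volume snapshot can see with what an in-workload agent can see on Linux: a process whose executable lives only in memory (a memfd) or was deleted after launch has no backing file for a snapshot scanner to find, but its /proc entry exposes it to an agent. The process list and snapshot file set are constructed sample data; `read_proc_exe_targets` is a real collector that only works on a Linux host.

```python
"""Why an in-workload vantage point catches fileless activity that a disk-snapshot
scan cannot. Agentless scanning sees the files on a volume; an agent can read
/proc/<pid>/exe, which reveals executables with no on-disk backing file."""
import os
import re
from typing import Iterable

# Link targets of /proc/<pid>/exe that indicate no backing file on disk:
# in-memory executables ("/memfd:...") and binaries removed after launch.
FILELESS_PATTERNS = (re.compile(r"^/memfd:"), re.compile(r" \(deleted\)$"))


def is_fileless(exe_target: str) -> bool:
    """True if the executable behind this exe link is not present on disk."""
    return any(p.search(exe_target) for p in FILELESS_PATTERNS)


def find_fileless(processes: Iterable[tuple[int, str]]) -> list[int]:
    """PIDs (in input order) whose executable an agent sees but a snapshot cannot."""
    return [pid for pid, target in processes if is_fileless(target)]


def snapshot_sees(exe_target: str, snapshot_files: set[str]) -> bool:
    """Whether an agentless volume scan would find this process' binary."""
    return exe_target in snapshot_files


def read_proc_exe_targets(proc_root: str = "/proc") -> list[tuple[int, str]]:
    """Live collection from /proc (Linux only; other users' processes need root)."""
    found = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            found.append((int(name), os.readlink(os.path.join(proc_root, name, "exe"))))
        except OSError:
            continue  # kernel thread, process already gone, or permission denied
    return found


# Constructed sample data: three running processes as /proc would report them,
# and the files a snapshot of the same host's root volume would contain.
SAMPLE_PROCS = [(1, "/usr/sbin/sshd"), (4242, "/memfd:x (deleted)"), (777, "/tmp/.c (deleted)")]
SAMPLE_SNAPSHOT = {"/usr/sbin/sshd", "/etc/passwd", "/usr/bin/python3"}

if __name__ == "__main__":
    for pid, target in SAMPLE_PROCS:
        seen = "in snapshot" if snapshot_sees(target, SAMPLE_SNAPSHOT) else "not in snapshot"
        print(f"pid {pid:>5} {target:<22} {'FILELESS' if is_fileless(target) else 'on disk':<8} {seen}")
```

On a real host, `find_fileless(read_proc_exe_targets())` lists processes an agentless scan of the volume would never report; an empty list is the normal, healthy result.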

“By 2025, 60% of enterprises will have consolidated cloud workload protection platform (CWPP) and cloud security posture management (CSPM) capabilities to a single vendor, up from 25% in 2022.” 

– Gartner CNAPP Market Guide 2023  

Gartner recommends a single-vendor approach.

Gartner expects cloud native security to consolidate from the 10 or more tools/vendors utilized today to a more viable 2 to 3 in a few years. While some may argue that this is the result of macro-economic concerns, studies have shown that the primary benefit of adopting a single-vendor approach to a security framework rests on three principles: first, better security through context; second, operational efficiency from using fewer tools that need management and/or training; and finally, cost.

Most organizations have some form of runtime CWPP for their virtual machines, but with the adoption of containers and serverless computing increasing, traditional CWPPs are not effective, as they were not built for the cloud native application technology stack. Many have selected a scanning tool for container images in development and another solution for CSPM. Additionally, many organizations have several vendors for different (or sometimes overlapping) functions, creating silos of users and findings. This makes it difficult to create a unified picture of risk. The shift to a CNAPP-based approach and the synergy of an integrated platform provide more benefits than a best-of-breed strategy that is difficult to scale.

A CNAPP should identify and understand the effective risk across the multiple layers of a modern cloud native application. When part of one integrated platform, it combines data from agents and agentless scanning to connect the dots and provide greater context so you can better prioritize security issues. As a result, you can not only efficiently reduce your attack surface but also stop attacks in real time.

Aqua’s approach

From day one, our vision at Aqua has been to deliver a single end-to-end security solution for the entire cloud native application lifecycle in one holistic platform. We’ve always believed that to be a true CNAPP, a solution must include shift-left scanning, broad visibility, and crucially strong runtime controls that can detect and stop attacks in progress. Aqua offers the industry’s first and only unified cloud native application protection platform. The Aqua Cloud Security Platform supports the customer experience from scanning and visibility to runtime workload protection. This single platform approach provides users with better context and prioritization in identifying threats to secure customers’ cloud native assets from day one and protect them in real time. Simply put, we see what others don’t, and we stop what others can’t.

Learn more about the CNAPP market and find out how the Aqua platform can help you achieve visibility and eliminate risk across your cloud native environments in the Gartner Market Guide for Cloud-Native Application Protection Platforms.

Rani Osnat
Rani is the SVP of Strategy at Aqua. Rani has worked in enterprise software companies more than 25 years, spanning project management, product management and marketing, including a decade as VP of marketing for innovative startups in the cyber-security and cloud arenas. Previously Rani was also a management consultant in the London office of Booz & Co. He holds an MBA from INSEAD in Fontainebleau, France. Rani is an avid wine geek, and a slightly less avid painter and electronic music composer.