Cloud-native application protection platform (CNAPP) solutions provide a number of capabilities rolled into one (marketing label) solution. CNAPP platforms claim to include:
- Cloud security posture management (CSPM).
- Cloud infrastructure entitlement management (CIEM).
- Cloud workload protection (CWP), both agent-based and agentless.
- Container security and application security.
- API security.
- Infrastructure-as-code (IaC) build script scanning.
- Serverless security.
- DevOps security features.
That is a mouthful to put into one sentence and even more burdensome to evaluate and buy.
To be clear, we do not have any issue with the current CNAPP vendors' solutions. Cloud workload protection, CSPM, API security, serverless security, IaC scanning, and container security are all useful capabilities for defending cloud resources. But packaging them in a CNAPP bundle is unnecessary at best and misleading at worst. Here's why:
- CNAPP as a solution "platform" becomes unwieldy and difficult to acquire. End users in their quest to select the right CNAPP vendor have to evaluate far too many characteristics and features across many different disciplines, which limits their choice. While, for example, container security and cloud security capabilities are often purchased together, CIEM and DevSecOps tooling are quite far afield from one another from both a technology and a buyer perspective (see figure).
- CNAPP includes some categories that aren't related to cloud-native app security. For newer organizations with no tech debt and no legacy applications, the vision of all applications being developed for and deployed solely to the cloud is attractive. The unfortunate reality is that many organizations maintain legacy applications. How many still have active mainframe apps? Or traditional client/server applications running in a data center for which the migration costs cannot be justified? While present in cloud workloads, solution areas such as IaC scanning, API security, and container security are not solely cloud security constructs.
- The buying centers for CNAPP components are disparate. CNAPP solutions are not procured by a single stakeholder; instead, IT security, application developers, cloud architecture/security, and Dev(Sec)Ops all have a stake in evaluating and buying CNAPP capabilities. This can result in unnecessarily and excessively long sales, procurement, and implementation cycles, which is not a good thing when trying to promote fast time to value at "agile speed."
- CNAPP keeps vendor innovation low. When trying to build a comprehensive CNAPP solution, vendors inevitably spread themselves too thin and are unable to create innovative technical solutions in any single CNAPP functional area. Several CNAPP segments (such as serverless and IaC scanning) are evolving quickly, forcing vendors to 1) invest heavily in building top-notch solutions in that specific segment and 2) reduce the resources and budget available to build out the other CNAPP capabilities.
Author: Andras Cser
Date: 2023-05-30 14:09:03