Cloud-native application protection platform (CNAPP) offerings roll a number of capabilities into one solution under a single marketing label. CNAPP platforms claim to include:
- Cloud security posture management (CSPM).
- Cloud infrastructure entitlement management (CIEM).
- Cloud workload protection (CWP), both agent-based and agentless.
- Container security and application security.
- API security.
- Infrastructure-as-code (IaC) build script scanning.
- Serverless security.
- DevOps security features.
That is a mouthful to put into one sentence and even more burdensome to evaluate and buy.
To be clear, we don't have any issue with the current CNAPP providers' offerings. Cloud workload protection, CSPM, API security, serverless security, IaC scanning, and container security are all useful capabilities for defending cloud assets. But packaging them into a CNAPP bundle is unnecessary at best and misleading at worst. Here's why:
- CNAPP as a solution "platform" becomes unwieldy, large, and difficult to buy. End users in their quest to select the right CNAPP vendor have to evaluate far too many features and characteristics spanning many different disciplines, which limits their choice. Whereas, for example, container security and cloud security capabilities are often bought together, CIEM and DevSecOps tooling are quite far afield from both a technology and a buyer perspective (see figure).
- CNAPP includes some categories that aren't specific to cloud-native application security. For newer organizations with no tech debt and no legacy applications, the vision of every application being developed for and deployed exclusively to the cloud is attractive. The unfortunate reality is that many organizations maintain legacy applications. How many still have active mainframe apps? Or traditional client/server applications running in a data center for which the migration costs cannot be justified? While they apply to cloud workloads, solution areas such as IaC scanning, API security, and container security are not exclusively cloud security constructs.
- The buying centers for CNAPP components are disparate. CNAPP solutions are not procured by a single stakeholder; instead, IT security, application developers, cloud architecture/security, and Dev(Sec)Ops all have a stake in evaluating and buying CNAPP capabilities. This can lead to unnecessarily and excessively long sales, procurement, and implementation cycles, which is not a good thing when trying to deliver rapid time to value at "agile speed."
- CNAPP keeps vendor innovation low. When trying to build a comprehensive CNAPP solution, vendors inevitably spread themselves too thin and are unable to create innovative technical solutions in any single CNAPP functional area. Several CNAPP segments (such as serverless security and IaC scanning) are evolving quickly, forcing vendors to 1) invest heavily in building top-notch solutions in that specific segment and 2) cut resources and budget for building out the other CNAPP capabilities.