Crowdstrike’s CNAPP and its basic functions

Aaron L
2 min read, Apr 23, 2024


Falcon amongst the clouds (allegedly)

Crowdstrike’s CNAPP is one of many cloud security tools now proliferating across enterprise cloud deployments. Among its competitors are Tenable’s CNAPP solution (through their acquisition of Ermetic), Palo Alto’s CNAPP, the market-dominant version built by Wiz, and a few other versions I will not be exploring. By the by, CNAPP stands for “Cloud-Native Application Protection Platform”.

What does all this mean!?

Well, for Crowdstrike’s CNAPP specifically, it means a few different security services that cover the many parts of enterprise cloud infrastructure, whether multi-cloud or single-cloud. Let’s list out the big ones:

  1. Cloud Security Posture Management (CSPM) — This is essentially Falcon for the cloud, consisting of IOMs (indicators of misconfiguration) and IOAs (indicators of attack) constantly reminding you that your cloud configuration is off the rails and that the paper-pushing policies you gave the cloud engineers are being more or less skimmed and forgotten. Kidding of course…. Unless.
  2. Cloud Workload Protection Platform (CWPP) — What you see is what you get with this acronym. It is designed to give you an understanding of any cloud-hosted workloads you have running in your organization and assess them against best practices. Think virtual machines, containers and serverless functions (Azure Functions, Lambda functions, Google Cloud Functions).
  3. Cloud Infrastructure Entitlement Management (CIEM) — CIEM refers to the processes and tools used to manage and enforce access permissions for cloud infrastructure resources, such as virtual machines, storage buckets, and network components. In reality this is another way of helping a cloud security program manage the IAM, network and access-control sprawl that spawns from cloud over-adoption with limited oversight, or maybe, just maybe, proactively avoid it.
  4. Kubernetes Security Posture Management (KSPM) — This one is pretty straightforward: KSPM runs pre-runtime and runtime-level security checks on the Kubernetes platform for better insight into the security of the platform.
  5. Infrastructure-as-Code (IaC) Scanning — A relatively small footprint in the CNAPP, this is for those embracing the future of immutable infrastructure and trying to get admin accounts away from those who can’t stop deploying public EC2 instances. IaC uses Terraform, AWS CloudFormation and/or ARM templates in Azure to deploy infrastructure. Now you can scan those templates and make recommendations.
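
To make the IOM idea from the CSPM item and the template scanning from the IaC item concrete, here is a small added example (my own illustration, not Crowdstrike’s code or any part of Falcon) that walks a CloudFormation-style template and emits findings for three classic misconfigurations: a security group that opens an admin port to the world, an S3 bucket with no public access block or default encryption, and an IAM role whose inline policy allows everything on everything (the kind of over-broad entitlement CIEM exists to catch). The template, the rule names and the `Finding` type are all constructed for this example; the CloudFormation resource types and property names are the real ones.

```python
"""Minimal IaC misconfiguration scanner over a CloudFormation-style JSON template.

Added illustration, not vendor code. Resource types and property names are the
real CloudFormation ones; the sample template and rule identifiers are constructed.
"""
import json
from dataclasses import dataclass
from typing import Iterator

# Constructed sample template: one of each resource type, each with a defect.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "AppRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "Policies": [{
          "PolicyName": "app-inline",
          "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
        }]
      }
    }
  }
}
""")

ADMIN_PORTS = (22, 3389)  # SSH and RDP: never world-reachable by default


@dataclass(frozen=True)
class Finding:
    resource: str  # logical resource name in the template
    rule: str      # constructed rule identifier
    detail: str    # human-readable recommendation context


def _as_list(value) -> list:
    """IAM documents allow a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def check_security_group(name: str, props: dict) -> Iterator[Finding]:
    """IOM: an admin port reachable from any IPv4 or IPv6 address."""
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ("0.0.0.0/0", "::/0"):
            continue
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        for port in ADMIN_PORTS:
            if lo <= port <= hi:
                yield Finding(name, "SG_ADMIN_PORT_WORLD_OPEN", f"port {port} open to {cidr}")


def check_bucket(name: str, props: dict) -> Iterator[Finding]:
    """IOM: bucket without a full public access block or default encryption."""
    pab = props.get("PublicAccessBlockConfiguration", {})
    required = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(pab.get(k) is True for k in required):
        yield Finding(name, "S3_PUBLIC_ACCESS_BLOCK_MISSING", "set all four PublicAccessBlock flags to true")
    if "BucketEncryption" not in props:
        yield Finding(name, "S3_NO_DEFAULT_ENCRYPTION", "add a BucketEncryption configuration")


def check_role(name: str, props: dict) -> Iterator[Finding]:
    """CIEM-style entitlement check: Allow statements with wildcard action on any resource."""
    for policy in props.get("Policies", []):
        for stmt in _as_list(policy.get("PolicyDocument", {}).get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
                yield Finding(name, "IAM_WILDCARD_ALLOW",
                              f"policy {policy.get('PolicyName')} allows {actions} on all resources")


CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_bucket,
    "AWS::IAM::Role": check_role,
}


def scan_template(template: dict) -> list:
    """Dispatch every resource to the check registered for its type; unknown types are skipped."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check is not None:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for f in scan_template(SAMPLE_TEMPLATE):
        print(f"{f.rule:32} {f.resource:10} {f.detail}")
```

Run against the constructed template this reports four findings: the SSH rule on `WebSg` (the HTTPS rule on the same group is correctly left alone), two on `LogBucket`, and one on `AppRole`. A real product runs hundreds of such rules, maps them to benchmarks, and watches the deployed account as well as the template, but the shape is the same: a typed resource, a property lookup, and a finding with a recommendation.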

Each one of these is a piece of the bigger puzzle, and while I’ve had a good amount of exposure to Crowdstrike’s CNAPP there’s still plenty to dig into in the future, such as the new DSPM tool they are integrating, or Tenable CNAPP’s ability to integrate Okta into their cloud offering, which is closer to a CASB and a CNAPP function together.
