Ever-changing CNAPP

Shun Yoshie
7 min read · Mar 22, 2024

In this blog, I would like to introduce recent trends in CNAPP (Cloud Native Application Protection Platforms), which bundle many cloud-native security functions into one platform.

SANS released “Cloud Security Foundations, Frameworks, and Beyond” as a white paper in August 2023. In “Conclusion: Looking Ahead” of “Chapter 1: Cloud Security: Shared Fate, Identity, Secure Data, and the Coming AI”, the SANS white paper states the following:

As the types of available cloud services grow and organizations continue to deploy large PaaS and IaaS environments that employ numerous interconnected services, the range of cloud security controls needed and surface to protect also gets larger. To keep up with the array of different cloud services in use, security teams will need to learn and use more advanced controls and develop more dynamic and continuous processes for evaluating security conditions in their environments.

In 2023 and beyond, we see a variety of trends that will be likely to continue to grow including:
Major emphasis on data protection and privacy — Especially for massive-scale data analytics and processing capabilities that exist across numerous accounts and regions
Continued focus on identity and access management — Primarily for centralized monitoring and control of identities and privileged identity control and oversight
Continued work on configuring all cloud components and applications securely — Typically done using a shared fate model
Continuous analysis of trust and privileges — Within the cloud, aligning and focusing assets and workloads/applications based on a principle of least privilege and access minimization
Significant growth in ML and AI — The security of data within AI and ML services — both for business use cases and security analytics — and environments will prove critical in defending against attacks that could pollute ML models. Cloud environments are ideally suited to help with this in all respects.

In all, these types of security controls and services are simply a natural evolution that reflects the nature of PaaS and IaaS software-defined cloud platforms and infrastructure. Security operations in large, distributed cloud environments will need to adapt to accommodate more dynamic deployments and changes, new services and workloads, and a significantly greater reliance on automation. In the next year and beyond, it’s likely all these trends will grow and mature significantly.

Now in 2024, I wanted to find out what the results were for this trend that was mentioned in the past, and whether there are any solutions that can be taken or implemented. I think it’s CNAPP.

CNAPP

Gartner proposed CNAPP as a comprehensive approach to ensuring security in cloud-native environments. CNAPP, as defined by Gartner, integrates many functions that were previously siloed, such as “Container Image Scanning”, “CSPM”, “IaC Scanning”, “CIEM (Cloud Infrastructure Entitlement Management)”, and “CWPP”. CNAPP brings these disparate elements and technologies together to strengthen the security of cloud-native applications. I will explain each element that made up CNAPP at the time it was proposed.

1. Container Image Scanning

“Container Image Scanning” is a technique used to improve security during the software development and deployment process. It is the process of detecting potential security risks and vulnerabilities in images that package applications using container technology such as Docker.

2. Cloud Security Posture Management (CSPM)

“CSPM” is a tool for managing the security posture of cloud environments. It reduces security risks by detecting and remediating inappropriate policies and misconfigurations of cloud accounts and resources. CSPM audits cloud resource configurations to ensure consistency and compliance with best practices. In recent years, some CSPM products can also perform risk analysis on machine learning and AI models.

3. Infrastructure as Code (IaC) Scanning

“IaC Scanning” focuses on the code-based approach to managing infrastructure in cloud environments, performing security scans on the IaC itself. As a result, security best practices are built into the code, ensuring security at deployment time. To maintain IaC security, rescan whenever the IaC scanning tool is updated or cloud resource settings change, and fix the code when security vulnerabilities are detected.

4. Cloud Infrastructure Entitlement Management (CIEM)

“CIEM” focuses on identity and privilege, providing precise and appropriate controls over user access. It manages identity establishment, authentication, provisioning and deprovisioning of access rights, and is based on best practices for entitlement.
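As an added example (not code from the original post or from any CNAPP product), here is a minimal checker that combines the three controls described above: it parses a constructed CloudFormation-style template (IaC Scanning), flags resource misconfigurations such as a bucket without a public access block or an admin port open to the internet (CSPM), and flags wildcard IAM entitlements that break least privilege (CIEM). The template, resource names and finding categories are all assumptions made for this illustration.

```python
import json
# Constructed CloudFormation-style sample (not a real deployment): one weak and one hardened resource per type
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "PublicBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "PrivateBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                           "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
    "AdminPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    "ReadPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::example-bucket/*"}]}}},
    "OpenSsh": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
}})
def _as_list(value):  # IAM accepts either a scalar or a list for Action/Resource
    return value if isinstance(value, list) else [value]

def check_bucket(name, props):  # CSPM: the public access block must be fully enabled
    cfg = props.get("PublicAccessBlockConfiguration", {})
    wanted = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    return [] if all(cfg.get(k) is True for k in wanted) else [(name, "CSPM", "bucket does not block all public access")]

def check_policy(name, props):  # CIEM: wildcard entitlements violate least privilege
    findings = []
    for st in _as_list(props.get("PolicyDocument", {}).get("Statement", [])):
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        if st.get("Effect") == "Allow" and "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((name, "CIEM", "wildcard Action on wildcard Resource"))
    return findings

def check_security_group(name, props):  # CSPM: admin ports must not be open to 0.0.0.0/0
    return [(name, "CSPM", f"port {r['FromPort']} open to the internet")
            for r in props.get("SecurityGroupIngress", [])
            if r.get("CidrIp") == "0.0.0.0/0" and r.get("FromPort") in (22, 3389)]

CHECKS = {"AWS::S3::Bucket": check_bucket, "AWS::IAM::Policy": check_policy,
          "AWS::EC2::SecurityGroup": check_security_group}

def scan_template(template_json):  # IaC scanning step: parse, then run the matching check per resource
    findings = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings

if __name__ == "__main__":
    for name, category, message in scan_template(SAMPLE_TEMPLATE):
        print(f"[{category}] {name}: {message}")
```

Run against the sample it reports exactly three findings (PublicBucket, AdminPolicy, OpenSsh); the hardened PrivateBucket and scoped ReadPolicy pass, which is the same pass/fail loop a CI pipeline would apply before deployment.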

5. Cloud Workload Protection Platforms (CWPP)

“CWPP” is a platform that provides protection for cloud workloads. This includes not only regular hosting servers, but also virtual machines, containers, serverless architectures, and more. CWPP comprehensively manages security across workloads through intrusion detection, network security, and more. It also covers protection in repositories and CI/CD pipelines.

Ever-changing CNAPP

Beyond the elements Gartner defined, services that call themselves CNAPP have in recent years begun to incorporate and expand functions that were once more siloed. I believe that many more features will be added in the future. Let’s take a look at the features that have been incorporated into the many CNAPP services I’ve seen.

6. Kubernetes Security Posture Management (KSPM)

“KSPM” is a technology for managing the security posture of Kubernetes clusters, and it is often included in CSPM. The goal is to ensure security across your Kubernetes cluster and minimize potential risks by implementing policies, auditing resources, identifying security vulnerabilities, and more.

7. Observability

“Observability” is the concept of how effectively and easily a system or application can be observed. It gives a complete view of your system by capturing the logs, metrics, and traces needed to troubleshoot and optimize performance. Observability is important to ensure that systems are predictable and controllable.

8. Security Observability

“Security Observability” is a technology that monitors threats and issues alerts about system compromise based on the three types of telemetry found in “Observability”. Logs and metrics have traditionally been used to understand known attacks, but traces can provide visibility into requests involved in previously unknown compromises. By visualizing API requests between microservices and system-wide traces, it can identify weaknesses in how microservices interact and generate alerts when behavior deviates from what is expected.

9. Data Security Posture Management (DSPM)

“DSPM” is a tool for managing your data security posture. It helps you move data in and out of the cloud, audit data access, maintain data confidentiality, and more. It is also possible to visualize where important information such as sensitive data is stored and how it is input/output. DSPM ensures the implementation and compliance of data security policies, validates data inputs and outputs, and assesses robustness against data poisoning attacks.

10. Cyber Asset Attack Surface Management (CAASM)

“CAASM” aims to manage the intrusion routes of cyber attacks, visualize attackable areas, and take appropriate countermeasures against them. Explicit visibility into the attack surface of web applications and APIs allows organizations to understand exactly what entry points can be exploited by attackers and minimize security risks.

11. Attack Path Management

“Attack Path Management” is the process of understanding and managing the routes and techniques that attackers can use to penetrate and reach their targets within a network or system. It can visualize, for example, cloud resources that are callable from compute instances reached via a CDN or cloud load balancer, inconsistencies in the permission policies attached to those resources, excessive privileges, the possibility of privilege escalation, and the reachability of database services.

12. Vulnerability Management

“Vulnerability Management”, as the name suggests, is a function that manages workload vulnerabilities by incorporating vulnerability diagnosis functions such as SAST and DAST into source code repositories and CI/CD on the cloud.

13. Software Bill of Materials (SBOM)

“SBOM” is a formalization of all the components and dependencies used by a particular software product or system. SBOM improves software transparency and serves a variety of purposes, including security, compliance, software supply chain management, and license information management. You can visualize not only conventional web applications, middleware, and OS images, but also runtimes and library information used for container images and serverless functions, and recently, generative AI models.

14. FinOps

“FinOps” provides visibility into resource and cost usage. Although it is often considered far removed from security, it is possible to investigate whether a security incident has occurred by tracing resource usage when cost patterns change. Unexpected increases in cost or usage can be a sign of unauthorized access, data breaches, resource compromise, or Economic Denial of Service (EDoS).

15. Security Information and Event Management (SIEM)

“SIEM” is an integrated platform for security information and event management. It collects logs from networks, databases, applications, endpoints, and more in the cloud for analysis, monitoring, and reporting in a central location. By correlating the collected logs, it can detect event patterns that could indicate a security incident and support countermeasures during incident response.

16. Security Orchestration, Automation, and Response (SOAR)

“SOAR” is a mechanism for security orchestration, automation, and response. It automates and improves the efficiency of security operations: by preparing a playbook with the steps to take, the response to security incidents can be automated. Some SOAR products include incident management capabilities, and others allow the performance of security operations to be visualized.

At the time of writing, many services that incorporate such functions as CNAPP have appeared.

I had conversations with many exhibitors at last year’s AWS re:Invent. I was given a demo of each company’s CNAPP, which is the result of many companies’ efforts, and I also asked about their future roadmaps. I am confident that CNAPP will continue to be even more exciting in the future.

There is no doubt that cloud vendors will not go against this trend and will continue to expand their functionality.

In the end

It can be said that the trends covered in the earlier SANS white paper are addressed by these functions. Please note that implementing CNAPP does not cover all aspects of cloud-native security. To use CNAPP correctly, both service introduction design and operational design are required. The settings and operational design of CNAPP will need to change to keep up with changes in applications and architecture when using the cloud, but if used correctly, the effects of CNAPP can be maximized. I would like to continue to watch this CNAPP.


Security Consultant / AWS Security Hero / ex-AWS Community Hero / Japan AWS User Group(Security) Leader