Do you know what a Cloud Native Application Protection Platform (CNAPP) is and why you need one if you are an "enterprise customer", especially if you are embarking on multicloud?

When you have on-premise infrastructure you deploy an Endpoint Protection Platform with functions like anti-malware, application control, endpoint detection and response, and so on. In cloud there is more than IaaS workloads to protect: there are Platform as a Service (PaaS) workloads to secure too, and those services are even more dependent on your Cloud Identity and Access Management (CIAM) configuration being right.
If you need a refresher on why CIAM configuration matters, read the MIT case study of the Capital One breach: a server side request forgery (SSRF) vulnerability in a Web Application Firewall (WAF) instance whose IAM role was over-provisioned with S3 permissions was used to obtain that role's credentials from the instance metadata service and copy the contents of the bank's S3 buckets. Or recall any of the breaches caused by backups or migration data being left in publicly readable S3 buckets.
Public clouds like AWS, Azure, GCP and OCI were designed primarily for hosting and accelerating the delivery of internet facing ecommerce applications. If you want "private cloud" inside public cloud you have to get your CIAM guardrails (and their exceptions) right, and you need a second line of defence, because hoping nothing fails is not a strategy.
There are nearly 300 services in your typical public cloud and you might use 50 of them in anger. You cannot expect your security operations team to know the key configuration settings of 300-900 services across three public cloud providers, let alone their names, let alone remember how those services are combined across the numerous deployments of your hosting service's customers.
A CNAPP gives your security operations and cloud engineering teams visibility and control through a suite of functions including, but not limited to:
- Cloud Infrastructure Entitlement Management (CIEM). This models and oversees the effectiveness of your CIAM configuration and guardrails, identifying service principals that are not configured to least privilege. Has a "*" permission slipped in somewhere as part of a troubleshooting step and never been removed?
- Cloud Security Posture Management (CSPM). This models and oversees the configuration of your PaaS services against known-good baselines.
- Data Security Posture Management (DSPM). This enriches the model by helping you identify what data, of what classification, sits in which services in which deployments.
- Container Protection. This gives you the equivalent of anti-malware and application control inside the containers.
- Cloud Detection and Response (CDR). This gives you the control to interact with the cloud provider's API in real time and isolate workloads, and provides forensic capture of ephemeral containers before they disappear.
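As an added illustration of the CIEM and CSPM checks in the list above, and of the two failure modes in the Capital One paragraph (a wildcard grant on a workload's role, and a bucket open to anyone), here is a small offline scan over IAM policy documents. It is example code written for this post, not any CNAPP vendor's implementation; the policies, account number, role and bucket names are constructed.

```python
"""Offline check for two CIAM failure modes: a wildcard grant in an identity
policy, and an anonymous principal in a bucket policy.
Example code written for this post; the policies below are constructed."""
from typing import Any


def _as_list(value: Any) -> list:
    """IAM accepts a scalar or a list in Action, Resource and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy: dict) -> list[dict]:
    """Return the Allow statements that grant a wildcard action or resource.

    A service-wide action ("s3:*"), the global wildcard ("*"), a Resource of
    "*" or an Allow written with NotAction all count: none is least privilege.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resources = [r for r in resources if r == "*"]
        if wild_actions or wild_resources or "NotAction" in stmt:
            findings.append({"index": index, "sid": stmt.get("Sid"),
                             "actions": wild_actions, "resources": wild_resources,
                             "not_action": "NotAction" in stmt})
    return findings


def _is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (scalar or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_principals(bucket_policy: dict) -> list[dict]:
    """Return the Allow statements granted to an anonymous principal.

    Unconditional ones are the open-bucket case; statements carrying a
    Condition (e.g. aws:SourceVpce) are flagged for a human to review.
    """
    findings = []
    for index, stmt in enumerate(_as_list(bucket_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({"index": index, "sid": stmt.get("Sid"),
                         "actions": _as_list(stmt.get("Action")),
                         "conditional": "Condition" in stmt})
    return findings


# Constructed samples. The first has the shape of the Capital One failure:
# a role on a WAF instance that can do anything to every bucket.
WAF_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:log-group:/waf/*"},
        {"Sid": "DebugLeftover", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadRules", "Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-waf-rules/*"}],
}
OPEN_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "MigrationDump", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-migration-dump/*"}],
}
PRIVATE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-app-data/*"}],
}

if __name__ == "__main__":
    for name, pol in [("WAF_ROLE_POLICY", WAF_ROLE_POLICY),
                      ("LEAST_PRIVILEGE_POLICY", LEAST_PRIVILEGE_POLICY)]:
        print(name, find_wildcard_grants(pol))
    for name, pol in [("OPEN_BUCKET_POLICY", OPEN_BUCKET_POLICY),
                      ("PRIVATE_BUCKET_POLICY", PRIVATE_BUCKET_POLICY)]:
        print(name, find_public_principals(pol))
```

This is a static, per-document check: it will catch the "DebugLeftover" statement and the anonymous bucket grant, but a real CIEM evaluates identity policies together with SCPs, permission boundaries, session policies and resource policies to compute effective access, which no single-document scan can do.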
Do you think CNAPP is a game changer, or that cloud providers should ship these functions as part of their standard offering?
#cybersecurity #CNAPP #codetocloud #infosec