What is a Cloud-Native Application Protection Platform (CNAPP)?
A Cloud-Native Application Protection Platform (CNAPP) is a security solution that unifies all cloud security capabilities to protect cloud environments.
Wiz Experts Team
What is a CNAPP?
A CNAPP combines the capabilities of existing cloud security solutions into one platform to protect cloud-based environments and infrastructure from cyberattacks.
CNAPP represents a consolidation and evolution of multiple cloud security technologies, including Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), Cloud Infrastructure Entitlement Management (CIEM), Infrastructure as Code (IaC) scanning, and more.
The term “CNAPP” was coined by Gartner, defining it as a “unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production.”
By 2026, 80% of enterprises will have consolidated security tooling for the life cycle protection of cloud-native applications to three or fewer vendors, down from an average of 10 in 2022.
There are two important elements in the term CNAPP that help explain why it exists. The first is “cloud-native.” The shift to the cloud has brought a wide range of new security needs along with it. The rise of dynamic and ephemeral environments within the cloud has increased complexity and created unique and unpredictable interactions. Traditional agent-based security approaches can’t provide the coverage needed to keep up with ephemeral, containerized, and serverless environments.
The second element is “application protection.” Previously, most cloud security tooling was focused on helping teams understand the security of their infrastructure. However, as Gartner says, “it’s no longer enough to ask, ‘Is my cloud infrastructure secure?’ Security tools must now ask, ‘Are my cloud applications secure?’”
When it comes to cloud applications, organizations need to be holistic in their security thinking. There are many ways to expose applications to risk in the cloud, from unintentional public Internet exposure to overly permissive access rights and more. Organizations should focus on identifying and mitigating the highest priority risks their cloud applications are exposed to, not just collecting a long list of security-related issues that in isolation pose little risk. Individual point solutions often focus narrowly on a limited set of security issues and don’t integrate well when it comes to correlating their signals, which leaves teams struggling to prioritize among many low-priority alerts.
Cloud security challenges solved by CNAPP
The cloud has introduced new types of security risks
Cloud environments are complex. The cloud allows organizations to add new resources on demand, from virtual machines to serverless functions to containers. New types of services are constantly being introduced into a dynamic and scalable environment. This makes it challenging to secure an environment that can grow and change in minutes.
The cloud also simplifies actions, such as making it possible to expose a resource to the internet at the click of a button, resulting in further risks of misconfigurations. With so many different types of services and configurations, organizations need a solution to help them ensure they are staying secure as their environment changes. This complexity also introduces new types of attack paths on the cloud, which requires organizations to have a threat detection and response strategy in place that is built for cloud-native attacks.
Visibility gaps and blind spots
To gain visibility into this complex environment, organizations often use security tools that rely on agents to provide them with visibility into their workloads. Agent-based solutions result in blind spots in the environment, as resources that don’t have the agent set up are simply not protected by the tool. These visibility gaps in the security posture can result in critical issues going unnoticed, and lead to a breach.
Siloed tooling and operational challenges
To set a security foundation on the cloud, organizations often use standalone security tools such as vulnerability management, data security posture management, Kubernetes security posture management, cloud security posture management, and others. Gartner talks about this approach to security in the CNAPP Market Guide 2023:
“This lack of integration creates fragmented views of risk with insufficient context individually making it difficult to prioritize the actual risk.” (CNAPP Market Guide 2023)
As described, using standalone tools creates silos in security posture and operational challenges, as each tool requires its own expertise and process. In addition, to understand risk criticality, organizations need to manually correlate risks across the different tools, resulting in further operational overhead.
Siloed tools lack the context around each risk. For example, a vulnerability management solution can identify if a machine is vulnerable, but it is not aware of whether the machine is also exposed to the internet, or whether it has high privileges.
The lack of context results in the inability of the tools to identify which risks are more critical than others and leads to them creating a lot of noise and alert fatigue. This makes it hard for teams to identify the actual critical risks in their environment and prioritize them.
Gaps between the security team and developers
The security team is responsible for ensuring the security of the cloud environment; however, developers are the ones spinning up resources in the cloud. This results in security slowing down innovation. Additionally, developers often don’t have visibility into the risks related to their resources, and even when they do, they are unable to prioritize them successfully as they lack context and prioritization.
Removing blind spots: CNAPP provides agentless visibility and risk reduction, automatically detecting and protecting new cloud workloads without requiring agent configuration. This ensures full coverage and eliminates blind spots in your security posture.
Faster deployment: Agentless CNAPP enables organizations to protect their entire environment in minutes by using the cloud provider's APIs to scan for resources.
Improved operational efficiency: Agents are expensive to maintain and can slow down workloads, leading to operational challenges that hinder innovation. DevOps teams often reject them, and the value of runtime visibility into ephemeral workloads may not outweigh the overhead of managing agents. A CNAPP with agentless visibility and risk reduction reduces operational costs and complexity.
Unified risk engine: A CNAPP should be a single platform that covers all risk factors, including vulnerabilities, network exposures, secrets, malware, identities, and sensitive data, as well as real-time threat detection. With a unified risk engine, the CNAPP can assess the criticality of risks by understanding how they combine to create attack paths in your environment. The CNAPP automatically correlates all risks across prevention and detection, eliminating the need for manual correlation and enabling organizations to focus on remediating critical risks.
Graph-based context: A CNAPP should provide a graph-based context around risks. The node-and-edge structure is a best practice for graphs, making it much more intuitive to define queries that represent risks. Having a graph-based view also makes it easy for anyone at any skill level to understand relationships between resources and context around risk, so they can respond to issues faster.
Prioritization: A CNAPP with a fully integrated set of features can better prioritize risks by correlating all risks and identifying critical attack paths. A CNAPP should provide a single queue of prioritized risks to allow teams to focus on the most important issues and reduce the noise.
Shift-left enablement: Once risks are identified and prioritized in production, a CNAPP should enable organizations to shift left to scale security across the development lifecycle. By providing integration with CI/CD pipelines, a CNAPP allows organizations to identify risks early on in development and ensure they don’t reach production in the first place. This results in fewer issues the security team has to remediate in production and allows them to focus on broader initiatives.
Contextualized detection and response: To have an effective detection and response strategy, defenders need to understand the attack paths in their environment. This helps them to assess the potential impact of an attack. Before an attack occurs, a CNAPP can help defenders to proactively remove attack paths through contextual risk reduction. After an attack occurs, a CNAPP can help defenders to detect threats in real time based on cloud events and runtime signals. It can also help them to limit the blast radius of an attack based on cloud context. By correlating runtime signals, cloud events, and cloud and infrastructure risks, a CNAPP enables defenders to respond rapidly to threats and minimize the impact of a potential incident.
Visibility across all clouds: A CNAPP should provide complete visibility into your cloud environment, no matter what cloud your workloads run in, whether it is AWS, GCP, Azure, Alibaba, OCI, or any other cloud you use.
Visibility across all resources: A CNAPP should be comprehensive in its coverage and provide visibility into every resource in your environment, including virtual machines, serverless functions, containers, databases, managed services, and any other cloud service you use. A CNAPP should also normalize the different types of resources from the different clouds so you can have a consistent platform with consistent visibility spanning all clouds.
Visibility across all risk factors, from prevention to detection: A CNAPP should provide cohesive visibility into all risk factors including vulnerabilities, network exposures, secrets, malware, identities, and sensitive data, as well as visibility into threats in real time, to give you the full picture of your security posture.
Remove blind spots with agentless visibility: A CNAPP should ensure full coverage and no blind spots in the security posture by using an agentless approach to provide visibility into cloud environments, utilizing the Cloud Service Provider’s (CSP) APIs to detect and scan for resources and workloads, rather than relying on agents that must be configured and maintained.
Unify Independent Cloud Security Solutions
Unified approach to security: A CNAPP provides you with one platform, one process, and consistent controls across all environments. According to Gartner’s CNAPP Market Guide, when evaluating a CNAPP, “All services should be fully integrated, not loosely coupled independent modules.” A fully integrated CNAPP replaces all point solutions with one single platform that covers all security aspects, removing the need for a unique process per tool and reducing operational overhead.
Unified risk engine: A CNAPP uses a unified risk engine to identify risks across CSPM, CWPP, CIEM, Kubernetes Security Posture Management (KSPM), Data Security Posture Management (DSPM), and IaC scanning.
Defense in depth strategy: A comprehensive CNAPP provides a complete defense in depth cloud security strategy. It starts from prevention, through agentless visibility and risk reduction, to the last line of defense being detection and protection from threats from inside the workload, through a lightweight agent. A CNAPP with defense in depth provides full end-to-end visibility into attacks, enabling faster, more efficient response.
Single pane of glass: A CNAPP not only has visibility into all risk factors, but also correlates all risks to understand how they combine into a toxic combination that can create an attack path in an environment. CNAPP models risks on a security graph to provide the complete context around risks. Gartner also recommends that a CNAPP has a single front-end console with a unified back-end data model to reduce switching between multiple consoles.
Prioritized risks with context
Context: A fully integrated CNAPP can identify the context around risks and find attack paths in an environment, enabling organizations to understand the real criticality of risks in their environment. Using a security graph, CNAPP is also able to provide a deep understanding of relationships between all elements in the cloud environment.
Prioritization: A contextual CNAPP is able to prioritize risks based on criticality, and only surfaces the issues you should really pay attention to so your team can focus on the risks that matter. Gartner recommends that a CNAPP should have “Integrated advanced analytics that are combined with the graph to prioritize risks.” Prioritization allows teams to spend less time responding to distracting noise, and more time remediating critical issues.
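A minimal sketch of the graph-based correlation and prioritization described above, added here as an illustration and not Wiz's implementation or code from the original page. The resource names, finding IDs, relationship labels, and scoring are constructed assumptions: three VMs carry a vulnerability finding, but only one combines internet exposure, a high-privilege role, and a path to sensitive data.

```python
from collections import deque

# Constructed sample inventory (all names and finding IDs are hypothetical).
NODES = {
    "internet":    {},
    "vm-web":      {"findings": ["FINDING-A"]},
    "vm-batch":    {"findings": ["FINDING-B"]},
    "vm-admin":    {"findings": ["FINDING-C"]},
    "role-etl":    {"high_privilege": True},
    "role-logs":   {},
    "bucket-pii":  {"sensitive": True},
    "bucket-logs": {},
}
# Constructed edges: (source, relationship, target).
EDGES = [
    ("internet", "can_reach", "vm-web"),
    ("internet", "can_reach", "vm-admin"),
    ("vm-web", "assumes", "role-etl"),
    ("vm-batch", "assumes", "role-etl"),
    ("vm-admin", "assumes", "role-logs"),
    ("role-etl", "can_read", "bucket-pii"),
    ("role-logs", "can_read", "bucket-logs"),
]

def neighbours(node):
    return [dst for src, _, dst in EDGES if src == node]

def paths_from(start):
    """Breadth-first walk yielding every cycle-free path that begins at start."""
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in neighbours(path[-1]):
            if nxt not in path:
                queue.append(path + [nxt])
                yield path + [nxt]

def attack_paths():
    """Paths of the form internet -> vulnerable workload -> ... -> sensitive data."""
    return [p for p in paths_from("internet")
            if NODES[p[1]].get("findings") and NODES[p[-1]].get("sensitive")]

def prioritize():
    """Rank vulnerable workloads by the risk factors that combine on each one."""
    exposed = {p[-1] for p in paths_from("internet")}
    ranked = []
    for name, attrs in NODES.items():
        if not attrs.get("findings"):
            continue  # no vulnerability finding: nothing to rank
        downstream = [NODES[p[-1]] for p in paths_from(name)]
        factors = {
            "internet_exposed": name in exposed,
            "high_privilege": any(n.get("high_privilege") for n in downstream),
            "reaches_sensitive_data": any(n.get("sensitive") for n in downstream),
        }
        # 1 point for the vulnerability itself, plus 1 per contextual factor.
        ranked.append((1 + sum(factors.values()), name, factors))
    return sorted(ranked, key=lambda item: (-item[0], item[1]))

if __name__ == "__main__":
    for score, name, factors in prioritize():
        print(score, name, [k for k, v in factors.items() if v])
    print(attack_paths())
```

A standalone vulnerability scanner would report the three VMs as equal findings; the graph walk puts `vm-web` at the top of a single queue because it is the only one with a complete path from the internet to sensitive data.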
Bridge between development and security teams
Reduce time spent remediating issues in production: A CNAPP can integrate security checks into CI/CD pipelines to scan for risks during development. It enables you to apply unified security policies across production and the CI/CD pipeline to prevent issues from reaching production in the first place. In the CNAPP Market Guide, Gartner recommends to “Reduce complexity and improve the developer experience by choosing integrated CNAPP offerings that provide complete life cycle visibility and protection of cloud-native applications across development and staging and into runtime operation”.
Enable developers to ship faster and more securely: CNAPP empowers developers with the context, prioritization, and specific remediation guidance they need to fix issues related to the resources they own. Context and prioritization enable developers to stay agile and move fast while staying secure.
An integrated CNAPP seamlessly consolidates the following security tools within a unified platform, encompassing and correlating the capabilities outlined below:
Cloud Security Posture Management (CSPM)
CSPM offers insight into the configuration of cloud resources and continuous monitoring of these resources. It assesses cloud resources against rules for proper configuration, identifying any instances of misconfiguration. The system ensures compliance through built-in and customized standards and frameworks, automatically remediating non-compliant resources. By evaluating resources during development, CSPM prevents misconfigurations from propagating to production environments.
Cloud Workload Protection Platform (CWPP)
CWPP ensures visibility into cloud workloads and risk mitigation across VMs, containers, and serverless functions without relying on agents. It conducts scans for vulnerabilities, secrets, malware, and secure configurations within workloads. Additionally, CWPP supports the identification of workload misconfigurations and vulnerabilities during CI/CD pipelines. As the final line of defense, CWPP employs a lightweight agent for real-time threat detection, enriching data through agentless visibility and risk reduction.
Cloud Infrastructure Entitlement Management (CIEM)
CIEM oversees entitlements within cloud setups, guiding the implementation of least privilege permissions while optimizing access and entitlements across the environment. The system analyzes effective permissions for principals and resources, detecting potential leaks of secrets or credentials that could compromise access to sensitive assets.
Kubernetes Security Posture Management (KSPM)
KSPM automates security and compliance for Kubernetes components, providing comprehensive visibility into containers, hosts, and clusters. The system assesses risks related to vulnerabilities, misconfigurations, permissions, secrets, and networking, correlating these risks to offer contextual insights and prioritization. KSPM also facilitates a shift left approach, identifying and preventing Kubernetes security issues during the development phase.
Data Security Posture Management (DSPM)
DSPM safeguards sensitive data within the cloud environment. It identifies sensitive data and provides visibility into its location across buckets, data volumes, OS and non-OS environments, and managed and hosted databases. DSPM correlates sensitive data with underlying cloud context and other risk factors to comprehend data asset configuration, usage, and movement. A fully integrated DSPM can even pinpoint potential paths of attack on sensitive data, allowing proactive issue prioritization to prevent breaches.
Cloud Detection and Response (CDR)
Cloud detection and response enables the detection, investigation, and response to cloud-based threats by monitoring activity within the cloud environment and identifying suspicious events. While proactive risk reduction without agents eliminates potential attack paths, real-time threat detection remains essential. CDR identifies threats and suspicious activities in real time, including remote code execution, malware, crypto-mining, lateral movement, privilege escalation, and container escape. The system offers comprehensive visibility, automatically correlating threats across real-time signals, cloud activity, and audit logs to track attacker movements. This enables rapid response and limits the impact of potential incidents.
Over time, CNAPP will become the standard way for cloud developers to ensure that they are doing well on the security front. CNAPPs are usable and consumable by developers and operation teams, so they will allow those teams to be more proactive with the security of their resources.
Today, security teams have very few ways to tell if they are in a good state with their security. They don't have a way to tell if they've taken the right steps to secure the cloud, or if they've left some areas wide open. CNAPPs will allow any cloud developer to see that they are taking the right steps to secure their applications and resources, and for security teams to validate the state of security across their cloud applications without gaps.
As with any nascent space, it's easier to market than deliver, so ensure that any CNAPP you consider is able to adequately address the underlying drivers and changes that are causing your team to explore such a solution.
Wiz's Approach to CNAPP
Wiz's approach to CNAPP is based on these key pillars:
Agentless architecture: Wiz does not require any agents to be installed on your cloud resources, which makes it easy to deploy and manage, and avoids any performance impact.
Comprehensive visibility: Wiz provides 100% visibility into all of your cloud resources and risks, across all cloud providers and cloud services.
Graph-based security: Wiz builds a graph of all of your cloud resources and their relationships, which allows it to identify complex attack paths and prioritize risks more effectively.
Ruthless risk prioritization: Wiz's graph-based security approach allows it to identify complex attack paths and prioritize risks more effectively, so you can focus on the most important issues first.
Unified platform: Wiz provides a single platform for all of your cloud security needs, including vulnerability management, misconfiguration management, secrets management, and cloud forensics.
Wiz's CNAPP solution provides visibility into all of your cloud resources and risks, from infrastructure to data. It also provides actionable insights and recommendations to help you prioritize and remediate risks.