There is a transformation happening in cloud security. Gartner has identified Cloud-Native Application Protection Platforms (CNAPP) as the category to address the full protection of cloud applications from development to production. According to Gartner, “until recently, comprehensively securing cloud-native applications required the use of multiple tools from multiple vendors that are rarely well-integrated and often only designed for security professionals, not in collaboration with developers.” For organizations, this siloed approach was ineffective at prioritizing actual risk, generated excessive alerts, and wasted developers’ time. CNAPPs offer an integrated approach that enables collaboration across teams to secure an increasingly complex attack surface.
The future of cloud security is CNAPP
The days of siloed approaches to cloud security are coming to an end. Gartner states that, “Since identifying the convergence between CWPP, CSPM, cloud infrastructure entitlement management (CIEM) and other cloud security technologies in early 2021, client interest as indicated by inbound inquiries with inquiry growth has grown significantly. The number of end-user calls on CNAPPs grew 70% from 2021 to 2022 with an emphasis on CSPM due to compliance drivers and ease of deployment via APIs.” Gartner expects significant further growth for CNAPP over the next several years, including these Strategic Planning Assumptions:
By 2026, 80% of enterprises will have consolidated security tooling for the life cycle protection of cloud-native applications to three or fewer vendors, down from an average of 10 in 2022.
By 2025, 75% of new CSPM purchases will be part of an integrated CNAPP offering.
By 2025, 60% of enterprises will have consolidated cloud workload protection platform (CWPP) and cloud security posture management (CSPM) capabilities to a single vendor, up from 25% in 2022.
What to look for in a CNAPP
A complete CNAPP provides an integrated set of capabilities that gives visibility into risk across the full lifecycle: from the development artifact, to the cloud configuration, to the runtime environment.
Per Gartner, these capabilities should be cohesive; a well-architected single-vendor CNAPP offering should have the following key characteristics:
All services should be fully integrated, not loosely coupled independent modules (typically resulting from a vendor’s internal silos, poorly integrated OEM components or those added from an acquisition). Integration should include the front-end console, unified policy across multiple points of inspection and a unified back-end data model.
Deep understanding of relationships between the elements of an application (VMs, containers, service functions and storage), security posture, permissions and connectivity, typically enabled by underlying graph database technology.
Deep understanding of the relationship between development artifacts (custom code, libraries, container images, VMs and IaC scripts), who created them and when they were created, who deployed them and when they were deployed, and who changed them and when they were changed.
Integrated advanced analytics that are combined with the graph relationships to risk-prioritize findings both in development and at runtime.
Single security policy for risk assessment across all artifacts — containers, VMs, serverless functions and data storage.
So how should enterprises proceed? For organizations that are ready to evaluate CNAPP offerings, Gartner recommends “Create a unified CNAPP strategy and evaluation team spanning cloud security, container security and application security. Because the developer is the ultimate persona that will be asked to remediate the identified risk, the team should include representatives from DevSecOps/development.” Developer experience should be a primary goal to reduce friction, provide better risk identification, and reduce false positives.
When it comes to evaluation, Gartner says to “prioritize CNAPP offerings with deep relationship graph analytics expertise,” adding: “A single vendor should implement a single data lake, data model and unified graph database for all event logging, reporting, alerting and relationship mappings. This enables the vendor to deliver against the vision of RiskOps — finding the root cause of the risk, identifying the person/team responsible for fixing it and risk-prioritizing the remediation efforts. This reduces the attack surface and shortens remediation times.”
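The characteristics listed above (a relationship graph spanning workloads, identities and data; provenance of development artifacts; analytics that risk-prioritize findings) and the RiskOps description in the last quote are abstract. As an added illustration, not code from the original post, from Wiz, or from Gartner, here is a toy Python model of that idea: a constructed inventory graph, a breadth-first search that finds what an attacker could reach from each workload, a scoring rule that weights a CVE by internet exposure and by reachable admin identities or sensitive data, and owner attribution by following the image's built_by edge back to a team. All node names, relation names, CVE labels and scoring weights are assumptions made for the example.

```python
"""Added illustration: risk-prioritizing findings with a relationship graph.

Constructed example, not a real inventory or any vendor's implementation.
Node kinds, relation names, CVE labels and scoring weights are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Node:
    node_id: str
    kind: str  # assumed kinds: internet, vm, container, image, role, bucket, team
    attrs: dict = field(default_factory=dict)


class AssetGraph:
    """Directed graph with typed edges: src -[relation]-> dst."""

    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}
        self.out: Dict[str, List[Tuple[str, str]]] = defaultdict(list)

    def add_node(self, node_id: str, kind: str, **attrs) -> None:
        self.nodes[node_id] = Node(node_id, kind, attrs)

    def add_edge(self, src: str, relation: str, dst: str) -> None:
        self.out[src].append((relation, dst))

    def reachable(self, start: str, relations: Set[str]) -> Dict[str, List[str]]:
        """BFS over the given relation types only; returns node -> path from start."""
        paths = {start: [start]}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for rel, nxt in self.out[cur]:
                if rel in relations and nxt not in paths:
                    paths[nxt] = paths[cur] + [nxt]
                    queue.append(nxt)
        return paths


@dataclass
class Finding:
    workload: str
    cve: str
    cvss: float
    score: float
    owner: Optional[str]   # team that built the vulnerable image
    path: List[str]        # attack path from the workload to the worst reachable asset
    reasons: List[str]


# Relations an attacker can follow after compromising a workload (assumed model)
LATERAL = {"assumes", "can_read"}


def prioritize(g: AssetGraph) -> List[Finding]:
    """Score each (workload, CVE) by what the workload's position in the graph exposes."""
    exposed = g.reachable("internet", {"reaches"})  # workloads the internet can hit
    findings: List[Finding] = []
    for wl in g.nodes.values():
        if wl.kind not in ("vm", "container"):
            continue
        lateral = g.reachable(wl.node_id, LATERAL)
        admin = [n for n in lateral if g.nodes[n].attrs.get("admin")]
        sensitive = [n for n in lateral if g.nodes[n].attrs.get("sensitive")]
        for rel, image_id in g.out[wl.node_id]:
            if rel != "runs":
                continue
            owners = [d for r, d in g.out[image_id] if r == "built_by"]
            for cve, cvss in g.nodes[image_id].attrs.get("cves", []):
                # Assumed weights: exposure doubles the score; a reachable admin
                # identity and reachable sensitive data each add 50%.
                factor, reasons = 1.0, []
                if wl.node_id in exposed:
                    factor += 1.0
                    reasons.append("internet-exposed")
                if admin:
                    factor += 0.5
                    reasons.append(f"reaches admin identity {admin[0]}")
                if sensitive:
                    factor += 0.5
                    reasons.append(f"reaches sensitive data {sensitive[0]}")
                path = lateral[sensitive[0]] if sensitive else [wl.node_id]
                findings.append(Finding(wl.node_id, cve, cvss, round(cvss * factor, 1),
                                        owners[0] if owners else None, path, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def build_sample_graph() -> AssetGraph:
    """Constructed sample inventory (placeholder names, not real assets or CVEs)."""
    g = AssetGraph()
    for team in ("payments-team", "platform-team"):
        g.add_node(team, "team")
    g.add_node("internet", "internet")
    g.add_node("img:checkout:1.4", "image", cves=[("CVE-A", 7.5)])  # moderate
    g.add_node("img:batch:0.9", "image", cves=[("CVE-B", 9.8)])     # critical
    g.add_node("role-admin", "role", admin=True)
    g.add_node("role-readonly", "role", admin=False)
    g.add_node("s3-customer-pii", "bucket", sensitive=True)
    g.add_node("s3-logs", "bucket", sensitive=False)
    g.add_node("vm-checkout", "vm")
    g.add_node("ctr-batch", "container")
    g.add_edge("img:checkout:1.4", "built_by", "payments-team")
    g.add_edge("img:batch:0.9", "built_by", "platform-team")
    g.add_edge("vm-checkout", "runs", "img:checkout:1.4")
    g.add_edge("internet", "reaches", "vm-checkout")
    g.add_edge("vm-checkout", "assumes", "role-admin")
    g.add_edge("role-admin", "can_read", "s3-customer-pii")
    g.add_edge("ctr-batch", "runs", "img:batch:0.9")
    g.add_edge("ctr-batch", "assumes", "role-readonly")
    g.add_edge("role-readonly", "can_read", "s3-logs")
    return g


if __name__ == "__main__":
    for f in prioritize(build_sample_graph()):
        print(f"{f.score:5.1f} {f.workload:12} {f.cve} cvss={f.cvss} owner={f.owner} "
              f"path={' -> '.join(f.path)} why={', '.join(f.reasons) or 'isolated'}")
```

Run stand-alone, it ranks the checkout VM's CVSS 7.5 finding (internet-exposed, assumes an admin role that can read a PII bucket, owned by payments-team) above the isolated batch container's CVSS 9.8 finding. That inversion is the point of graph-based prioritization: context decides the order, not raw severity, and the same traversal yields the attack path and the team to route the ticket to. In a real deployment the graph would be populated from cloud APIs, IAM policy evaluation and scanner output, and the weights would be tuned; the structure is what the Gartner characteristics describe.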
From our perspective, this Gartner research is valuable for any team planning to secure their cloud development. We are proud that Wiz is recognized as a Representative Vendor in the March 2023 Gartner Market Guide for Cloud-Native Application Protection Platforms. We recommend you download the full complimentary document to review all of the Gartner insights, including a summary of core, recommended, and optional CNAPP capabilities.
Gartner, Market Guide for Cloud-Native Application Protection Platforms, Neil MacDonald, Charlie Winckless, Dale Koeppen, 14 March 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.