This shift to cloud native requires integrating multiple security capabilities into a single platform.
For those not familiar with CNAPP, it’s a consolidation of different point products that businesses use to achieve their cloud security objectives. CNAPP makes information security (InfoSec) teams more efficient in public cloud risk mitigation by pulling in signals from different sources to help identify and prioritize vulnerabilities.
Zscaler’s differentiator is that it built Posture Control from the ground up, with a single data store and risk-driven prioritization to help the InfoSec team be more efficient. The data is generated from the company’s Zero Trust Exchange that processes billions of transactions a day.
For most businesses, cloud is the primary way forward as the flexibility and agility it offers can be incredibly powerful from an innovation standpoint. However, if not properly managed, vulnerabilities can spread across the enterprise quickly. InfoSec teams are in a difficult spot: they’ve lost the control they once had as gatekeepers for apps and services. Today, software development and IT operations (DevOps) can easily launch new apps and services to the cloud with no such gate in place.
For this reason, every organization should be thinking about protecting assets that live in the public cloud by identifying vulnerabilities as early as possible, even before an app or service goes into production. The ultimate goal is building security into the development process. It helps the overall health of the business—how it competes and goes to market.
In my latest ZKast, I interviewed Rich Campagna, senior vice president and general manager of CNAPP at Zscaler, where he oversees strategy for securing public cloud infrastructure and workloads. CNAPP allows organizations to build, deploy, and run secure apps in the public cloud. Campagna explained how CNAPP can help organizations maintain the pace of innovation in the public cloud, while effectively mitigating security risks. Highlights of my ZKast interview, done in conjunction with eWEEK eSPEAKS, are below.
- CNAPP allows InfoSec teams to collaborate with DevOps teams by integrating into the development lifecycle. Organizations can start to identify risks from the time a developer writes code all the way through to the app’s deployment and run phase. It scans not just what’s in the cloud but also what’s going to be in the cloud, across the entire lifecycle, and provides remediation.
- As organizations move to the cloud, more of the security responsibility is shifting to developers. Developers have the power to provision apps and services to the cloud with a few clicks. While this can be seen as a major challenge for InfoSec teams, it’s also an opportunity for a more strategic approach to security where both teams work together to mitigate risks.
- CNAPP not only helps secure apps, but also the development process. The policies that CNAPP provides are oriented around things like misconfigurations and other types of issues. That’s the foundation layer. Above that is the app and data-centric layer, such as scanning for vulnerabilities. So, issues can be identified even before apps and services get deployed.
- CNAPP can be integrated into the native workflows that DevOps teams already use. Through tight integration, vulnerabilities can be identified without deploying additional tools. InfoSec teams can see exactly what the issue is and how to fix it, while developers can continue to launch services without interruption.
- CNAPP isn’t a panacea for all security issues. It specifically targets workloads that are running in public cloud environments. All CNAPP vendors support the three major cloud providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Ultimately, every organization is responsible for its security, not the public cloud providers.
- CNAPP scans data that has been deployed across public clouds and then identifies the data source code, since it’s an important part of the risk equation. CNAPP also scans core vulnerabilities in containers, virtual machines (VMs), serverless functions, and assets. It looks at the underlying infrastructure and what’s running inside that infrastructure.
- There are a number of cloud security tools on the market today, such as cloud security posture management (CSPM) and cloud workload protection platform (CWPP). Yet, organizations don’t want to run a dozen different security tools to protect their public cloud infrastructure. That’s why CNAPP is used to eliminate some of the other tools.