
Highlights

Cloud IaaS is used extensively to develop and deliver new applications and to reengineer existing ones. This is often because cloud services provide an environment for accelerated development without the need for capital expenditure and avoid the lengthy procurement delays involved in obtaining hardware. However, this also creates challenges, in particular because security is a shared responsibility, and complexity increases since each cloud service provides security capabilities in diverse ways. While the Cloud Service Providers (CSPs) must take steps to secure the service they provide, it is up to the customer to secure the way they use the service. Cloud-Native Application Protection Platforms (CNAPP) are intended to reduce this complexity by helping organizations that use multiple cloud services to identify and manage the risks for which they are responsible.

Unfortunately, many organizations still tend to underestimate the potential security challenges of exposing their APIs without a security strategy and infrastructure in place. Although organizations like OWASP are doing a lot to promote awareness of critical API risks with projects like the recently updated API Security Top 10, this sometimes has the opposite effect: the public tends to forget about the long tail of other problems they have to deal with beyond this essential but definitely not exhaustive list.

  • The customer is responsible for the security and compliance of how they use cloud services, and there are several factors which increase risks when using the cloud.
  • Cloud services are dynamic, so a traditional static approach to security is not effective. In addition, many organizations fail to adapt and apply their normal internal security and compliance controls to the cloud.
  • The distinctive feature of CNAPP solutions is the integration of multiple capabilities that were previously offered as standalone products to address various risks and challenges.
  • This report describes the major capabilities that CNAPP should provide to help customers secure their use of cloud services, and then evaluates solutions from several vendors.
  • These solutions should cover the major IaaS cloud services and provide visibility of the risks from the way that these are configured and used.
  • The capabilities should automate the detection, reporting and remediation of vulnerabilities and threats across cloud entitlements, compute services, cloud network and storage elements as well as Kubernetes orchestration platforms and CI/CD pipelines.
  • The capabilities should support DevOps teams as well as security teams.
  • They should also help to manage and report on compliance with laws and regulations, as well as to implement security best practices.
  • This is still an evolving market and in the near term we expect products to mature by expanding the depth of their coverage and increasing the use of AI/ML to enhance effectiveness.
  • In the longer term, the increasing use of AI and Large Language Models (LLM) creates an entirely new kind of cloud workload with new risks and challenges. Tools will be needed to help to manage these.