What is a CNAPP?
A cloud-native application protection platform (CNAPP) is a unified platform that simplifies securing cloud applications throughout their lifecycle.
CNAPP defined
CNAPP is a term first coined by Gartner in 2021 to describe an all-in-one platform that unifies security and compliance capabilities to prevent, detect, and respond to cloud security threats. A CNAPP integrates multiple cloud security solutions that have been traditionally siloed in a single user interface, making it easier for organizations to protect their entire cloud application footprint.
One of the main objectives of a CNAPP is to embed security into the earliest stages of the application development process. The cloud allows organizations to innovate and scale applications, but its sheer scale multiplies the avenues cybercriminals can use to attack. Developers and security professionals therefore need to spot and fix security flaws as early in an application’s development as possible—a trend referred to as “shifting left”—to prevent bigger security gaps down the line.
Capabilities that set CNAPPs apart
By bringing multiple cloud application security tools under a purpose-built umbrella, CNAPPs make it simpler to embed security into the application lifecycle while providing superior protection for cloud workloads and data. A CNAPP has several key capabilities that help you achieve that, including:
- Multicloud support. Seamlessly unify security and compliance across multiple public and private cloud infrastructure environments, giving you complete visibility of your multicloud data estate.
- Threat intelligence integration. Focus on the most critical vulnerabilities first with an integrated, prioritized view of threats and reduce risk with automatic recommendation and remediation tools.
- Centralized compliance and permissions management. Continuously monitor data governance and compliance and automatically enforce the principle of least privileged access across your cloud footprint.
- “Shifted left” DevOps security management. Enable security teams to collaborate with developers on a platform with common workflows, data, and insights so they can embed security into application code as soon as it’s created.
- Comprehensive cloud workload protection. Improve visibility into all your workloads to detect vulnerabilities and misconfigurations more easily.
- Ease of use. Consolidating vendors with a CNAPP reduces the complexity of your tool stack, which can be a source of frustration and inefficiency.
- Depth and breadth of insights. An end-to-end solution—especially one from a hyperscale cloud provider—can help eliminate significant gaps and blind spots.
The components that make a CNAPP work seamlessly
While CNAPPs currently on the market have some differences, there are several core capabilities your CNAPP must have for it to provide holistic protection for your cloud applications and infrastructure. Choose a solution that integrates:
Cloud security posture management (CSPM)
CSPM solutions are designed to provide security teams with a connected, prioritized view of potential vulnerabilities and misconfigurations across multicloud and hybrid environments. A CSPM continuously assesses your overall security posture and gives security teams automated alerts and recommendations about critical issues that could expose your organization to data breaches. It has automated compliance management and remediation tools to spot gaps and keep them closed.
Multipipeline DevOps security
DevOps security management gives developers and security teams a central console to manage DevOps security across all pipelines. This strengthens their ability to minimize cloud misconfigurations and scan new code to keep vulnerabilities from reaching production environments. Infrastructure-as-code scanning tools pore over your configuration files from the earliest stages of development to confirm that new configuration files are compliant with your security policies.
Cloud workload protection platform (CWPP)
CWPPs provide real-time detection and response to threats based on the latest intelligence across all your multicloud workloads, such as virtual machines, containers, Kubernetes, databases, storage accounts, network layers, and app services. CWPPs help security teams conduct speedy investigations into threats and reduce their organization’s attack surface.
Cloud infrastructure entitlement management (CIEM)
A CIEM centralizes permissions management across your entire cloud and hybrid footprint, preventing accidental or malicious permissions misuse. It helps security teams protect against data leakage and universally enforce the principle of least privilege.
Cloud service network security (CSNS)
CSNS solutions complement CWPPs by protecting cloud infrastructure in real time. A CSNS solution can include a wide variety of security tools such as distributed denial-of-service protection, web application firewalls, transport layer security examination, and load balancing.
Why is a CNAPP important?
An increasing number of organizations are investing in CNAPPs to enable them to:
- Get better protection against cyberthreats. The best way to address rapidly changing threat vectors is to integrate security with the cloud. Doing so provides the broad and deep security and compliance insights every organization needs today.
- Trim costs in more ways than one. The immediate cost benefit of implementing a CNAPP is the overhead saved by using a comprehensive solution in place of multiple, fragmented tools. The long-term savings, however, can be much greater. Using a fragmented set of security tools can cause critical risks to creep in unseen between the gaps. Protect against the escalating cost of breaches and privacy violations—and the business cost of reputational loss—by streamlining the tools security teams use so they can operate with fewer gaps.
- Enable more efficient security operations. The evolving threat landscape and continually expanding attack surfaces cause security professionals to become overwhelmed with threat alerts. Meanwhile, there is a worldwide security talent shortage and your team’s time is precious. Having a unified set of tools with increased visibility and prioritized alerts can make it easier for your security team to protect a growing hybrid and multicloud estate.
- Shift security left. The most agile and cost-effective way to innovate with cloud applications is to ensure that they start secure and stay secure. Give security and development teams the collaboration platform they need to embed security into the application code itself. The earlier vulnerabilities in code and infrastructure are identified, the less time, money, and energy it will take to resolve them.
- Use automation to manage entitlements and detect risks. A CNAPP helps security admins use automated policy enforcement to protect against exposure through overprivileged access to infrastructure. A CNAPP also automates risk detection and compliance, allowing your organization to expand its cloud infrastructure while maintaining a strong security posture.
CNAPP implementation checklist
If you are considering deploying a CNAPP, create a strategy for choosing a vendor and integrating your CNAPP with your organization’s systems. Work these fundamentals into your plan:
- Choose a mature solution. Select a provider that is committed to remaining at the leading edge of multicloud security. Your CNAPP will need to evolve in sophistication as cyberthreats do. It’s also important to have a vendor that can support you through the implementation process.
- Prioritize comprehensiveness. Finding the most holistic solution now will help you get the most value out of the shift to a CNAPP in the long term.
- Address alert fatigue. A comprehensive solution with the most optimized prioritization of threats and alerts—for example, from a vendor that is also a cloud provider—will ease the burden on your security team.
- Cover all your environments and artifact types. Be sure that the CNAPP you choose can integrate security functions across the on-premises, private cloud, and public cloud resources you use and all the different types of artifacts you need to protect—otherwise it won’t reduce complexity in the way a CNAPP is intended to.
- Shift to a development, security, and operations (DevSecOps) culture. Move your application development lifecycle from a DevOps model to a DevSecOps model—one in which fortifying security is a continuous part of the process rather than an afterthought. Plan for any necessary shifts in responsibilities and workflows that are likely to take place once your CNAPP is deployed.
- Factor in change management. A consolidated solution will take time to deploy and both security teams and developers will need to become familiar with the CNAPP’s features. Plan ahead so you can minimize disruptions to your operations.
CNAPP solutions
CNAPPs are still evolving. As you search for products that combine cloud-native application protection tools on a single platform, you may find that there are a handful of fully comprehensive options and many others that combine select security components.
Microsoft Defender for Cloud is one of the few comprehensive CNAPPs. It provides end-to-end cloud security for full-stack workloads across Amazon Web Services, Google Cloud Platform, and Azure Cloud Services. Microsoft is the only vendor that is both a CNAPP and a public cloud provider. Defender for Cloud draws rich insights from Microsoft Azure and uses industry-leading Microsoft AI to analyze 65 trillion global signals a day to identify emerging threats.
Learn more about Microsoft Security
Microsoft Cloud Workload Protection
Detect and respond to threats across a wide range of workload types in real time.
Microsoft Defender for Cloud
Strengthen your security posture, develop secure applications, and protect workloads across clouds.
Microsoft Defender Cloud Security Posture Management
Prioritize the most critical risks and get unified visibility of your multicloud security posture.
Microsoft Defender for DevOps
Unify DevOps security across all pipelines and hybrid and multicloud environments.
The next wave of multicloud security
Learn what’s driving CNAPP adoption and how to embed security from code to cloud.
Information Protection
Frequently asked questions
-
A CNAPP unifies security and compliance capabilities on a single platform to better prevent, detect, and respond to cloud security threats. Using a single user interface gives organizations comprehensive threat visibility across multiple cloud environments and workloads. It also allows developers and security teams to embed security in applications early in the development lifecycle.
-
A cloud-native application is a program that is built to take advantage of cloud computing architecture. It’s designed and delivered differently from a traditional monolithic application and is faster to develop. Cloud-native applications are more scalable and portable than traditionally delivered applications.
-
A CNAPP such as Microsoft Defender for Cloud is the best way to secure cloud-native applications. It helps developers and security teams to enhance security throughout the development lifecycle. It also provides centralized threat visibility, compliance, and permissions management across multicloud environments.
-
Here are two CNAPP use cases.
An organization that has adopted modern DevSecOps application development methods but has been using multiple siloed tools to protect applications from code to cloud might deploy a CNAPP. A CNAPP would simplify and speed up DevSecOps significantly.
An organization with applications and workloads widely distributed across private and public clouds and a security team that is struggling to prioritize alerts would also find advantages from implementing a CNAPP. A CNAPP would centralize threat visibility into a single console for the security team and automate compliance and permissions management functions, making the entire cloud footprint easier to secure.
-
A cloud-native application protection platform (CNAPP) is a unified group of security solutions on a single platform that protects applications from development to runtime.
A cloud access security broker (CASB) safeguards your organization's use of cloud services by enforcing your enterprise security policies, mitigating risk, and maintaining regulatory compliance.
A cloud security posture management (CSPM) solution provides security teams with a prioritized view of potential vulnerabilities and misconfigurations across cloud environments and continuously assesses your overall security posture.
A cloud workload protection platform (CWPP) provides real-time detection and response to threats based on the latest intelligence across all your multicloud workloads.
Follow Microsoft Security