
What is CNAPP? Security measures for the increasingly complex public cloud
With the rise in public cloud usage, incidents such as information leakage due to misconfiguration are increasing year by year. This article explores the Cloud Native Application Protection Platform (CNAPP), which has gained attention as a crucial security measure for public cloud environments. It delves into specific security challenges associated with public cloud usage, outlines the security functions designed to address these challenges, and provides key points for introducing CNAPP. This article is highly recommended for those facing security issues in public cloud environments.
Security Incidents on the Public Cloud Rise
The use of public clouds, such as PaaS and IaaS, is increasing every year, making system development on public clouds mainstream. However, serious incidents like information leaks have occurred on public clouds both in Japan and overseas.
In 2023, an AI researcher at Microsoft accidentally disclosed 38TB of sensitive data through GitHub due to a misconfigured SAS token, a feature that allows data sharing from Azure Storage (*1). Public cloud incidents like this are on the rise. According to Trend Micro's research, the number of reported cyber-attacks on clouds from 2023 to 2024 increased faster than in the previous year (*2).
To prevent information leakage caused by cyber-attacks or misconfigurations on public clouds, comprehensive security measures are essential. This includes addressing vulnerabilities and misconfigurations.
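A concrete instance of such a misconfiguration check, applied to the SAS token case above: the sketch below is an added example, not part of the original article, that flags overly broad Azure Storage SAS URLs before they are shared. The account name, URLs, signature placeholders and the 7-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_REMAINING = timedelta(days=7)   # assumed policy threshold, not an Azure default
MODIFY_PERMS = set("acwd")          # add, create, write, delete (subset of SAS permission letters)

def audit_sas_url(url, now):
    """Return findings for one Azure Storage URL that may carry a SAS token."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return []                    # no SAS signature, nothing to audit
    findings = []
    # An account SAS carries ss/srt and can span whole services;
    # a service SAS carries sr and is limited to one resource.
    if "ss" in q and "srt" in q:
        findings.append(f"account-level SAS (ss={q['ss']}, srt={q['srt']})")
    risky = "".join(sorted(MODIFY_PERMS & set(q.get("sp", ""))))
    if risky:
        findings.append(f"grants modify permissions: {risky}")
    # spr is optional; when absent the token is valid over both HTTPS and HTTP.
    if q.get("spr", "https,http") != "https":
        findings.append("plain HTTP allowed")
    if "se" not in q:
        findings.append("no expiry in token (governed by a stored access policy)")
    else:
        exp = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if exp.tzinfo is None:       # date-only expiry: treat as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        if exp - now > MAX_REMAINING:
            findings.append(f"valid for {(exp - now).days} more days")
    return findings

# Constructed sample URLs (hypothetical account, placeholder signatures).
BROAD = ("https://examplestore.blob.core.windows.net/models?sv=2021-08-06"
         "&ss=b&srt=sco&sp=rwdlac&se=2050-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER")
NARROW = ("https://examplestore.blob.core.windows.net/models/weights.bin?sv=2021-08-06"
          "&sr=b&sp=r&se=2024-01-02T00:00:00Z&spr=https&sig=PLACEHOLDER")

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for name, url in (("BROAD", BROAD), ("NARROW", NARROW)):
        print(name, audit_sas_url(url, now) or "no findings")
```

Run over URLs found in a repository or document before publication, the first sample yields three findings and the second none.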
This article introduces effective measures to protect public clouds from cyber-attacks and information leakage risks. If you are using or considering using public cloud services and are concerned about current security measures, or if you are looking for information on effective security strategies, we hope this article will be helpful.
Security Challenges Specific to the Public Cloud
Configuration errors in the public cloud often stem from insufficient technical skills and attention to detail among those who develop and operate these systems. While it might seem that security education and operational reviews could resolve these issues, the reality is more complex. Here are some reasons why improving technical skills and attention alone may not be sufficient:
1. Rapid Changes and Wide Range of Services:
- Public cloud services evolve quickly, with frequent specification changes, new service releases, and minor updates. This makes it challenging for personnel to keep up and configure systems accurately.
2. Complex Multi-Vendor Environments:
- When combining a primary cloud platform with SaaS from other vendors, consistent security measures become difficult to implement. Each vendor's service specifications and necessary security measures must be understood and applied correctly.
3. Complicated Network Configurations:
- Using multiple Availability Zones (AZ) and regions within the same public cloud for load balancing and fail-safe purposes complicates network configuration and access control, increasing the likelihood of misconfigurations. For example, Amazon Web Services (AWS) offers security services like AWS Security Hub, AWS Config, and Amazon GuardDuty to manage security information, detect misconfigurations, and identify threats. Managing these services across multiple platforms can be burdensome.
4. Complex Cloud-Native Applications:
- Cloud-native applications often involve intricate configurations with multiple containers communicating with each other, making monitoring and vulnerability management challenging.
Given these unique security challenges in the public cloud, a comprehensive approach is necessary. One promising solution is the Cloud Native Application Protection Platform (CNAPP), which has gained attention for its effectiveness in addressing these issues.
Functions of CNAPP
To address these challenges, the Cloud Native Application Protection Platform (CNAPP) integrates multiple security functions into a single platform, ensuring security throughout the entire lifecycle from development to operation. CNAPP includes several key functions, as illustrated in Figure 1. The core components are Cloud Security Posture Management (CSPM), which protects cloud infrastructure, and Cloud Workload Protection Platform (CWPP), which secures applications.

Figure 1: CNAPP Components
The five functions of CNAPP are described in Table 1 below. Each function addresses a different security challenge, but they work together and complement each other to make the public cloud as a whole more secure.
Function Name | Function Description | Solution |
---|---|---|
CSPM (Cloud Security Posture Management) | | |
CWPP (Cloud Workload Protection Platform) | | |
CIEM (Cloud Infrastructure Entitlement Management) | | |
IaC (Infrastructure as Code) Scanning | | |
KSPM (Kubernetes Security Posture Management) | | |
Table 1: CNAPP Components
Considerations for deploying CNAPP products
As previously explained, there are two primary approaches to implementing security measures for the public cloud: utilizing security services provided by public cloud vendors or deploying CNAPP products. The best method for your organization will depend on your specific public cloud environment, security needs, and budget. Table 2 below compares the use of security services provided by public cloud vendors with the deployment of CNAPP products, summarizing key points for reference.
Implementation method | Characteristics | Example of deployment cases |
---|---|---|
Using security services provided by public cloud vendors | | |
Adopting CNAPP products for security operations | | |
Table 2: Considerations for deploying CNAPP products and specific cases
Lastly
Public cloud services have become increasingly complex, and manual security measures by personnel are no longer sufficient. As a comprehensive security solution covering the entire process from development to operation, the introduction of CNAPP products, as described in this article, is highly effective. By implementing CNAPP products, organizations can centrally manage multiple public cloud services, integrate various security functions, and utilize a visual GUI, thereby reducing the overall workload.
The introduction of CNAPP products is particularly beneficial for large organizations that need to manage cloud services across multiple public clouds or wish to reduce the operational burden of security management. However, it is important to consider the cost-effectiveness of CNAPP products, as they can be expensive. We hope the points discussed in this article will be helpful when considering the introduction of CNAPP products.

Yoshimasa Hayashi
NTT DATA Group Corporation
After joining NTTDATA-CERT, he worked in CSIRT. He is currently in charge of zero trust security research and verification.