What is CNAPP? Security measures for the increasingly complex public cloud

With the rise in public cloud usage, incidents such as information leakage due to misconfiguration are increasing year by year. This article explores the Cloud Native Application Protection Platform (CNAPP), which has gained attention as a crucial security measure for public cloud environments. It delves into specific security challenges associated with public cloud usage, outlines the security functions designed to address these challenges, and provides key points for introducing CNAPP. This article is highly recommended for those facing security issues in public cloud environments.

Security Incidents on the Public Cloud Rise

The use of public clouds, such as PaaS and IaaS, is increasing every year, making system development on public clouds mainstream. However, serious incidents like information leaks have occurred on public clouds both in Japan and overseas.
In 2023, an AI researcher at Microsoft accidentally disclosed 38TB of sensitive data through GitHub due to a misconfiguration of the SAS token, a feature that allows data sharing from Azure Storage (*1). These public cloud incidents are on the rise. According to Trend Micro's research, the number of reported cyber-attacks on clouds from 2023 to 2024 increased faster than the previous year (*2).
To prevent information leakage caused by cyber-attacks or misconfigurations on public clouds, comprehensive security measures are essential. This includes addressing vulnerabilities and misconfigurations.
This article introduces effective measures to protect public clouds from cyber-attacks and information leakage risks. If you are using or considering using public cloud services and are concerned about current security measures, or if you are looking for information on effective security strategies, we hope this article will be helpful.

Public Cloud Specific Security Measures Issues

Configuration errors in the public cloud often stem from insufficient technical skills and attention to detail among those who develop and operate these systems. While it might seem that security education and operational reviews could resolve these issues, the reality is more complex. Here are some reasons why improving technical skills and attention alone may not be sufficient:

1. Rapid Changes and Wide Range of Services:

Public cloud services evolve quickly, with frequent specification changes, new service releases, and minor updates. This makes it challenging for personnel to keep up and configure systems accurately.

2. Complex Multi-Vendor Environments:

When combining a primary cloud platform with SaaS from other vendors, consistent security measures become difficult to implement. Each vendor's service specifications and necessary security measures must be understood and applied correctly.

3. Complicated Network Configurations:

Using multiple Availability Zones (AZ) and regions within the same public cloud for load balancing and fail-safe purposes complicates network configuration and access control, increasing the likelihood of misconfigurations. For example, Amazon Web Services (AWS) offers security services like AWS Security Hub, AWS Config, and Amazon GuardDuty to manage security information, detect misconfigurations, and identify threats. Managing these services across multiple platforms can be burdensome.

4. Complex Cloud-Native Applications:

Cloud-native applications often involve intricate configurations with multiple containers communicating with each other, making monitoring and vulnerability management challenging.

Given these unique security challenges in the public cloud, a comprehensive approach is necessary. One promising solution is the Cloud Native Application Protection Platform (CNAPP), which has gained attention for its effectiveness in addressing these issues.

Functions of CNAPP

To address these challenges, the Cloud Native Application Protection Platform (CNAPP) integrates multiple security functions into a single platform, ensuring security throughout the entire lifecycle from development to operation. CNAPP includes several key functions, as illustrated in Figure 1. The core components are Cloud Security Posture Management (CSPM), which protects cloud infrastructure, and Cloud Workload Protection Platform (CWPP), which secures application.

Figure 1 : CNAPP Components

The five functions of CNAPP are described in Table 1 below. Each function addresses a different security challenge, but they work together and complement each other to make the public cloud as a whole more secure.

Function Name	Function Description	Solution
CSPM (Cloud Security Posture Management)	Visualize the state of public cloud security settings Detect configuration errors, management deficiencies, and compliance violations	Prevent damage by immediately notifying users of missing settings and other problems without noticing changes in public cloud service specifications, or by automatically correcting settings
CWPP (Cloud Workload Protection Platform)	Monitor and protect cloud workloads (Virtual machines, containers, serverless, storage, networking) Vulnerability protection, intrusion prevention, and malware protection	Provides centralized security for multiple cloud workloads of different types
CIEM (Cloud Infrastructure Entitlement Management)	Manage account settings and resource access permissions Detect over-granting permissions Visualize unused accounts	Manage large amounts of accounts and set permissions appropriately for large organizations. Reduce unattended accounts and mis granted permissions
IaC (Infrastructure as Code) Scanning	Manage the configuration and settings of cloud infrastructure such as virtual machines and networks by coding them into IaC Scan IaC code to detect and repair weak settings and configuration errors	Easily manage cloud infrastructure configuration and settings by writing them in code Template cloud infrastructure configuration and settings to build cloud infrastructure automatically Scan IaC reduces mistakes and errors compared to manually configuring and configuring cloud infrastructure
KSPM (Kubernetes Security Posture Management)	Manage Kubernetes environment security and compliance Detect incorrect settings in a Kubernetes cluster Vulnerability scanning, log monitoring, and policy management	Centralized management of the entire Kubernetes cluster to detect configuration errors that are likely to occur in complex configurations

Table 1: CNAPP Components

Considerations for deploying CNAPP products

As previously explained, there are two primary approaches to implementing security measures for the public cloud: utilizing security services provided by public cloud vendors or deploying CNAPP products. The best method for your organization will depend on your specific public cloud environment, security needs, and budget. Table 2 below compares the use of security services provided by public cloud vendors with the deployment of CNAPP products, summarizing key points for reference.

Implementation method	Characteristics	Example of deployment cases
Using security services provided by public cloud vendors	You can start security measures by simply enabling functions from the management console of the cloud service Less expensive than CNAPP products	You only need to implement basic security measures provided by public cloud vendors here are not many systems on the public cloud to be managed
Adopting CNAPP products for security operations	You can visualize and operate multiple security functions together You can manage the security of multiple systems on the public cloud even with a small number of people You can perform more advanced security measures than the basic security measures provided by public cloud vendors	You have a large number of public cloud systems in your organization, and you want to manage them collectively When a large number of public cloud systems exist in an organization and are managed by a small number of people When consistent security measures are taken in a system configuration that combines services from multiple public cloud vendors

Table 2: Considerations for deploying CNAPP products and specific cases

Lastly

Public cloud services have become increasingly complex, and manual security measures by personnel are no longer sufficient. As a comprehensive security solution covering the entire process from development to operation, the introduction of CNAPP products, as described in this article, is highly effective. By implementing CNAPP products, organizations can centrally manage multiple public cloud services, integrate various security functions, and utilize a visual GUI, thereby reducing the overall workload.
The introduction of CNAPP products is particularly beneficial for large organizations that need to manage cloud services across multiple public clouds or wish to reduce the operational burden of security management. However, it is important to consider the cost-effectiveness of CNAPP products, as they can be expensive. We hope the points discussed in this article will be helpful when considering the introduction of CNAPP products.

Yoshimasa Hayashi

NTT DATA Group Corporation

After joining NTTDATA-CERT, he worked in CSIRT. He is currently in charge of 0 trust security research and verification.