What differentiates CNAPP offerings? What value do these solutions deliver to security and development teams? How is the CNAPP landscape evolving, and which aspects should cloud security leaders focus on?
We believe these questions are the primary focus of the latest Gartner Market Guide for Cloud-Native Application Protection Platforms, which helps security and risk management leaders responsible for cloud security strategies to analyze and evaluate emerging CNAPP offerings. In this blog post, we’ll discuss some of the salient points from the Market Guide. In our opinion, it’s an incredibly insightful read and we highly recommend downloading the full report here.
CNAPP owes its rise to multiple factors. Chief among them are the rapid adoption of AI and cloud, along with an ever-changing threat landscape in which attack techniques are constantly evolving.
Gartner writes in the report:
By 2029, 60% of enterprises that do not deploy a unified CNAPP solution within their cloud architecture will lack extensive visibility into the cloud attack surface and consequently fail to achieve their desired zero-trust goals.
Lack of visibility is a major driver of CNAPP adoption and security responsibility has expanded beyond infosec teams to include additional personas. Gartner shares the following insight:
With operational responsibilities shifting toward developers and cloud architects, the need for advanced tools to address vulnerabilities, deploy infrastructure as code and manage production implementations has grown to accommodate this expanded scope. Proactively identifying and prioritizing risks during development, while providing developers with adequate context, is essential due to developers perceiving security as an obstacle.
Meanwhile, as cloud security becomes democratized internally, attackers are also evolving their techniques and targets:
The attack surface of cloud-native applications and infrastructure is expanding, with attackers focusing on the runtime environment, including network, compute, storage, identities and permissions, and the misconfiguration of cloud management and control features. Additionally, APIs and the software supply chain itself have become targets for potential attacks.
The realities of today’s cloud operating model, coupled with the changing threat landscape, are why CNAPP solutions have become so prevalent. But with many competing offerings on market – and even competing definitions of what constitutes a CNAPP – how can security leaders cut through the noise? Here are some strategies, based on Wiz’s key takeaways from the Gartner report.
By 2029, Gartner predicts that over 80% of enterprises will adopt a centralized platform engineering and operations approach to facilitate DevOps self-service and scaling, a significant increase from less than 30% in 2023. In our opinion, this shift not only emphasizes the need for streamlined DevOps practices but also highlights the necessity for a cohesive security strategy that encompasses the entire development lifecycle. With a centralized approach, organizations can foster self-service and scale while maintaining robust security throughout the development process.
In the report Gartner projects that by 2029, 35% of all enterprise applications will run in containers, up from less than 15% in 2023.
The surge of containerization underscores the increasing reliance on cloud-native architectures and indicates a corresponding need for security solutions that can manage the complexities associated with container environments.
As developers increasingly utilize container technology, CNAPPs will need to provide enhanced visibility and control over these dynamic workloads.
CNAPPs break siloes between application development, cloud architecture, and security operations teams. Having a centralized platform enhances communication and risk identification throughout the development lifecycle. With real-time visibility into workloads and effective vulnerability management, “CNAPPs aim to deliver a comprehensive analysis of various elements and characteristics of the application and cloud environment with a strong emphasis on empowering developers to take responsibility for application risk’’.
One of the most significant advantages of CNAPPs is their ability to provide a unified view of risk across cloud environments. By connecting the dots across various layers of cloud infrastructure, CNAPPs help organizations prioritize risks effectively while consolidating siloed point products, reducing the burden on developers and security teams.
Furthermore, by balancing the need for product agility with security requirements, CNAPPs support innovation rather than inhibit it.
When organizations are assessing a CNAPP solution, Gartner suggests creating a joint evaluation team to identify and rank the enterprise functionality requirements into required, preferred and optional before sending out requests for information/purchase, as no single vendor is best-of-breed in all CNAPP capabilities. In our opinion, this approach aids in establishing fundamental requirements for each group, such as developer experience, risk identification, reducing false positives, and expediting remediation through improved collaboration among stakeholders. Moreover, the joint evaluation team is better equipped to pinpoint opportunities for simplifying processes and enhancing security enforcement and prioritization.
When it comes to evaluating CNAPP products, Gartner suggests all core services should be fully integrated, not loosely coupled independent modules (typically resulting from a vendor’s internal silos, poorly integrated OEM components or those added from an acquisition). Integration should include the front-end console, unified policy across multiple points of inspection and a unified back-end data model.
For example, a robust graph-based data model that can effectively analyze and visualize the intricate layers of the cloud to identify risk and potential attack paths. Gartner encourages assessing “the organization’s existing security DevSecOps tools portfolio from development through to runtime SecOps and build a matrix of what is essential to each of your teams and find where the overlaps are within CNAPP. Work with your teams to determine if tools consolidation is possible into CNAPP without causing major operational gaps or security holes.’’ Lastly, Gartner suggests running a functional pilot with real developers and applications before selecting a single-vendor CNAPP offering to ensure that the developer experience suits your business requirements.
As the market for CNAPPs continues to expand, enterprises can use these powerful solutions to achieve a comprehensive view of risk, streamline their security processes, and ultimately secure their cloud-native applications more effectively. Having a CNAPP is pivotal in order to navigate the complexities of a rapidly evolving threat landscape.
At Wiz, we feel that we are aligned to these key learnings from the Gartner report, in that the true value of CNAPP lies in its ability to transform processes and enable people across the business. Ultimately, a CNAPP is a way to democratize security across security, cloud, and engineering teams – so that all parties can be successful, innovating at speed while reducing risk.
Source:
Gartner, Market Guide for Cloud-Native Application Protection Platforms, Dale Koeppen, Charlie Winckless, Neil MacDonald, Esraa ElTahawy, 22 July 2024
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Wiz.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。