Cloud Native Application Protection Platform (CNAPP)

Learn how a CNAPP solution can provide a more holistic picture of risk in the application development process.

Try InsightCloudSec

What is a cloud native application protection platform (CNAPP)?

A cloud native application protection platform (CNAPP) is a cloud security model that takes an integrated, lifecycle approach to protecting hosts and workloads in truly cloud-native application development environments. These environments have their own unique needs and challenges, so it should come as little surprise that new security product categories have arisen to address those concerns.

Gartner listed CNAPP as an official cloud security category in 2021, saying at the time that “optimal security of cloud-native applications requires an integrated approach that starts in development and extends to runtime.” DevOps organizations building applications within an ephemeral environment like the cloud need complete and real-time visibility into the process in order to catch misconfigurations or vulnerabilities as they emerge. Many see CNAPP security as synonymous with shifting left and integrating security into the development lifecycle as tightly as possible.

By considering end-to-end application security in the cloud, organizations can begin to realize benefits like more deeply layered defenses and more frequent access to workloads. A CNAPP also brings significant automation capabilities which, if calibrated correctly, can greatly improve the efficiency of cloud management. Previously siloed approaches to application security are unified in a CNAPP and have raised the bar for vendors that tout next-gen application security solutions and tooling.

What are the key components of a CNAPP?

Breaking down the components and capabilities of a CNAPP solution can be a moving target, but Gartner does define minimum requirements a solution must meet. Below, let's look at some of the core capabilities that define those requirements:

Cloud security posture management (CSPM)

A CSPM solution identifies and remediates threats across an enterprise's cloud environments. It uses automation to handle security risks as quickly as possible, working in concert with developer and IT security teams. Other key CSPM capabilities include security risk assessment, incident response, and DevOps integration. CSPM solutions are compatible with hybrid and containerized cloud environments, but are most effective in multi-cloud environments. It's here that they can provide unparalleled visibility into an organization's cloud assets and their respective configurations.

Cloud workload protection platform (CWPP)

A CWPP solution must provide the ability to manage any workload currently deployed on a company's cloud platforms. Development organizations can integrate a CWPP into their automated CI/CD pipeline, typically as part of the build process. This approach is becoming commonplace in organizations following the DevOps or DevSecOps methodologies. Any CWPP must integrate seamlessly with the rest of the enterprise SecOps infrastructure; it also enhances the capabilities of the security operations center (SOC), helping it detect and analyze sophisticated cloud-based cyberattacks more effectively.

Cloud infrastructure entitlement management (CIEM)

A CIEM solution is identity-centric and focuses on managing cloud access risk. CIEM leverages administration-time controls for managing entitlements and data governance in hybrid and multi-cloud IaaS architectures. These tools handle identity governance for dynamic cloud environments, typically following the principle of least privilege, where users and entities are able to access only what they need, at the right time and for the right reason.

Container security

Container security is the practice of implementing mechanisms and processes to secure containerized applications and workloads on platforms such as Kubernetes. It's critical in today's cloud environments to have maximum visibility into aspects like container-host location, identifying running or stopped containers, discovering container hosts that do not comply with CIS benchmarks, and performing vulnerability assessments. Container security should be implemented as early in the CI/CD pipeline as possible to expose application risks faster and to minimize friction in the development process.

Infrastructure as code (IaC) security

Infrastructure as code (IaC) is the practice of leveraging code – in the form of pre-built templates – to provision the infrastructure resources necessary to support cloud-based applications. Developers can use this highly repeatable practice to write, test, and release the code that creates the infrastructure an application will run on. Securing this process is critical: the later in the application development process that security controls are implemented, the more likely it is that misconfigurations or vulnerabilities exist that could be exploited by attackers.
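To make the IaC and CIEM points above concrete, here is an added example (not code from the page or from any vendor's product) of the kind of pre-deployment template check a pipeline stage can run: it parses a constructed CloudFormation-style JSON template and flags a public bucket ACL, a management port open to the internet, and an IAM policy that grants `*` on `*` in violation of least privilege. Resource names, the template contents and the rule set are all assumptions made for this illustration.

```python
import json

# Constructed sample template for this example (not from any real project).
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"AccessControl": "PublicRead"}},
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup",
                "Properties": {"SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"}]}},
    "BuildRole": {"Type": "AWS::IAM::Role",
                  "Properties": {"Policies": [{"PolicyDocument": {"Statement": [
                      {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "PrivateBucket": {"Type": "AWS::S3::Bucket",
                      "Properties": {"AccessControl": "Private"}},
}})

def check_s3(name, props):
    # A non-private bucket ACL exposes objects beyond the account.
    acl = props.get("AccessControl", "Private")
    if acl != "Private":
        yield (name, "S3 bucket ACL is %s" % acl)

def check_sg(name, props):
    # Management ports reachable from any address are a classic exposure.
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") == "0.0.0.0/0" and rule.get("FromPort") in (22, 3389):
            yield (name, "port %s open to 0.0.0.0/0" % rule["FromPort"])

def check_iam(name, props):
    # Allow */* contradicts least privilege; this is a CIEM-style finding.
    for policy in props.get("Policies", []):
        for stmt in policy.get("PolicyDocument", {}).get("Statement", []):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if stmt.get("Effect") == "Allow" and "*" in actions and stmt.get("Resource") == "*":
                yield (name, "policy allows Action * on Resource *")

CHECKS = {"AWS::S3::Bucket": check_s3, "AWS::EC2::SecurityGroup": check_sg,
          "AWS::IAM::Role": check_iam}

def scan_template(text):
    """Return [(resource_name, finding), ...] for a CloudFormation-style JSON doc."""
    doc = json.loads(text)
    findings = []
    for name, res in doc.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings

if __name__ == "__main__":
    for name, msg in scan_template(SAMPLE_TEMPLATE):
        print("FAIL %s: %s" % (name, msg))
```

A non-empty result is what a build stage would turn into a failed check, so the misconfiguration never reaches the deploy step.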

In its recent CNAPP Market Guide, Gartner provides a more exhaustive list of core, recommended, and optional capabilities by product category.

What problems does a CNAPP solve?

A CNAPP addresses challenges such as visibility across the entire application lifecycle, cloud risk management, and prioritization of detected vulnerabilities. Let's look at some specific use cases:

Enhanced visibility and risk quantification

Visibility across the development lifecycle has long been the most critical challenge facing security teams. This is why it's so critical to shift security left as much as possible, in order to catch missteps earlier in the process and prior to deployment. Post-deployment and runtime should not be forgotten from a visibility standpoint, which is why it's important that CNAPP vendors emphasize the entire lifecycle. Quantifying and prioritizing risks for remediation can be difficult without the enhanced visibility a CNAPP can provide.

Integrated cloud security solutions

The magic solution would catch every issue during the development process, aided by total visibility and contextual prioritization. No CNAPP product can do this perfectly 100% of the time. But a good vendor should be able to offer a solution that can keep pace with the rapid cloud growth goals of DevOps, tailoring security to developers without continually disrupting their workflows.

Secure software development

Gartner says that “CNAPPs can improve the developer experience by integrating into their native development toolset as seamlessly and transparently as possible by reducing false positives and noise, by risk prioritizing their remediation efforts and by providing specific remediation guidance to resolve the identified risk.” The idea here is to be complementary to the development process without being a drag on the speed that was one of the primary drivers of cloud adoption in the first place. It's equally important for SecOps to understand the development environment and identify the key areas where vulnerability scanning can be moved earlier in the process.

What are the benefits of a CNAPP?

A CNAPP solution can provide a more holistic picture of risk in the application development process. Its capabilities are broad but should not be overstated. As noted above, there is no silver bullet, but a capable CNAPP platform should be able to deliver the following benefits:

Cost savings and simplification

The concept of reducing complexity is not unique to cybersecurity. The pace of innovation, however, necessitates a continuous culling of outdated and legacy solutions that no longer have real impact and can be a financial drain on the company. Prospective CNAPP customers are increasingly looking to simplify operations by consolidating security into a solution from a single vendor that can bundle solutions, save customers money, and provide full lifecycle visibility.

Comprehensive coverage

At its best, a CNAPP solution should be a comprehensive approach to cloud security – both in the technology provided by vendors and the strategy executed by practitioners – that simplifies the process of monitoring and remediating risks from end to end within vast, complex cloud environments. Fragmented services can, for the most part, be a thing of the past with a CNAPP solution that simplifies the security of microservices-based architectures.

Keeping pace with developers

We've covered some of this above, but truly partnering with a DevOps organization so that securing the development lifecycle feels organic is really the best way to mitigate risk in that process. To that end, a CNAPP can leverage advanced analytics to gain greater risk visibility, which makes it possible for security practitioners to get a better sense of where to look and how to do that faster. This can help create a DevSecOps culture of faster remediation and prioritization.

Security guardrails

A CNAPP can aid in providing guardrails for the development process and also aid in the organic integration of security. In this way, developers can develop, automate, build, and deploy as they see fit, as long as they stay within the limits of the security guardrails. With this framework, innovation and speed don't have to be held in as much check – they can truly be an asset for the developer.