STEPS FORWARD: Can ‘CNAPP’ solutions truly unify cloud, on-premises best cybersecurity practices?

By Byron V. Acohido

A fledgling security category referred to as Cloud-Native Application Protection Platforms (CNAPP) is starting to reshape the cybersecurity landscape.


CNAPP solutions assemble a varied mix of security tools and best practices and focus them on intensively monitoring and managing cloud-native software, from development through deployment.

Companies are finding that CNAPP solutions can materially improve the security posture of both cloud-native and on-premises IT resources by unifying security and compliance capabilities. To realize that higher-level payoff, however, CISOs and CIOs must first bury the hatchet and truly collaborate, which turns out to be a bonus return in its own right.

In a ringing endorsement, Microsoft recently unveiled its CNAPP offering, Microsoft Defender for Cloud; this is sure to put CNAPP on a rising adoption curve with many of the software giant’s enterprise customers, globally. Meanwhile, Cisco on May 24 completed its acquisition of Lightspin, boosting its CNAPP capabilities, and Palo Alto Networks has continued to steadily sharpen its CNAPP chops, most recently with the acquisition of Cider Security.

At RSA Conference 2023, I counted at least 35 other vendors aligning their core services to CNAPP, in one way or another; many more seem likely to jump on the CNAPP bandwagon, going forward.

Newer vendors now primarily pitching CNAPP services include Uptycs, Runecast and Ermetic. Others range from vulnerability management (VM) stalwarts Tenable, Rapid7 and Qualys, to vendors crossing over from the cloud security posture management (CSPM) space, like Caveonix, Lacework and Wiz. Even endpoint security giants Trend Micro and Sophos have commenced pitching CNAPP solutions; so too are API security supplier Data Theorem and secure services edge (SSE) vendor Zscaler.


CNAPP at this juncture appeals mainly to enterprises that maintain large software development communities in the public cloud, Charlie Winckless, Gartner Senior Director Analyst, told me. “CNAPP products are tied to cloud maturity,” he explains. “This will continue to grow, but other security controls will remain important as well. CNAPPs protect cloud environments and the majority of organizations will be hybrid for a significant amount of time.”

Managing dynamic risks

Several developments have converged to put CNAPP on a fast track. Massive interconnectivity at the cloud edge is just getting started and will only intensify, going forward. This portends amazing advancements for humankind, and fresh revenue streams for innovative enterprises, but first a tectonic shift in network security must fully play out.

This is because the attack surface of cloud-native applications is expanding rapidly, with malicious hackers targeting insecure code up and down the software supply chain. Ransomware, email fraud and data theft continue to run rampant aided and abetted by insecure configurations of the myriad access points connecting on-premises and cloud IT assets.

The cybersecurity industry’s competitive bent hasn’t made it easy for companies to understand, much less gain control of, the escalating exposures spinning out of such a highly dynamic operating environment. To protect new cloud-native assets, rival vendors have pushed forward an alphabet soup of upgraded iterations of legacy tools and all-new technologies, without paying much attention to interoperability.

The result has been a stark lack of integration which has translated into an excessive volume of alerts, a good percentage of them trivial or even false. Tension between security teams trying to cope and software developers striving to innovate as fast as possible has boiled over. Something in the form of CNAPP (as coined by Gartner) was bound to come along.

According to Gartner’s March 2023 CNAPP market guide, CNAPP solutions consolidate multiple security and protection capabilities into a single platform capable of prioritizing excessive risk. This revolves around granular monitoring and management of cloud-native applications.

This type of overarching approach to securing modern networks can iterate from legacy security technologies, such as VM or endpoint detection and response (EDR), or it can extend from newer services, such as software composition analysis (SCA), cloud workload protection platforms (CWPP) and cloud infrastructure entitlement management (CIEM).

And now Microsoft has set out to prove that it makes good sense to come at it from the operating system level. That said, the Gartner report acknowledges that CNAPP is in a very early stage and cautions that no single vendor is best-of-breed in every capability.

New level of collaboration

It may be early, but CNAPP is demonstrating that it does a few things very well: reducing complexity, for one. There’s a huge need for this. Some 80 percent of respondents to Palo Alto Networks’ 2023 State of Cloud-Native Security Report expressed the need for a centralized security solution, with 76 percent reporting that using multiple security tools has created blind spots that make it difficult to prioritize and mitigate risk.


“Stitching together disparate security tools often results in security blind spots,” says Ory Segal, CTO of Prisma Cloud, Palo Alto’s CNAPP offering. “Attempting to triage security issues reported from multiple security systems, used by different teams, is close to impossible.”

One Palo Alto customer, a well-known global multimedia organization, recently replaced several tools with Prisma Cloud, which then swiftly detected a significant number of malicious bots abusing an API search function in one of their internet-exposed cloud workloads, Segal told me.

“Once they were aware of the abuse, they enabled bot protection on the platform and saw a dramatic decrease in daily operational costs — from thousands of dollars a day to $50 a day,” he says.


A notable intangible benefit of CNAPP is that it eases the burden on stretched-thin security teams and creates space for more productive dialogue between security analysts, software developers and IT services. This is leading to a new level of collaboration that’s making a notable difference day-to-day for companies embracing CNAPP, says Doug Dooley, CTO at Data Theorem.

At present, security analysts and software developers tussle over shifting code audits to the left, as early as possible in the software development cycle, while IT staff separately focuses on wrangling configuration settings of cloud-hosted IT infrastructure, a piecemeal approach to security. “So this idea of artifact scanning, cloud configuration hardening, and runtime protection, particularly in production, those three programs needed to merge together,” Dooley says. “And that’s what CNAPP, when it works, does really well.”

CNAPP’s emergence happens to align with another trend gaining steam. As part of getting a better handle on their use of cloud-hosted IT infrastructure, some enterprises are reverting to running certain workloads back home — in an on-premises data center, observes Michiel De Lepper, Global Enablement Manager at Runecast. This “back-migration,” he says, is happening because certain workloads are proving to be too costly to run in the cloud, namely resource-intensive AI modeling.


“The IT industry is always evolving and essentially that means ever-increasing complexities because you’ve got disparate environments that you somehow need to cohesively manage,” De Lepper says.

According to Gartner, CNAPP’s superpower is that it can trump complexity by ingesting telemetry, at a deep level, across all key security systems. Advanced analytics can then be brought to bear on that telemetry, setting in motion automated enforcement of policy and automated detection of, and response to, live attacks.
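As an added illustration of the three-program merge Dooley describes (artifact scanning, cloud configuration hardening, runtime protection) and of the telemetry-correlation idea attributed to Gartner just above, the Python below is example code written for this article; it is not code from Gartner or from any CNAPP vendor named here. It joins findings from three hypothetical feeds, an image scanner, a cloud configuration and entitlement scan, and a runtime sensor, on the workload they concern, and ranks them by deployment context rather than by CVSS alone. The finding labels, image names, package names, workload names and weighting factors are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class ArtifactFinding:
    """One vulnerability reported by an image/SCA scan (artifact scanning)."""
    image: str
    finding_id: str   # constructed label for the example, not a real CVE number
    cvss: float
    package: str


@dataclass(frozen=True)
class Workload:
    """A deployed workload, with context from the cloud configuration scan
    (public ingress) and from the entitlement review (identity bound to it)."""
    name: str
    image: str
    internet_exposed: bool
    admin_identity: bool


@dataclass(frozen=True)
class RuntimeObservation:
    """Packages the runtime sensor actually saw loaded inside a workload."""
    workload: str
    loaded_packages: FrozenSet[str]


@dataclass
class RankedRisk:
    finding_id: str
    image: str
    workload: Optional[str]
    risk: float
    reasons: List[str] = field(default_factory=list)


# Hypothetical weights (assumption): exposure and privilege amplify a finding,
# non-deployment and never-loaded code dampen it. The join structure is the point.
W_EXPOSED, W_ADMIN, W_LOADED, W_NOT_LOADED, W_NOT_DEPLOYED = 2.0, 1.5, 1.5, 0.5, 0.2


def score(f: ArtifactFinding, wl: Optional[Workload],
          rt: Optional[RuntimeObservation]) -> RankedRisk:
    """Combine one artifact finding with its deployment and runtime context."""
    risk, reasons = f.cvss, []
    if wl is None:
        return RankedRisk(f.finding_id, f.image, None,
                          round(risk * W_NOT_DEPLOYED, 2), ["image not deployed"])
    if wl.internet_exposed:
        risk *= W_EXPOSED
        reasons.append("workload internet-exposed")
    if wl.admin_identity:
        risk *= W_ADMIN
        reasons.append("admin identity bound to workload")
    if rt is not None:
        if f.package in rt.loaded_packages:
            risk *= W_LOADED
            reasons.append("vulnerable package loaded at runtime")
        else:
            risk *= W_NOT_LOADED
            reasons.append("vulnerable package never loaded at runtime")
    return RankedRisk(f.finding_id, f.image, wl.name, round(risk, 2), reasons)


def prioritize(findings: List[ArtifactFinding], workloads: List[Workload],
               runtime: List[RuntimeObservation]) -> List[RankedRisk]:
    """Join the three feeds on image and workload name; return findings ranked by risk."""
    wl_by_image: Dict[str, List[Workload]] = {}
    for wl in workloads:
        wl_by_image.setdefault(wl.image, []).append(wl)
    rt_by_workload = {r.workload: r for r in runtime}
    ranked: List[RankedRisk] = []
    for f in findings:
        deployed = wl_by_image.get(f.image, [])
        if not deployed:
            ranked.append(score(f, None, None))        # scanned but never shipped
        for wl in deployed:                            # one row per deployment
            ranked.append(score(f, wl, rt_by_workload.get(wl.name)))
    return sorted(ranked, key=lambda r: r.risk, reverse=True)


# Constructed sample feeds: every name, label and score is made up for the example.
FINDINGS = [
    ArtifactFinding("shop/api:1.4", "F-1", 9.8, "libxml"),
    ArtifactFinding("shop/api:1.4", "F-2", 7.5, "imagemagick"),
    ArtifactFinding("shop/worker:2.0", "F-3", 9.1, "openssl"),
    ArtifactFinding("shop/legacy:0.9", "F-4", 10.0, "log4j"),
]
WORKLOADS = [
    Workload("api-prod", "shop/api:1.4", internet_exposed=True, admin_identity=True),
    Workload("worker-prod", "shop/worker:2.0", internet_exposed=False, admin_identity=False),
]
RUNTIME = [
    RuntimeObservation("api-prod", frozenset({"libxml"})),
    RuntimeObservation("worker-prod", frozenset({"openssl"})),
]


def demo() -> List[RankedRisk]:
    """Run the correlation over the constructed feeds."""
    return prioritize(FINDINGS, WORKLOADS, RUNTIME)


if __name__ == "__main__":
    for r in demo():
        print(f"{r.risk:6.2f}  {r.finding_id:<4} {r.image:<16} "
              f"{r.workload or '-':<12} {'; '.join(r.reasons)}")
```

Run stand-alone, the ranking shows what a single scanner cannot: the CVSS 10.0 finding lands last because its image is not deployed anywhere, and the 9.1 in the private worker outranks the 7.5 in the internet-facing API service because the runtime sensor saw that vulnerable package loaded while the other was never touched. Each row also carries the reasons for its rank, which is the feedback loop Winckless asks for below: a developer sees why the fix matters, and an IT operator sees which configuration or entitlement to tighten.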

Runecast, for instance, takes a proactive approach to risk-based vulnerability management, configuration management, container security, compliance auditing, remediation and reporting. This helps with compliance, at one level, but also continually improves a company’s overall security posture, De Lepper told me.

“It’s no longer about creating shields,” De Lepper says. “Instead, we’re helping our customers plug all the gaps we know that the bad guys can use.”

Synergistic integration

I heard very similar messaging from all the CNAPP solution providers I’ve reviewed for this article. Indeed, all of them are designed to consolidate some mix of security capabilities into a single platform tuned to prioritize and act upon cloud-native risks and, by extension, exposures in related infrastructure, whether it be in the public cloud, hybrid cloud or on premises.

The suppliers argue that this leads first and foremost to enhanced visibility, not just of individual components but, much more crucially, of all the communications between systems, especially the ephemeral connections made at runtime and through APIs. This is a very positive development for security analysts, software developers and IT staff, who desperately need a more unified toolset to help them collectively visualize risk and make the highest use of this greater visibility.

CNAPP suppliers are starting to help these three groups lower the cost of compliance and remediate security vulnerabilities much more effectively. Gartner’s Winckless cautions that some vendors may not supply true integration, nor provide a robust feedback loop. “As with many other platforms, it’s important to look for these integrations to provide synergy and not to buy simply a collection of tools that are, at best, loosely interconnected from a single vendor in the hopes of gaining advantage,” he says.

Moving forward, CNAPP seems poised to emerge as a core security component of modern business networks.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
