Cloud security continues to be a vexing problem, and the tool set continues to become more complex, riddled with acronyms representing possible solutions. Now there’s another: the cloud native application protection platform, or CNAPP. This tool combines the coverage of four separate products:

IT and security managers are looking for a few basic elements from these products, including more accurate threat detection, support for all workloads across multiple cloud deployments, and ways to implement preventive controls.

That is a lot of software to manage, integrate, and understand. However, almost none of the products that claim to be CNAPP have a full set of features that incorporate all four of these categories. What follows is an overview of the landscape and advice on how to navigate among the contenders.

Two approaches to CNAPP

There are two ways to approach CNAPP: from the DevSecOps perspective or from traditional IT security practices. The former means more of a focus on protecting the apps themselves (the first two product categories mentioned above); the latter means more of a focus on expanding traditional network-level protections (the last two product categories mentioned above).

The summary chart below notes which of these two directions each vendor is coming from, other notable features and integrations, whether they offer a complete CNAPP solution, and what little information is available about their pricing strategy.

I interviewed the following vendors and summarized the results in the chart below:

The following vendors did not respond to requests for information: jFrog, McAfee, Orca Security, Qualys, Snyk, and Trend Micro.

Why CNAPP exists

The key to understanding this product category is integration challenges. VMware, in its latest State of Observability report, found that 57% of the respondents claimed up to 50 different technologies are used in a typical cloud app. Organizations typically use many different cloud providers, spreading their risk and moving beyond running their legacy applications across the big three PaaS providers (AWS, Google and Azure) and employing a mixture of private, public and hybrid cloud strategies. This includes various virtual machine instances, Kubernetes containers, and serverless functions and microservices too.

Organizations will need to control cloud-native application risks, identify weak areas, and remove vulnerabilities. Sysdig, in its latest cloud-native security report, found that 73% of cloud accounts contained exposed Amazon S3 buckets. Is it any mystery that more breaches haven’t happened because of this?

What is working against securing clouds is their success: They have become the de facto computing layer for businesses. “The evolution of cloud workloads and Linux servers into something ubiquitous yet increasingly vulnerable is driving the maturation of the CWPP market,” said Mitchell Hall of Morphisec in a blog post. Part of this maturation is that cloud workloads have many moving parts.

They are also in a state of flux. In Cisco’s latest Hybrid Cloud report, nearly 60% said they are moving workloads between on- and off-premises every week. Some of these apps are built from open-source code repositories and some use in-house code. That is a lot of different use cases to protect.

Speaking of which, Palo Alto Networks’ State of Cloud Native Security 2022 report found that 80% of organizations that primarily use open source security tools have a weak or very weak security posture, while the number of enterprises that host more than half of their workloads in the cloud has doubled from 2020. A lot of this growth is coming from the serverless world.

What is motivating this product category can be traced to Gartner, which first used the CNAPP moniker when it issued its “Innovation Insight” report in August 2021. Gartner said that “Containers and serverless functions are the primary building blocks of cloud-native applications and are becoming increasingly granular with shorter life cycles.” This means that any protection needs to act quickly and unobtrusively. The analysts also found a shift from protecting infrastructure to protecting cloud-based workloads and the apps that run on them. They found that many of their corporate clients have stitched together – meaning with little to no automation – ten or more disparate security tools, including dynamic application security testing, web app firewalls, and the four cloud protection platforms mentioned at the start of this post. This one-off, patchwork-quilt approach isn’t working.

Ideally, a CNAPP solution should reduce misconfiguration errors, improve security of the development pipeline (commonly called shifting left), and use effective automation. Doing that requires having all those acronyms firing on all cylinders. You want to be able to scan for various code elements and vulnerabilities, catch cloud configuration and application coding errors quickly (ideally, when the apps run), and still do the basic security blocking and tackling (like identity and network management). Orca says that “CNAPPs exhibit their real value by intelligently combining data points from different layers in the technology stack to highlight critical security issues instead of just sending thousands of meaningless disconnected alerts.”

Questions to ask when considering CNAPP

Before you try out any of the vendors’ products, think about these questions:

What cloud artifacts can you discover and then regularly scan? Some products (like Lacework) don’t go much beyond the big three IaaS players. Some (like Tigera) just support the Kubernetes services of the big three. Others (like Sysdig) take a deeper dive into containers and the various Linux servers that run them. The real issue is whether you can continuously monitor all of these artifacts in near real time.

Can you mix agent and agentless data across the product’s main dashboard, reports and policies? How are incidents reported? Are there discrete access rules so that various staffers can focus on specific parts of the overall picture? Are there separate or combined pre-built security policies for collecting agent and agentless data? How actionable are your dashboards and their visualizations in showing you the current state of your overall cloud security?

Are all four management tools covered? Some of the vendors, such as Microsoft Defender for Cloud, have CWPP and CSPM elements, and you will have to add other components to protect Kubernetes and non-Azure clouds. Tigera comes from the opposite direction, focusing more on containers and their infrastructure.

If you have been using infrastructure-as-code to manage your cloud deployments, what devops frameworks are supported (like Terraform, Azure Blueprints, AWS CloudFormation, Demisto)? How does this work with shifting left (in other words, do you scan open-source code repositories)?

Finally, what is the price? Very few vendors are transparent about pricing. Data Theorem takes the prize for the most complex, with different calculations for how many APIs, web and mobile apps, and cloud resources are consumed. Tenable’s is a slight improvement but still complex. Aqua and Tigera have the most transparent pricing. Check Point has the simplest: $200 per year per active workload. Others create synthetic units or bundle various elements that obscure the details.

CNAPP vendors

Aqua Security Platform

Aqua Security has had a series of products (such as for supply chain and workload protection and a CSPM) that it has rolled up into a central hub, too. The company offers a unique $1 million USD guarantee (with an FAQ on its specifics) if a “proven successful attack” happens under its watch. Aqua has transparent pricing, including a free version for smaller installations and plans that start at $849/month for the smallest accounts (using a complex online calculator to estimate your bill). In addition to the big three IaaS, it supports Alibaba, Oracle Cloud, Mirantis, VMware Tanzu, and OpenShift. Multiple levels of workload protection are available, and it supports both agent and agentless methods.

Check Point CloudGuard

Check Point CloudGuard is a single product, the result of years of combining products from numerous corporate acquisitions such as Dome9 and Protegos. It offers a single dashboard, policy rule set, and support for both agent and agentless methods. CloudGuard integrates with CloudFormation and Terraform and has a simple pricing plan of $200/year USD per workload. It supports the Alibaba and (soon) Oracle clouds as well as Kubernetes environments.

CrowdStrike Cloud Security

CrowdStrike Cloud Security is packaged as two separate products in its constellation of more than 20 different Falcon protective modules. It has an attractive and unified dashboard that shows you the main incidents and assets of the big three IaaS platforms along with a list of a dozen different container deployments, which are dealt with separately in the dashboard. It covers the CNAPP universe with both agent and agentless methods. It also has an interesting container image vulnerability analysis service.

Data Theorem

Data Theorem’s platform covers five separate products that work together to offer CNAPP. These include specialized protection for cloud, mobile, API and web apps as well as a supply chain protection product. It has a central analysis engine and dashboard that provides some integration. Data Theorem supports all the big three IaaS players along with Kubernetes. One notable feature is what it calls “headliner policies,” which are constructed to prevent historical breaches. It has both agent and agentless methods. Its pricing structure is complex, with different plans for each product.

Lacework Polygraph

Lacework Polygraph supports the big three IaaS players along with Kubernetes. It has both agent and agentless methods along with behavior-based detection rules to examine infrastructure as code and vulnerabilities. It uses a single, integrated product so policies can span information collected from both methods.

Palo Alto Networks Prisma Cloud

Palo Alto was unable to provide a demo of its Prisma Cloud solution by our deadline, but we decided to include it since it is a market leader. The company built up Prisma Cloud through a series of acquisitions including RedLock (cloud threat defense), Twistlock (container security), and Bridgecrew (developer-oriented cloud security). Palo Alto allows customers to gradually adopt a full CNAPP solution by selling Prisma Cloud on a modular basis or in bundles. Pricing for those bundles starts at $540 USD a year.

SUSE NeuVector

SUSE acquired NeuVector last year and has released its code as open source, making it free to use, with paid support plans if needed. It is a partial CNAPP solution, stronger in CWPP and missing CIEM and CASB functionality. It supports all the big three IaaS platforms as well as the Rancher, OpenShift, VMware Tanzu and Mirantis container platforms. It is exclusively agentless.

Sysdig

Sysdig has two services, aptly named Secure and Monitor, and both are needed to provide CNAPP coverage. Last year the company acquired Apolicy to expand its workload protection features. Besides the big three IaaS players, Sysdig also supports IBM, Oracle and VMware Tanzu clouds as well as Red Hat OpenShift. It has a pricing page that lacks specifics, but Sysdig told us that plans start at $500/month based on your AWS EC2 storage repositories. Notable features include a new risk prioritization module and the ability to automatically suggest least-privilege access rules.

Tenable.cs

Tenable.cs (Cloud Security) is a text-heavy product that touches on most of the CNAPP bases with the exception of CWPP. It supports agentless and agent methods and comes with more than 1,400 pre-set policies and loads of default benchmarks. It integrates its Nessus vulnerability scanner, extending it to scan VMs and containers, along with its acquisition of Accurics. Earlier this year Tenable bought Cymptom and will integrate its cloud path discovery and protection into the Cloud Security line next year. It supports the big three IaaS platforms and Kubernetes. It has complex pricing that is basically a fixed charge per monitored asset, defined as any compute or database node or container registry.

Tigera Calico Cloud

Tigera Calico Cloud comes from the CWPP perspective and integrates with lots of different Kubernetes platforms, including those of the big three IaaS vendors along with Red Hat’s OpenShift and SUSE’s Rancher. The container world is its focus, and it is more network focused than other CNAPP tools. It has a very transparent pricing page and comes in three different packages: a free open-source collection, a managed services version, and an on-premises version. The protective features of the free version are minimal, but the other two are at parity.

Uptycs

Uptycs claims to be the only vendor that combines CNAPP (CWPP, CSPM, KSPM, and CIEM) and XDR into a single platform, UI, and data model. Deployment is both agent and agentless and supports AWS, Azure, Google Cloud, as well as private cloud, servers, and laptops. By combining CNAPP and XDR capabilities into a single platform, Uptycs is able to tie together threat activity as it traverses on-premises and cloud boundaries. The company has developed commercial versions of osquery to pull normalized telemetry into what it calls a Detection Cloud, which customers can then query via a Google-like interface. Uptycs has more than 1,100 behavioral rules mapped to the MITRE ATT&CK framework for container and cloud detections. Pricing starts at $5,000 per year for 200 cloud assets.

Wiz

Wiz is an agentless platform that combines misconfigurations, network exposure, secrets, vulnerabilities, malware, and overly permissive identities into a single risk prioritization queue. It combines CSPM, CWPP, vulnerability management, infrastructure-as-code (IaC) scanning, CIEM, and container and Kubernetes security capabilities. Notably, it uses a graph-based approach to analyze and model the interconnections between technologies running in the cloud environment and present the pathways to a breach, providing deep context and helping users remediate the most critical risks. Wiz supports AWS, Azure, GCP, Oracle Cloud Infrastructure (OCI), and Alibaba Cloud. It offers two plans, priced per workload.