By Geert De Ron – Cloud Security Architect, published February 3, 2023

Cloud-Native Application Protection Platforms (CNAPP) have become essential tools for organizations to secure their cloud environments. In this article we will cover why cloud security operations are looking for a platform approach to cloud security and how CloudGuard CNAPP introduces new features and capabilities that provide customers with more context, actionable cloud security and smarter prevention.

Welcome to the complex landscape of cloud security

Cloud adoption and digital transformation continues to accelerate. The 2022 Cloud Security Report revealed that 35% of respondents are running more than 50% of their workloads in the cloud. However, most are hindered by the complexity of managing multiple cloud vendors which often results in misconfigurations, lack of visibility, and exposure to cyberattacks. Moreover, the study revealed that misconfiguration is seen as the number one cause of security related incidents, which can be attributed to the need for around-the-clock security operations and alert fatigue.

As a result of the acceleration in cloud adoption, Gartner expects cloud security spending to grow by almost 27% in 2023, including more and more solutions that are now available to solve the cloud security challenges. In recent years, hundreds of new companies and solutions came to market to tackle the different areas of cloud security, starting with cloud security posture management (CSPM), one of the earliest capabilities to tackle the problem of misconfigurations in the cloud. There are tools for vulnerability management, cloud workload protection (CWPP) tools for containers and serverless, cloud application security tooling and more recently, security solutions for developers helping companies to shift cloud security left.

This brings yet another level of complexity: organizations now have potentially up to ten different solutions reporting on problems and alerts for the cloud domain only. But these different solutions don’t have the full context of the cloud environment, which creates a huge headache and alert overload for security teams. To complicate matters further, the native tools of the cloud platforms are also individual capabilities that don’t always integrate well. Each capability has its own portal, its own event and reporting system, and generally misses the context of the full attack chain.

What is CNAPP and why do I need it?

Cloud customers need a more unified platform approach. A platform addresses customers’ need for a single, integrated solution for securing all aspects of a cloud environment.

This unified Cloud Native Application Protection Platform tackles all aspects of cloud security from agentless security posture management, to runtime application and workload protection, and all the way to securing the software development pipeline.

This allows for a more comprehensive security coverage than using individual tools, which may only address specific parts of the cloud environment.

A unified platform approach brings immediate benefits:

  • Security admins can identify and respond quicker to potential security threats because they have a unified view over the full context from multiple capabilities and security layers.
  • Consolidating individual tools into a single platform allows companies to manage less configurations and policies and thus simplify their overall cloud security operations.
  • Building automated processes and custom integrations for ticketing and reporting requires less do-it-yourself as these integrations are natively provided with the platform.

Introducing Check Point CloudGuard CNAPP

CloudGuard is a prevention-first CNAPP. It prevents threats from impacting your cloud workloads, from virtual machines through containers to serverless functions, from writing the first line of code all the way to actively protecting your workloads in runtime. And prevention is critical for effective cloud security, because if you are only detecting breaches, you are often too late.

CloudGuard CNAPP capabilities

The recently-announced expanded capabilities of CloudGuard, Cloud Infrastructure Entitlement Management, Agentless Workload Posture, Pipeline Security and Effective Risk Management, make it the most comprehensive CNAPP in the market. CloudGuard collects data from multiple different sources, from all types of clouds and workloads, and brings everything together in a single unified platform to create more context, actionable security and smarter prevention.

Let’s dig a little deeper into these exciting new capabilities.

Cloud Infrastructure Entitlement Management (CIEM)

Cloud deployments present an ever-changing and dynamic attack surface, including exposed credentials, vulnerabilities, misconfigurations, poor encryption, social engineering and phishing. Identity and access management is particularly complicated, because all users and workloads have permissions. When developers assign too few permissions, the user or workload can’t do what they need. But assigning overly permissive permissions (entitlements) may become the perfect recipe for disaster.

CIEM provides visibility into the effective permissions of users and assets, and enables the enforcement of least-privilege roles to eliminate overly permissive permissions. CIEM provides an easy path to reduce complexity and eliminate risk with auto-identification of identity and entitlement threats—enabling zero trust for cloud identities. CIEM also allows organizations to revoke unused permissions, which helps to enforce zero-trust.

Agentless Workload Posture (AWP)

Many workload protection solutions employ the use of runtime agents to monitor activity within virtual machines and hosts. These agents, such as traditional endpoint agents, are installed in all workload images. During runtime, they monitor behavior and aim to safeguard against various forms of malware and attacks. But these agents are often a problem for your developers and security teams, because security teams need to trust developers to deploy these into their code. Agents may impact application performance, and may even be another potential point of failure until a developer fixes the agent’s problem.

CloudGuard AWP extends CloudGuard’s agentless infrastructure visibility into workloads and enables deep workload visibility at scale with no agents. It scans and identifies risks including misconfigurations, malware detection, vulnerabilities and secrets across cloud workloads. An added bonus is that AWP scanning is performed on a snapshot of the workload, so there is no impact on performance. AWP thus helps to reduce the friction between development and security teams.

Pipeline Security

The way software is developed has recently undergone a major shift. Today, cloud-native applications are rarely written from scratch, but instead are constructed from a vast array of resources sourced from open-source repositories, services, libraries, and APIs. This shift has accelerated the development process, however, it also exposes you to vulnerabilities present in any software component, anywhere in the software supply chain.

Shift-left in security refers to the practice of incorporating security considerations and testing earlier in the software development lifecycle (SDLC), rather than at the end or after the fact. The idea is to find and fix security vulnerabilities at the earliest stages of development, when they are less expensive and easier to resolve, rather than later when they may be more difficult or costly to fix. By shifting security activities to the left, organizations aim to reduce the risk of security breaches and improve the overall security of their software applications.

Check Point acquired Spectral one year ago. Spectral is a developer-centric code security platform that seamlessly monitors, classifies, and protects codes, assets, and infrastructure. These capabilities were recently integrated into CloudGuard, allowing customers to shift CNAPP left and secure their cloud applications from the start of the SDLC. Pipeline security detects and fixes misconfigurations, secrets, and vulnerabilities in Terraform, ARM, CloudFormation, Kubernetes and other IaC templates. It identifies and remediates pipeline posture risks across Jenkins, GitHub and other pipeline tools, and extends workload protection to the CI/CD pipeline – to remediate issues before they reach production.

Effective Risk Management (ERM)

An important lesson that we learned is that even a single unified platform is not enough: due to the massive amount of information, the layered capabilities generate a lot of alerts and findings in an ever-expanding cloud environment, which creates a cloud security operational challenge of its own. The more visibility that organizations get into every single detail, the less they are able to find the needle of what really matters inside the haystack of alerts. The end result is that security teams are often overwhelmed, without an indication of where to start and the priority of resolving alters.

This is why Check Point introduced Effective Risk Management. ERM helps to operationalize cloud security by leveraging Machine Learning to understand the thousands of individual security findings and create context, in order to focus on the 1% of risks that matter most to your business.

CloudGuard’s smarter prevention capabilities then allow you to apply the most effective action to prevent or remediate risks.

Summary

CloudGuard is the one platform that provides you with deep insights and context, allows you to understand effective IAM permissions and privileges, identifies security issues throughout your pipeline, and prioritizes risks across your entire cloud infrastructure.

No other CNAPP solution in the market can provide this much value.

With the launch of CIEM, AWP, ERM and Pipeline Security, CloudGuard customers have the ability to reduce the main concern that keeps them up at night: how to prioritize risks and tackle them automatically, quickly eliminating critical vulnerabilities such as misconfigurations and remove over-privileged access based throughout the software development lifecycle. This helps them ultimately reduce their threat surface and provide them with confidence to consume cloud services as part of their digital transformation.

Next Steps

For more information, the first step is to read the press release that was published a few days ago. You can read more about the new CNAPP capabilities in the Check Point website.

We’re currently in the middle of our annual Check Point Experience (CPX360). You’re invited to sign up to join the virtual sessions and hear about the new capabilities first-hand from the subject matter experts.

If you’re interested in what respected analysts and third-parties think of CloudGuard’s CNAPP, you’re in luck:

If you’re ready to take the next step, you can:

You may also like