Background
“Attackers are targeting the misconfiguration of cloud infrastructure (network, compute, storage, identities and permissions), APIs and the software supply chain itself.” Cloud security providers are taking note and merging more CWPP, CSPM, and CIEM solutions into a CNAPP offering for customers. Gartner, in their 2023 Market Guide for Cloud Native Application Protection Platforms, predicts “By 2025, 60% of enterprises will have consolidated cloud workload protection platform (CWPP) and cloud security posture management (CSPM) capabilities to a single vendor, up from 25% in 2022.”
But more than the consolidation of cloud security technologies is needed. As developers take on more security responsibilities, leading CNAPP solutions must offer more depth to identify and understand the entire cloud deployment in context and seamlessly remediate risks early in the development lifecycle.
Gartner acknowledges that while multiple providers market CNAPP capabilities, few offer the required breadth and depth of functionality, with integration between all components across development and operations. This blog post will uncover several key capability areas of the Gartner Market Guide, how Check Point CloudGuard’s CNAPP solution is positioned, and why Check Point is a leading provider of CNAPP security.
Not all CNAPP providers are the same.
The Market Guide provides information and guidance for selecting and deploying a CNAPP to reinforce security for workloads and applications. CNAPPs have been subject to an immense amount of marketing hype and abuse. We frequently see vendors that market CNAPPs but don’t meet Gartner’s minimum requirements. Since the complete listing of CNAPP capabilities is quite broad, we have broken the capabilities into three categories: core, recommended and optional.
Gartner recommends several attributes of leading CNAPP solutions for consideration during the evaluation and testing process.
See why we believe CloudGuard is recognized:
1. Fully Integrated Solution: All in one tightly integrated management platform, CloudGuard includes posture management, cloud identities and entitlements, Web application and API protection, workload protection, and code security. Security teams benefit from one simple-to-use interface for visibility and managing the security of their cloud environment. At the same time, CloudGuard takes all of the inputs on the back end to understand security posture and findings in the context of the user’s unique deployment. In addition, CloudGuard supports all major cloud providers, including Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle, Alibaba Cloud, and more.
2. Depth of Relationship between Application Workload and Cloud Security Capability: CloudGuard provides complete runtime protection for serverless functions and containers, understanding the compliance and security of each, as well as its connectivity and behaviors. This allows teams to implement least privilege access controls for each asset automatically and to understand the overall risk impact so security teams can take action quickly. CloudGuard also offers preemptive threat prevention against zero-day attacks with its WAAP functionality for even greater threat prevention.
3. Predefined Templates and Single Policy Inspection: With more than 2400 compliance rules, 50 frameworks, and the ability to set customized controls and rules, CloudGuard quickly detects and remediates misconfiguration and compliance issues and enforces security best practices automatically. In addition, CloudGuard provides deep customization using GSL, a human-readable proprietary language. This allows customers to implement their company policies on top of security best practices across their cloud accounts.
4. Depth of Understanding of Development Artifacts: As with any development artifact, such as code, library, container image, or scripts, it is essential to understand not only who created them and when but also how they were deployed, if they are public or private, who has access, and what is connected. CloudGuard offers security teams the deepest level of intelligence behind each of its artifacts to understand all of these critical areas, identify security gaps, and recommend remediation next steps based on custom policies and best practices.
5. Understanding Effective Permissions with Cloud Infrastructure Entitlement Management: The cloud is plagued with risks caused by over-permissive identities. CloudGuard is designed to reduce these risks through its CIEM functionality. Because CloudGuard is deeply integrated, it uses context to measure the gaps between the permissions granted and how they are used across cloud workloads. This allows teams to quickly identify and remediate irrelevant permissions, some of which are downright dangerous. CloudGuard will enable customers to create a lean and muscular security protocol in which each identity can access only what it needs, all under one platform.
6. Integrated Advanced Analytics: As part of its CNAPP solution, CloudGuard offers customers an Effective Risk Management (ERM) engine, which prioritizes risks and provides actionable remediation guidance based on the full context, including workload posture, network exposure, identity permissions, attack path analysis, and the application business value. In addition, security and SOC teams can improve their threat hunting and remediation protocols with CloudGuard’s Cloud Detection and Response capabilities, which integrate information from the cloud inventory and configuration, account activity, network traffic logs, and threat feeds such as Check Point ThreatCloud and IP reputation databases.
7. Attack Path Analysis: Check Point does not just stop at contextual risk scoring and cloud detection; CloudGuard CNAPP also provides an enhanced visualization of the attack path to best understand the risks in the context of the environment. Using its context graph database, CloudGuard analyzes connections between assets and creates a topology map of your cloud network. This allows CloudGuard to discover exposed assets even when the network configuration is complex, as well as exposures resulting from unplanned asset connections.
8. Agentless Support: An agentless deployment option gives you immediate, deep visibility into OS security configuration issues, leaked credentials, and malware on workloads. This instant, deep visibility eliminates blind spots and security gaps caused by agent-only deployments. It seamlessly identifies vulnerabilities, exposed credentials, malware within each workload, OS-level compliance, intrusion detection, file integrity, and more. With CloudGuard’s scanning-as-a-service model, customers can take full advantage of an agentless workload deployment to achieve optimal workload protection—without impacting performance.
9. Integration into CI/CD: CloudGuard fully integrates with cloud formation templates and code repositories and registries to scan for vulnerabilities early in CI/CD, search for secrets in code and libraries, and ensure compliance with regulatory mandates and policies. CloudGuard is a proper prevention-first Shift-Left CNAPP solution—making it a frictionless experience for developers and allowing them to do the right thing from the start.
10. Consumption-based Pricing Model: With no hidden fees or year-two price hikes, CloudGuard is an all-inclusive, consumption-based solution. Offered through our channel partners and on Marketplace, customers get all of the benefits of a fully integrated CNAPP solution, with the ability to add additional functionality around threat intelligence.
In summary, Check Point CloudGuard’s CNAPP solution is a multi-faceted platform that automates cloud-native security for applications, workloads, and networks. It takes a prevention-first approach, protecting apps and workloads during the software development process through runtime. It also provides a risk management engine with automated remediation prioritization to address potential risks quickly. This means that CloudGuard reduces overall cloud security complexity and improves the overall developer experience through seamless integrations that provide complete visibility and automate security across the application lifecycle—from code to cloud.
Conclusion:
CNAPP solutions are ideal for reducing complexity and operational overhead while providing better visibility. The CNAPP solutions that stand apart offer greater context to fully understand the risks and threats in the cloud and prioritize the next steps for security and SOC teams—all while providing a seamless experience for developers.
Check Point is pleased to be recognized as a Respectable Vendor in the Gartner 2023 Market Guide for Cloud Native Application Protection Platform. We are committed to continuing to innovate and provide superior service for our customers.
For more information, visit https://www.checkpoint.com/cloudguard/cnapp/
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.