Understanding CNAPP: 3 questions we believe the 2023 Gartner® Market Guide for CNAPP can help security leaders answer
Security leaders don’t want to waste their time juggling multiple security tools and piecing together a comprehensive view of their security posture. Meanwhile, developers need tools that help them quickly prioritize and understand security risks in their cloud environments. That’s why we believe more and more businesses are turning to cloud-native application protection platforms (CNAPPs): platforms that bring disparate security capabilities into one place. With the rapidly increasing popularity of CNAPP, security leaders who want to modernize their security posture are considering how these platforms can benefit their organization. Gartner just released a new report, the Market Guide for Cloud-Native Application Protection Platforms, which sheds light on emerging CNAPP offerings. Here are some of the questions we believe the report offers insight into:
Why are CNAPPs becoming so popular?
CNAPPs are making it easier to secure applications from development through production, and businesses are recognizing the advantages.
By 2025, 60% of enterprises will consolidate cloud workload protection platform (CWPP) and cloud security posture management (CSPM) capabilities to a single vendor, up from 25% in 2022.
CNAPP is a more holistic and unified approach to cloud security. CSPM tools automatically inventory cloud resources, find misconfigurations, and report compliance concerns, while CWPP tools monitor workloads for threats and vulnerabilities. As per Gartner, “Because developers are creating containers, serverless functions and cloud infrastructure, CNAPP tooling needs to ‘shift left’ into the development life cycle — in addition to the comprehensive runtime visibility.”
One of the several factors driving interest in CNAPPs is “the need to unify risk visibility across the entire hybrid application and across the entire application life cycle. This simply cannot be achieved using separate and siloed security and legacy application testing offerings.” Also, “There is a desire to integrate security and compliance testing seamlessly and transparently into modern DevOps (referred to as DevSecOps) in a manner that balances security and speed and doesn’t unnecessarily slow down digital innovation.” CNAPPs give developers and security teams the appropriate alerts and context all in one platform.
Source: 2023 Gartner® Market Guide for CNAPP
Why would my company use a CNAPP?
As per Gartner, reasons that organizations are moving toward consolidation to a CNAPP offering include:
- Better identification, prioritization and remediation of cloud-native application risk
- Reduced operational complexity through consolidation of vendors, consoles, policies and contracts
- Consistent enforcement of security policy across all application artifacts — code, containers, VMs and serverless functions
- Elimination of overlapping policies of disparate products and standardization of application policies and policy objects across all development artifacts
- By having consistently enforced policies and by risk-prioritizing remediation efforts, a single-vendor CNAPP offering should reduce developer friction and improve developer experience
- Elimination of redundant capabilities
How do I choose a vendor?
The Market Guide states, “At a minimum, the CNAPP offering must understand what developer/development team created the artifact, when it was scanned, when it was deployed, and who has since changed or modified it.”
It’s also important for a CNAPP to help you understand and visualize the relationships among your cloud assets. There are dozens of CNAPP capabilities, and each vendor offers a different assortment of them, with strengths in different areas. The Gartner Market Guide groups these capabilities into three categories: core, recommended, and optional.
As per Gartner, “Build a team for the evaluation and selection of CNAPP offerings with skills spanning cloud security, workload security (including containers), application and middleware security, development security and developers.” Also, “it is critical that the joint team evaluating CNAPP capabilities prioritize and rank their requirements for mandatory, recommended and optional prior to the evaluation of offerings.” Gartner also recommends that buyers “Favor CNAPP vendors that provide a variety of runtime visibility techniques, including traditional agents, Extended Berkeley Packet Filter (eBPF) support, snapshotting, privileged containers and Kubernetes (K8s) integration to provide the most flexibility at deployment.”
Learn more about emerging CNAPP offerings
CNAPPs are changing the way businesses handle security, and it looks like they’re here to stay. Click here to get the full 2023 Gartner Market Guide for CNAPP.
Gartner, Market Guide for Cloud-Native Application Protection Platforms, Neil MacDonald, Charlie Winckless, Dale Koeppen, 14 March 2023
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Lacework.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.