Better Together: CMDB + CSPM = Cloud Native Cyber Asset Management

There is a lot of confusion out there when it comes to cloud native IT and cloud security tools. Things have gotten rather complicated over the last few years as we migrate the majority of our technology and security stacks into cloud native offerings. According to the Fortinet 2023 Cloud Security Report, 39% of respondents have over half of their workloads in the cloud, with 58% expecting to achieve this within the next 12 to 18 months. Consider just a sample of the category names now competing for attention:

  • Cloud Access Security Broker (CASB)
  • Cloud Workload Protection Platform (CWPP)
  • Cloud Security Posture Management (CSPM)
  • Cloud Infrastructure Entitlement Management (CIEM)
  • Cloud-Native Application Protection Platform (CNAPP)
  • Cloud-Native Configuration Management Database (CMDB)
  • SaaS Security Posture Management (SSPM)

Sometimes the term is created by a vendor and adopted by the market, and sometimes it originates from an inventive market analyst or reporter. In general, each of these is just a bunch of features grouped together to create a market that CISOs, CIOs and IT and security leaders want to buy.

I could go through in detail how the overlap between each of the above technologies matters or doesn’t matter to the value delivered to the buyer, but for the sake of brevity I’ll scope the discussion down to a few specific terms: CSPM, CWPP, CNAPP and CMDB.

Defining The Terms

First off, let’s level-set on the traditional terms that have been in the market for a while now. Many of these technologies were created a decade or more ago and have been growing in lockstep with the growth of cloud native applications and cloud computing.

Cloud Security Posture Management

CSPM solutions help you manage cloud security risk. Generally this is done by connecting directly to the cloud service provider (CSP) and analyzing its security settings and configuration. They take a continuous view of the state of your CSP, look for known security issues, and track drift and changes in that environment over time. They alert, log, and help you fix these issues as quickly as possible. There are a number of great CSPM vendors in the market today that provide reasonable solutions for security in your cloud environment. From a value perspective, CSPM helps enterprises with governance and security of their CSP-native resources, whether single cloud or multi cloud.

Cloud Workload Protection and Cloud Native Application Protection Platforms

Compared to CSPM, CWPP is focused more on the security of the cloud workload itself than on the configuration of the CSP. There are runtime protection aspects unique to cloud security that are solved by products targeting CWPP. CWPP products secure workloads from the operating system up through memory, application code and the container layer, and even add behavioral process monitoring. A full suite of technology offerings has emerged in the CWPP market, tackling security in both multi cloud and hybrid cloud environments.

SaaS Security Posture Management

SSPM is an emerging space. The goal of SSPM is to improve the security of SaaS applications by monitoring configurations, detecting security gaps, managing data access and providing visibility into the security settings of SaaS applications like Salesforce, Microsoft 365 and Google Workspace. CSPM and SSPM are both important for cloud security: CSPM protects IaaS environments like AWS, Azure, and Google Cloud by monitoring resources and detecting misconfigurations, while SSPM secures SaaS applications by managing access, identifying vulnerabilities, and ensuring compliance.

Configuration Management Database

This might seem like a really old technology to be discussing in a blog focused on cloud and cloud native security technologies - and it is. However, there are reasons why CMDB technologies are required to implement the best possible cloud security initiatives. A CMDB solution tracks all of the hardware and software used in the enterprise. It keeps an organized and opinionated view of your environment, allowing you to view, visualize, and slice and dice the data however you need. CMDB has been around for a long time and is currently being reinvented by cloud native versions of CMDB technologies. CMDBs track configuration items (CIs) for all of the assets in the system, which makes their value increasingly important to IT and security teams alike.

Here’s Where Things Get Fuzzy - And The Battle Begins

The market is beginning to see a convergence of cloud security technologies, resulting in significant confusion amongst vendors, analysts, and specifically the CISO and CIO purchasers. Where we previously had the choice of CSPM, CWPP, and CMDB point solutions, offerings are now merging in a way that will deliver much more value at a lower overall total cost of ownership for the customer. Let’s look at the two most prominent “better together” stories.

CSPM + CWPP = Cloud Native Application Protection Platform

CNAPP is a very nascent term that Gartner is using to describe the unification and blending of value propositions from CSPM and CWPP technologies. Securing your cloud environment requires both configuration and runtime protection to be successful. Because of this, we are seeing a movement towards vendors offering the breadth of both solutions in a single package. Most of the more recent products that have come to market are targeting this new approach: they aim to be competitive in cloud native security both at runtime and at rest, and are crafting a story in which the combination of these offerings is much better together than separately.

CSPM + CMDB = Cloud Native Cyber Asset Management (or Cloud Native CMDB)

When we think of security and asset tracking in the cloud, we come to the realization that CMDB solutions that collect configuration information can’t be too far off from CSPM solutions that collect configuration information. The primary difference between them is the type and depth of the CIs they collect and how they analyze them to provide value to the CISO or IT leader.

It’s not much of a leap to think that CSPM will eventually replace CMDB, until you realize that CMDB covers far more asset classes than just cloud configuration. If a traditional CMDB tackles primarily endpoints and mobile devices, a modern cloud native CMDB is smart enough to tackle any class of asset that you can draw a software-defined box around. Anything from user identities, to CSP configuration, workload status, GitHub repositories, vulnerabilities, code commits, training levels and more can and should all be tracked in a modern cloud native cyber asset management approach.
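To make the CSPM + CMDB argument concrete, here is an added example (not JupiterOne's code or data model, and not from the original post): a toy asset graph in which a CSPM-style configuration check produces a bare finding, and the relationships a cloud native CMDB tracks across asset classes (owner, deploying repository, the owner's MFA status) turn that finding into something a responder can act on. All asset names, attributes and relationships are constructed sample data.

```python
"""Added example: a CSPM-style check joined to CMDB-style relationships.
Names, attributes and relationships are constructed, not real assets."""
from collections import defaultdict

# Constructed inventory: configuration items (CIs) of several asset classes.
ASSETS = {
    "bucket-logs":   {"class": "Bucket", "public": True},
    "bucket-backup": {"class": "Bucket", "public": False},
    "repo-infra":    {"class": "CodeRepo"},
    "user-alice":    {"class": "User", "mfa": True},
    "user-bob":      {"class": "User", "mfa": False},
}

# Constructed relationships as (source, verb, target) triples.
RELATIONSHIPS = [
    ("user-alice", "OWNS",    "bucket-logs"),
    ("user-bob",   "OWNS",    "bucket-backup"),
    ("repo-infra", "DEPLOYS", "bucket-logs"),
]

def cspm_findings(assets):
    """CSPM-style check: flag publicly readable buckets, with no context."""
    return sorted(n for n, a in assets.items()
                  if a["class"] == "Bucket" and a.get("public"))

def inbound(relationships):
    """Index relationships by target so a finding can be walked back to its context."""
    idx = defaultdict(list)
    for src, verb, dst in relationships:
        idx[dst].append((verb, src))
    return idx

def enrich(findings, assets, relationships):
    """Join each finding to the owners and deploying repos the CMDB knows about."""
    idx = inbound(relationships)
    out = {}
    for name in findings:
        owners = [s for v, s in idx[name] if v == "OWNS"]
        repos = [s for v, s in idx[name] if v == "DEPLOYS"]
        out[name] = {
            "owners": owners,
            "deployed_by": repos,
            # an open bucket whose owner lacks MFA is a higher-priority fix
            "owner_mfa": all(assets[o].get("mfa", False) for o in owners),
        }
    return out
```

Running `enrich(cspm_findings(ASSETS), ASSETS, RELATIONSHIPS)` shows that the public bucket finding now carries the owner to page and the repository where the configuration is defined, which is the relationship context the plain check cannot supply.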

The Final Verdict - Gold Medal Round

I bet you thought I would eventually declare one a winner. It’s obviously what I’ve been driving toward throughout this entire post. But at the end of the day, if we decided to have a race between Noah Lyles vs. Usain Bolt, between CNAPP and Cloud Native Cyber Asset Management, would one really come out on top?

A closer analogy would be a world-class sprinter versus a world-class decathlete. The winner would really depend on how you frame the track and field event and what rules you put into place. I don’t think there is much difference between that and CNAPP vs. Cloud Native Cyber Asset Management.

The benefits of Cloud Native Cyber Asset Management for asset management, compliance, incident response and vulnerability management are clear. Understanding your cyber asset landscape and the relationships between those cyber assets will help you build the underlying requirements for an overall strong security program. CNAPP, or CSPM + CWPP, results in a rather robust runtime protection system for cloud workloads that is built on top of an asset collection serving that single use case. The breadth of the solution and its possible extensibility is vast.

The net and final result is that Cloud Native Cyber Asset Management is the ultimate system for overall better cyber security program delivery. Every company needs modern cyber asset management.

If you are looking for a cloud security solution that targets your AWS, Azure or GCP environment and provides runtime protection for your workloads, it’s clear that CNAPP is the way to go. If you are looking for an extensible platform that you can build your entire modern cyber security program on top of, then you really can’t beat the breadth of asset management and relationship context that comes from a modern cloud native cyber asset management platform.

John Le

John is the Director of Product Marketing at JupiterOne. He is an experienced cybersecurity product marketer and excels in crafting consistent messaging, extracting valuable insights from data, and connecting different teams to ensure alignment across the organization. Outside the office, John enjoys wakesurfing, carving down slopes, and supporting his beloved Texas Longhorns and Austin FC.
