At the recent Gartner Security and Risk Management Summit in London, executives and business technologists converged to tackle the multifaceted challenge of application and cloud security. While soaring through the clouds on the return trip, we couldn't help but draw parallels between the complex world above and the intricate landscape of cloud security below. Just as every cloud appears unique to the untrained eye, the cloud ecosystem is teeming with options and nuances, often leaving executives with fundamental questions.

Is the public cloud safe to use?

One burning question that every executive faces when contemplating public cloud usage is, "Why do these systems have to be so complex?" It's a valid query, and it's often accompanied by the concern: "Is the public cloud too risky for us?" These are concerns that Thomas Lintemuth, VP Analyst at Gartner, expertly addressed during his session Explaining Cloud Risks to an Executive Audience.

Expert Perspective

Thomas’ resounding answer was: "Not if you concentrate on the cloud risks within your organization's control." His insights shed light on the fact that Tier 1 hyper scalers like AWS, Microsoft Azure, and Google Cloud Platform offer a higher level of security and resilience than commonly believed. The backdrop to this perspective is the track record of smaller providers, marked by data breaches and ransomware incidents, sometimes leading to weeks of investigation and recovery or, in the worst cases, irretrievable data loss. Remember the recent CloudNordic ransomware incident when the provider lost all customer data, including backups? Yikes!

Focus on Governance

He also recommended executives balance their approach, neither taking the cloud for granted nor obsessing over elements beyond their control. This balance is essential for success in the cloud era. The true linchpin of cloud security, in his own words, lies in governance. In the dynamic, self-service environment of cloud providers, enforcing policies and monitoring developer activity can seem like an impossible task. What's more, there are insidious risks, often unseen, that lurk in public cloud use:

  1. Wasted employee time and overspending.
  2. Risks associated with agility and technology debt.
  3. Downtime and its adverse impact on productivity.
  4. Potential security breaches and data leaks.
  5. Complications related to compliance and audits.
  6. The looming specter of project failure and program risk.

The Way Forward

To navigate this terrain effectively, Thomas outlined a straightforward strategy. Executives should anchor themselves on fundamental principles like accountability, responsibility, resilience, and security priorities. Additionally, the establishment of a Cloud Center of Excellence (CoE) is invaluable in the long run. The CoE operates through three key bodies: an executive council to define the cloud strategy, an advisory council responsible for policy and implementation, and a cloud community of practice for business technologists and developers with shared cloud interests. The CoE's ultimate goal is to align business and technical needs, shape a resilient cloud enterprise architecture, provide essential support to business units, facilitate cloud transformation, and embrace a lifecycle approach to governance–all the way from policies and requirements analysis to continuous management and end-of-life stages.

Closing (stoic) thoughts

Thomas urged us to carry the following messages when pitching the cloud to an executive audience:

  • Balanced Approach: Do not take the cloud for granted, but do not obsess over things that are not in your control.
  • Acknowledge Ambiguity: Embrace ambiguity rather than ignoring or avoiding it.
  • Organizational Strategy: Develop an organizational cloud strategy that includes business unit decision accountability.

And he left us with this quote from the Stoic philosopher Epictetus: "Make the best use of what is in your power and take the rest as it happens." These words should serve as a guide for executives seeking the agility and speed the cloud offers while maintaining control over their organization's security.

Is this the perfect time to take a CNAPP?

Now that we have addressed the critical issue of going to the cloud without proper governance and oversight, what do we make of other risks? What about shadow activity in the cloud, vulnerabilities arising from the complexity and the configuration surface services expose, and lack of developer guardrails? Luckily, Richard Bartley, RVP at Gartner for Technical Professionals, addressed these risks in his talk "Technical Insights: Focus on Eliminating Your Cloud Risks With CNAPP."

Expert perspective

Richard first provided an overview of risks in Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) clouds, ranging from posture management and workloads all the way to delivery pipelines and the software supply chain. Without going as far as building a taxonomy of risks or accurately categorizing them into groups of tactics, techniques, and procedures attackers could leverage, he listed the following:

Delivery Pipeline and Supply Chain Risks

The first arena of concern revolves around the vulnerabilities embedded in the delivery pipeline and supply chain within the cloud. These vulnerabilities encompass:

  • Vulnerable Developer Environments / Unsecure Build Processes: The risks associated with the development process.
  • Unsecured Source Control Systems: The security status of source control systems is often overlooked.
  • Vulnerable Dependencies: Risks emerging from dependencies within applications.
  • Compromised Container Registries

Workload Risks

Workloads, encompassing Virtual Machines (VMs), containers, and serverless applications, introduce their own set of challenges:

  • Misconfigurations: Errors in configuring cloud resources that can lead to security breaches.
  • Vulnerabilities: Weaknesses within the workloads themselves that attackers can exploit.
  • Malware and Cryptomining: The presence of malicious software and cryptomining activities in cloud environments.
  • Unauthorized Access: The persistent threat of unauthorized access to sensitive resources.
  • Memory Leaks: Inefficient memory management leads to security and operational issues.
  • Privilege Exploits: The potential for attackers to exploit privileges, causing security breaches.

Cloud Posture Risks

Further complexities lie within the realm of cloud posture risks, which encompass:

  • Identification and Analysis of Attack Paths: Understanding the pathways through which attackers may target cloud resources.
  • Effective Risk Prioritization: The challenge of prioritizing and addressing risks effectively.
  • Intrusion Detection and Response: The ability to detect and respond to intrusions within cloud environments.
  • Policy and Entitlement Drift: Ensuring that policies and entitlements remain aligned with security requirements.
  • Unauthorized Access to Data: The risk of unauthorized access to sensitive information.
  • Kubernetes Orchestration: The complexities introduced by Kubernetes orchestration in cloud environments.
  • Unregulated East-West Traffic: Ensuring the security of data flows within the cloud environment.

That is a lot of ground to cover. And this is where a CNAPP, or Cloud-Native Application Protection Platform, comes in. Where cloud security teams previously used point solutions in isolation to find and fix security misconfigurations and mitigate risks, a CNAPP's components can share context, enrich assessments, and assess the implications of one finding with others.

Richard compares a CNAPP's features to band members who come together to play a concert they've been training for forever! With this also comes another advantage of the CNAPP–it can run comprehensive risk analysis across the code-to-cloud lifecycle and the different layers (application, infrastructure, workload, identity, and entitlements, etc.) to generate threat models, but more importantly, surface and prioritize attack paths (from their perspective).

Batteries included cloud-native application protection

📚
In Gartner's own words
Cloud-native application protection platforms (CNAPPs) are a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production. CNAPPs consolidate many previously siloed capabilities, including container scanning, cloud security posture management, infrastructure as code scanning, cloud infrastructure entitlement management, runtime cloud workload protection, and runtime vulnerability/configuration scanning.

Components of the CNAPP

Now, let's delve into the core components that make up the CNAPP:

  • CSPM (Cloud Security Posture Management): It continuously manages the security posture of both IaaS and PaaS environments, proactively detecting and responding to cloud infrastructure risks. This includes assessing the risk/trust of cloud service configurations and security settings and providing remediation options.
  • CWPP (Cloud Workload Protection Platform): These workload-centric security products protect server workloads across hybrid and multi-cloud data center environments. CWPPs offer consistent visibility and control for various workloads, whether they are physical machines, virtual machines (VMs), containers, or serverless workloads. They utilize system integrity protection, application control, behavioral monitoring, intrusion prevention, and optional anti-malware protection.
  • CIEM (Cloud Infrastructure Entitlement Management): This component grants, resolves, enforces, revokes, and administers fine-grained access entitlements across structured and unstructured data, devices, and services. It executes IT access policies and can be delivered using various technologies, often differing across platforms, applications, network components, and devices.
  • Application/Software Supply Chain Security: Core capabilities in this area offer essential testing functionality, including Static Application Security Testing (AppSec), Secrets Detection, and Software Composition Analysis (SCA). These functionalities are vital for identifying security vulnerabilities, eliminating hardcoded secrets in the software delivery pipeline, and pinpointing open-source and commercial application components.

What role does Gartner see for AppSec in the CNAPP?

Cloud Native Application Protection Platform (CNAPP) provides a robust framework that combines application security with workload protection, security posture management, and entitlement management. Analyst Richard Bartley emphasized how this fusion creates a powerful defense mechanism that safeguards your entire digital ecosystem.

Here, let's focus specifically on the application security aspect of CNAPP:

Guiding developers in real-time: CNAPP empowers developers by providing contextualized events and alerts. It not only informs developers but also guides them through the nitty-gritty details. Let's say they're working with an S3 bucket. CNAPP tells them exactly what attributes that bucket needs to meet the organization’s security policy.

Infrastructure as Code (IaC) compliance: CNAPP aids in defining Infrastructure as Code compliance, ensuring that the entire ecosystem is built on secure foundations. This is essential for maintaining a robust cloud security posture.

Source Code Security: Secure code security is paramount. CNAPP runs those Static Application Security Tests (SAST) to identify and rectify vulnerabilities before deployment. Sure, it might not be a core CNAPP feature, but it's crucial. We want SAST data to flow in and see that everything is airtight.

Dependency Scanning (SCA): CNAPP goes a step further by ingesting data from third-party tools to perform Software Composition Analysis (SCA). This ensures that the different software components used are free from known vulnerabilities.

Container and image security: Before deployment, CNAPP verifies the security of container registries and golden image libraries. This ensures that the containers don't contain hidden vulnerabilities.

Enforcing security in deployment: CNAPP takes charge of enforcing security throughout the deployment pipeline. This means ensuring all those cloud services responsible for automation are vetted for security.

Runtime protection: At the application layer, CNAPP ensures that your APIs are secure, applies application control, and enforces secrets management. Making sure no secrets are buried in source code is a crucial step in safeguarding your applications in real-time.

GitGuardian specializes in safeguarding against secrets sprawl, which is a significant concern in application security. By monitoring for exposed secrets across your repositories, Docker images, Jira tickets, etc., GitGuardian ensures that sensitive information like API keys, tokens, and credentials are not accidentally leaked.

It's worth noting that remediation, though rarely mentioned at the Gartner summit, is a crucial element in the overall security landscape and should be a central point in the context of application security.

GitGuardian emphasizes a collaborative approach between Developers, AppSec, and Ops teams with its AppSec Shared Responsibility Model. With a 1:100 ratio of AppSec to software engineers, addressing application security challenges requires breaking down silos and embedding security into DevOps practices. This model ensures Developers are using appropriate tools for context-aware security while Security engineers focus on policy definition and complex findings. Ops teams ensure proper CI/CD controls and handle specific vulnerabilities. This collaborative approach fosters enhanced communication, visibility, and automation, ultimately leading to improved security in software development.

Will CNAPP eat AppSec for lunch?

It remains to be proven whether the Cloud-Native Application Protection Platform (CNAPP) will deliver on its promise. In its 2023 issue of the Hype Cycle report for Application Security, Gartner touted the benefits of CNAPP while highlighting significant obstacles the category will face in coming years:

  • No single CNAPP offering does everything. Convergence of capabilities will occur but will take place over several years.
  • Cloud Security Posture Management (CSPM) and Cloud workload protection platform (CWPP) vendors good at runtime protection aren't necessarily good at integrating into development (or even known by developers) and vice versa.
  • Organizations may have siloed purchases of application security testing tooling and runtime protection of workloads. A separate team may be responsible for web application protection, even at runtime.
  • CNAPP requires high organizational maturity in cloud-native application development.

Cloud Security has traditionally had a go-to-market motion leaning toward sales-driven/top-down. In contrast, Application Security has tipped toward product-led/bottom-up motion (e.g., Snyk, Bridgecrew, GitGuardian). Buying centers and influencers are also shifting to newer roles, such as DevOps architects and cloud security engineers, requiring information security teams to coordinate with these users. Developers are a tough crowd; they need to see your product, use it, and get value before going deeper into a buying motion.

Application Security Posture Management (ASPM) – The New Kid on The Block

During his session on Application Security Posture Management (ASPM), analyst Dale Gardner highlighted the challenges that arise from the abundance of tools and data in modern application management. Each team in your company today has its own perspective, and when it comes to management, pulling all this information together can be a real challenge. And when there are signals are coming in from various tools, gathering them all in one place to understand an application's status is important. Developers have taken on more responsibility for testing and securing apps, which is great, but it's made things a bit murky for application security teams. They've lost visibility over what's happening.

That's where application security posture management (ASPM) solutions step in. Having an ASPM is a bit like having a comprehensive health check for your applications, ensuring they're strong and secure from every angle.

Over the past few years, ASPM has seen a surge in interest and adoption. It's no surprise, considering the complexity of managing security in modern applications. We're talking about a whopping 40% of organizations predicted to adopt more ASPM solutions.

The big question is – will it become the next integral component of CNAPP, or should it continue to stand on its own?

The answer is not yet clear. Over time, some of these types of capabilities will be incorporated by larger CNAPP offerings. For example, one of the vendors, Cider Security, was acquired by Palo Alto Networks to add to its CNAPP portfolio after its intended acquisition of Apiiro fell through. This trend suggests a growing convergence of these technologies under the umbrella of the CNAPP.

GitGuardian has joined hands with Kondukto and ArmorCode so that users can make automated secrets detection a part of their application security operations within a few minutes.

Where does supply chain security sit?

ASPM has many capabilities, and one of them is the topic of software supply chain security. Some vendors offer a Software Bill of Materials (SBOM), which is like a detailed ingredients list for your software. It's a crucial part of supply chain security, so verify if your vendors support this, but remember it's not the whole solution.

For almost 40 years, organizations have been grappling with supply chain issues. That's a long time, right? It's a complex problem, and it's not going away anytime soon. Capterra, a trusted source for software reviews, found that a whopping 60% of organizations have felt the impact of a supply chain attack in some form.

So, how can you protect yourselves from these threats? Here are three crucial steps:

Incorporate supply chain thinking into vendor risk management: When evaluating vendors, consider their supply chain practices as a fundamental part of your assessment. It's not just about financials; it's about how they secure their development environments.

Demand transparency: Know what's in the software you're getting. The infamous Log4j incident is a prime example. Everyone knew the library was there, but they didn't know exactly where and in what capacity.

Test, test, test: Ensure the software from vendors undergo rigorous testing. This step is non-negotiable.

Dale Gardner emphasized a quote by Ken Thompson, stating, "You can't trust code that you did not create yourself." This sentiment underscores the need for vigilance and due diligence in managing your software supply chain.

Concluding thoughts

The Gartner Security and Risk Management Summit shed light on the intricate world of cloud and application security. Executives learned that while cloud complexity can be daunting, focusing on governance and embracing a balanced approach is the key to success. Creating a Cloud Center of Excellence (CoE) and fostering a collaborative environment are essential steps. As we move forward, the Cloud-Native Application Protection Platform (CNAPP) offers a promising defense mechanism to address the ever-evolving challenges in cloud security and application protection. With a focus on application security posture management (ASPM) and supply chain security, organizations can navigate the complex landscape and safeguard their digital ecosystems.