Cloud Computing , Technology

Why Third-Party CNAPP Is Ideal for Securing Hybrid Cloud

Gartner's Richard Bartley Says Organizations Should Embrace CNAPP and ASPM
Why Third-Party CNAPP Is Ideal for Securing Hybrid Cloud
Richard Bartley, research VP, Gartner

As enterprises rapidly adopt hybrid and multi-cloud strategies, securing their distributed cloud infrastructure has become a top challenge. Although cloud service providers offer built-in security tools, organizations are apprehensive of the security challenges related to infrastructure-as-a-service - IaaS, software-as-a-service - SaaS, and pentesting-as-a-service - PaaS. Enterprises are moving away from hyperscalers to third-party vendor platforms because of certain security advantages, which include having a unified security governance across all their cloud environments.

See Also: Managing Infrastructure at Cloud Scale

In an interview with Information Security Media Group, Richard Bartley, research VP, Gartner, discussed why cloud-native application protection platforms, CNAPP, and application security posture management, ASPM, solutions are ideal for securing hybrid/multi-cloud deployments. With more than 20 years of experience, he advises clients on cloud security, including IaaS, PaaS, CNAPP, cloud workload protection platforms - CWPPs, and cloud security posture management - CSPM. He also provides guidance on security architectural approaches and designs, including CSMA, SASE and zero trust.

In this Q&A, Bartley explained the advantages third-party platforms offer over cloud provider security tools in terms of policy management, visibility and supply chain risk reduction.

Edited excerpts follow:

Some organizations are withdrawing from the public cloud because of security concerns, among others. They perceive public cloud to be too risky. A U.K. survey involving 350 IT leaders found that 25% of organizations have already switched their cloud-based workloads back to on-premises infrastructure. What are your thoughts and observations?

The cloud is largely secure. Organizations are not withdrawing from cloud based on security concerns or raising the problem of recent breaches. This may be due to financial choices or as a result of not finding the value in cloud, which is leading them to consider leaving the cloud. Enterprises, however, must consider how much capital has been invested in the cloud, whether they are willing to spend more money to switch back to on-premises, and whether the risk posed by potential breaches is the driver for this shift. At this stage, I'm not convinced that that's the state.

How does CNAPP ensure protection in hybrid, multi-cloud environments that are becoming the mainstay for enterprises?

Vendor CNAPP is mainly focused on multi-cloud. CNAPP features offered by cloud service providers are similar to those offered by third-party vendor security platforms. But, aside from having high or specialized compliance obligations or the presence of multi-cloud environments, the reason organizations choose third-party vendors is because their solutions are more matured with more in-depth analyses. Cloud service provider capabilities, however, are catching up fast. CNAPP supports multi-cloud by establishing common security governance and application control across multiple IaaS/PaaS cloud deployments. CNAPP can also protect workloads using the same controls in any cloud environment, including hybrid and on-premises.

CNAPP can secure cloud-native apps, but what about its protection for on-premises applications?

CNAPP vendor tools can help secure on-premises security in a few ways. Several tools can extend protection to workloads deployed on-premises, examine the security disposition of Kubernetes platforms and help with ensuring application security. But, at this time, only a few vendors review on-premises hypervisor security.

How can ASPM reduce third-party risks and improve supply chain security and vendor risk management?

ASPM helps manage identified application security vulnerabilities throughout the supply chain and development pipeline. Using this, organizations can ensure that they have the necessary governance in place for delivering applications with security issues addressed.

ASPM can be used to secure the pipeline by enabling organizations to quickly address software composition analysis findings. This involves scrutinizing the deployed application assets and ensuring that they are not vulnerable to the challenges discovered during testing.

ASPM works in conjunction with CNAPP to give enterprises the whole picture, including the infrastructure. ASPM uses contextual information to try and provide a comprehensive view of application security and risk status.

What questions should a CISO ask a cloud service provider about securing their infrastructure in the cloud? What do they write in their service-level agreements?

CISOs should have a comprehensive view of the entire security picture and must plan how they intend to implement controls across the different layers of application, infrastructure, network and the configuration of the cloud.

To assess and analyze overall cloud security disposition, CISOs must look at the CNAPP services offered by the cloud providers - Microsoft Defender for Cloud, Amazon Security Hub and Google Cloud Platform's Security Command Center. CISOs will, however, need their cloud security architects to select and design cloud security protective and detective controls to suit the cloud deployment.

About the Author

Brian Pereira

Brian Pereira

Sr. Director - Editorial, ISMG

Pereira has nearly three decades of journalism experience. He is the former editor of CHIP, InformationWeek and CISO MAG. He has also written for The Times of India and The Indian Express.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.