Cloud-native application protection platforms (CNAPP) solutions offer multiple capabilities rolled into one (marketing label) solution. CNAPP platforms claim to contain:

  • Cloud security posture management (CSPM).
  • Cloud infrastructure entitlement management (CIEM).
  • Cloud workload protection (CWP), both agent-based and agentless.
  • Container security, application security.
  • API security.
  • Infrastructure-as-code (IaC) build script scanning.
  • Serverless security.
  • DevOps security solutions.

This is a mouthful to put into one sentence and even more burdensome to evaluate and buy.

To be clear, we do not have any issue with the current CNAPP providers’ solutions. Cloud workload protection, CSPM, API security, serverless security, IaC scanning, and container security are all useful capabilities to defend cloud resources. But packaging them in a CNAPP bundle is unnecessary at best and misleading at worst. Here’s why:

  • CNAPP as a solution “platform” becomes unwieldily large and difficult to procure. End users in their quest to select the right CNAPP vendor have to evaluate way too many characteristics and features of many different disciplines, limiting their choice. While, for example, container security and cloud security capabilities are often purchased together, CIEM and DevSecOps tooling are pretty far afield from a technology and buyer perspective, as well (see figure).
  • CNAPP contains some categories that are not related to cloud-native app security. For newer organizations with no tech debt and no legacy applications, the vision of all applications developed for and deployed exclusively to the cloud is attractive. The unfortunate reality is that many organizations maintain legacy applications. How many still have active mainframe apps? Or traditional client/server applications running in a data center for which you cannot justify the migration costs? While present in cloud workloads, solution areas such as IaC scanning, API security, and container security are not only cloud security constructs.
  • The buying centers for CNAPP components are disparate. CNAPP solutions are not procured by a single stakeholder; instead, IT security, application developers, cloud architecture/security, and Dev(Sec)Ops all have a stake in evaluating and buying CNAPP capabilities. This can result in unnecessarily and excessively long sales, procurement, and implementation cycles — not a good thing when trying to promote quick time to value at “agile speed.”
  • CNAPP keeps vendor innovation low. When trying to create a comprehensive CNAPP solution, vendors are inevitably spreading themselves too thin — without being able to create innovative technical solutions in any single CNAPP functional area. Several CNAPP segments (such as serverless and IaC scanning) are quickly evolving, forcing vendors to 1) invest heavily in building top-notch solutions in that specific segment and 2) to reduce resources and budget to build out other CNAPP capabilities.