December 1, 2021
Let’s talk about CWPP, CSPM and CNAPP. We’re going to take a little time to unpack and hopefully demystify these letters, and show you how Runecast can protect your cloud environments.
Cloud is big business these days. Even before the pandemic and the necessary rise of remote working, the use of cloud infrastructure was increasing. Businesses now rely on many versions and variants of cloud, from a wide array of vendors and across multi-cloud and hybrid cloud, for their critical infrastructure. And just because something is cloud-based does not mean it is any more secure than the more traditional on-premises infrastructure. Cloud services and cloud-native applications need protecting just as much (if not more). Cloud security is a broad topic and unless you’re a cloud-native, or work in cloud security, these acronyms might not mean all that much. But they’re not as confusing as they may seem, and here we’ll explain three of the most common and the most important.
First, let’s talk about CWPP. Cloud Workload Protection Platform is a category for a software solution that secures cloud-based workloads. What that means, in practice, is one piece of software that will protect your cloud environments. One dashboard or interface to view, the so-called ‘single-pane-of-glass’ that shows not just one environment, but all your environments. This reduces the time security professionals spend checking dashboards and the possibility of missing a potentially critical alert. Features of a CWPP can include intrusion prevention and malware scanning, but are tailored specifically to the cloud.
CWPP security solutions are built for security in the cloud era and should cover on-premises, physical and virtual machines, containers, or basically all the ingredients of the modern hybrid and multi-cloud.
CSPM is short for Cloud Security Posture Management, a way of protecting workloads from threats due to misconfigurations. Many organisations rely on public cloud infrastructure but don’t know the best practice or best configuration of that cloud. When the cloud you are reliant on changes or adds a new feature, do you know how to handle the effects that might have on your existing configurations? CSPM is the practice of monitoring infrastructure, detecting misconfiguration throughout the environment and resolving it using best practices and documented fixes. Good CSPM tools use multiple sources of information to get the best and most secure setup for your needs.
CNAPP is the third acronym, newly coined by Gartner. A Cloud Native Application Protection Platform attempts to combine the two previous terms, providing both the protection element of CWPP and the proactive monitoring element of CSPM.
CNAPP is a holistic approach, providing full coverage of cloud environments and cloud native apps. CNAPPs guard against configuration drift and misconfiguration across VMs, containers, hybrid and multi-cloud, while also 'shifting left' in the development cycle (i.e. moving security earlier in the left-to-right project timeline). This means they now cover security elements during development and runtime, making for an end-to-end approach. After all, if you can catch errors, vulnerabilities or issues earlier in the development lifecycle, that's more time and effort saved.
So CNAPP tools can help developers to keep their builds secure and can help operations and security teams use that same information to continue to keep the builds secure as they go live.
These acronyms are overlapping areas of cloud protection, like the circles in a Venn diagram. We’re not trying to say that a tool which bills itself as a CWPP is inferior to a tool which is marketed as a CNAPP, or vice versa. There are even some tools which span the whole spectrum.
Runecast is an enterprise platform which spans across these different areas of cloud protection. Runecast provides automated best practice, actionable insights and proactive monitoring for VMware, AWS, Azure and Kubernetes, and OS-level support for Windows and Linux will be released in Q4 2021.
This means you can, for example, configure your Kubernetes environment to best practice standards, as well as make it security compliant. While you’re monitoring your K8s, you can be deploying new virtual workloads in AWS or VMware, also using Runecast Analyzer to monitor and secure them.
Runecast provides automatic audits and reporting for best practices and security compliance benchmarks from CIS, DISA-STIG, PCI DSS and more. It covers an enormous range of KB articles from VMware and a best practice database from AWS, Azure and Kubernetes as well as additional insights for SAP HANA and Pure Storage on VMware and vSphere on Nutanix. Your cloud environments can be scanned at the click of a mouse and you can have a report in minutes.
Plus, we’re always working and adding new features. One of Runecast’s newest features is Remediation. For a growing number of misconfiguration issues and vulnerabilities, Runecast Analyzer will auto-generate a remediation script which can be examined in your change process and applied to your environments easily and securely. Runecast is putting in the leg work and letting you take the plaudits.
Images courtesy of Gartner, Market Guide for Cloud Workload Protection Platforms, July 21.