In the early days of a new B2B information technology market, it is common for the vendor community to step up with dozens of point products, each with its own differentiators within its niche. Nowhere is this phenomenon more evident now than in public cloud security, where there is a nearly incomprehensible acronym soup of solutions, each of which solves its own slice of the broader cloud protection problem. Examples include CSPM, CIEM, DLP, IAM, multicloud networking, microsegmentation, IaC scanning, container runtime security, and vulnerability assessment, to name a few.
Even if you had the budget to buy all of these tools separately, the operational complexity associated with training the staff, integrating the products, and meeting the deadline with a dozen different vendors would be a nightmare. Fortunately, as public clouds mature, enterprises are converging on two key platforms that meet their workload protection needs via a strategy based on zero-trust security: Cloud Native Application Protection Platforms (CNAPP) and Secure Access Service Edge (SASE).
Zero-trust security is a framework built around the concept of least-privileged access, in which no user or application is inherently trusted. This is the opposite of the traditional secure-perimeter approach, in which employees and data reside in an office building and anything inside the perimeter is trusted.
With zero trust, every user and application is deemed hostile. But if you keep everything out, it is difficult for users and applications to communicate, so access is granted only to the specific resource that is necessary once identity and risk context have been established and verified. While zero trust has gained wide adoption for user access to applications over the last several years, many enterprises are extending it to application-to-application communication use cases.
Enter CNAPP and SASE …
CNAPP and Zero Trust
The job of a CNAPP is to identify, prioritize, and help mitigate cloud workload risks. These platforms provide visibility into both public cloud infrastructure and the workloads running on that infrastructure. By integrating with DevOps tools and integrated development environments (IDEs), a CNAPP also helps identify and remediate risks before deployment to the cloud.
CNAPPs provide insights into a broad range of cloud risks, taking the place of several previously separate categories of products. Hazards include misconfigurations, excessive privileges and permissions, unprotected sensitive data at rest, unpatched software vulnerabilities, and more. In addition, these platforms correlate findings across functions to prioritize the issues that are actually exploitable and to provide an accurate picture of how an enterprise might be compromised.
Not only does a CNAPP identify and prioritize cloud risks, it assists with remediation of those risks as well, either through automated remediation or through guided manual remediation. The CNAPP process of identifying, prioritizing, and mitigating cloud risks is continuous. In dynamic cloud environments, risk posture is constantly changing.
In a zero-trust architecture, CNAPP provides the critical element of risk context that can be used to make more informed decisions about the level of access a workload should have within and across the enterprise cloud footprint. As with users, a risky cloud workload should have limited access until those risk factors are adequately mitigated.
SASE and Zero Trust
With risk context established, the next step is to allow access only to what is necessary. This is where SASE comes into play. SASE uses workload identity and risk context to verify access rights, applying business policies based on that context and the transaction being attempted. As context changes, access privileges are continually reassessed. SASE has traditionally been associated with the protection of user communications and has only recently begun to gain traction as a platform for the protection of workload communications.
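As an added illustration (not Zscaler's code or any product's API) of the flow described above, the following shows CNAPP-style risk findings feeding a default-deny, SASE-style access decision that is re-evaluated whenever the workload's findings change; the SPIFFE-style identities, resource names and severity scale are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed severity scale; a real CNAPP feed would carry its own scoring.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Workload:
    identity: str                                   # verified workload identity (assumed SPIFFE-style)
    findings: list = field(default_factory=list)    # (category, severity) tuples reported by the CNAPP

    def risk_score(self) -> int:
        """Risk context: the worst unresolved finding drives the score (0 = clean)."""
        return max((SEVERITY[sev] for _, sev in self.findings), default=0)


# Default-deny policy: each rule names one allowed (source, destination) path and the
# maximum risk score tolerated on it. Identities and resources are hypothetical.
POLICY = [
    {"src": "spiffe://corp/payments-api", "dst": "db.customers", "max_risk": SEVERITY["medium"]},
    {"src": "spiffe://corp/payments-api", "dst": "dc.ledger", "max_risk": SEVERITY["low"]},
]


def decide(workload: Workload, dst: str, policy=POLICY):
    """Return (allowed, reason). Called per transaction so changed context is reassessed."""
    for rule in policy:
        if rule["src"] == workload.identity and rule["dst"] == dst:
            score = workload.risk_score()
            if score <= rule["max_risk"]:
                return True, f"allowed: risk {score} <= {rule['max_risk']} for {dst}"
            return False, f"denied: risk {score} exceeds {rule['max_risk']} for {dst}"
    return False, "denied: no rule grants this path (default deny)"


def remediate(workload: Workload, category: str) -> None:
    """Simulate CNAPP-guided remediation by clearing findings of one category."""
    workload.findings = [f for f in workload.findings if f[0] != category]


def demo():
    api = Workload("spiffe://corp/payments-api",
                   [("unpatched_vulnerability", "critical"), ("excessive_permissions", "medium")])
    before = decide(api, "db.customers")[0]     # denied: critical vulnerability still open
    remediate(api, "unpatched_vulnerability")
    after_db = decide(api, "db.customers")[0]   # allowed: residual risk is medium
    after_dc = decide(api, "dc.ledger")[0]      # denied: ledger path tolerates only low risk
    unlisted = decide(api, "db.hr")[0]          # denied: no rule exists for this path
    return before, after_db, after_dc, unlisted
```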
SASE platforms connect cloud workloads directly to other workloads, without placing them on a shared network, which is what makes zero-trust communications for workloads implementable. By providing this app-to-app connectivity and segmentation, SASE reduces the ability of malicious software or bad actors to move laterally across the network. SASE enables cloud workload communications for several use cases, including:
- Cloud-to-data center
Traditional perimeter technologies, such as firewalls, use a “passthrough” security approach, making a lousy protection tradeoff in favor of performance. If malicious traffic is found, it is often too late to stop it. A SASE-based solution thoroughly inspects every transaction, terminating every connection so that encrypted traffic can be held and checked before it is forwarded to its destination. The inspection often includes data loss prevention, threat prevention, and access control.
Two Parts of One Whole
Together, CNAPP and SASE provide a comprehensive approach to cloud workload security by securing the workloads and access to the workloads while ensuring optimal application performance and user experience. Over the next few years, there will be an increasing concentration of functionality provided by point products today into one of these two platforms. The result will be widespread adoption of zero-trust security for public cloud workloads and simplification from significant tool consolidation.
About the Author
Rich Campagna is Senior Vice President and General Manager, CNAPP, at Zscaler, where he leads strategy for securing public cloud infrastructure and workloads. In his 20+ years in technology, Rich has held product management and marketing leadership positions at Balbix, Bitglass, F5 Networks, and Juniper Networks. Rich received an MBA from the UCLA Anderson School of Management and a B.S. in Electrical Engineering from Pennsylvania State University.