In the early days of a new market in B2B information technology, it is common for the vendor community to step up with dozens of point products, each with their own points of differentiation within their niche. Nowhere is this phenomenon more obvious right now than in public cloud security, where there is a nearly incomprehensible acronym soup of solutions out there, each of which solves its own slice of the broader cloud protection problem. CSPM, CIEM, DLP, IAM, multicloud networking, microsegmentation, IaC scanning, container runtime security, and vulnerability assessment, to name a few.
Even if you had the budget to buy all of these tools separately, the operational complexity associated with training staff, integrating the products, and dealing with a dozen different vendors would be a nightmare. Fortunately, as the public cloud matures, enterprises are converging on two main platforms that meet their workload protection needs via a strategy based on zero trust security: Cloud Native Application Protection Platforms (CNAPP) and Secure Access Service Edge (SASE).
At its heart, zero trust security is a framework built around the concept of least-privileged access, in which no user or application should be inherently trusted. What’s groundbreaking about this approach is that it’s exactly the opposite of the approach taken by most organizations over the past couple of decades. Since the early 1990s, information security has revolved around the concept of a secure perimeter that attempts to keep the bad out and the good in.
In zero trust, everyone and everything is deemed hostile. But, of course, if you keep everything out, it is difficult for users and applications to communicate, so access is granted only to what is necessary, and only once identity and risk context have been established. While zero trust has gained wide adoption for user access to applications over the last several years, many enterprises are now extending it to application-to-application use cases as well.
Enter CNAPP and SASE…
CNAPP and zero trust
The job of a CNAPP is to identify, prioritize, and help mitigate cloud workload risks. These platforms provide visibility into both public cloud infrastructure and into the workloads running on that infrastructure. A CNAPP also helps to identify and remediate risks prior to deployment to the cloud by integrating into DevOps tools and integrated development environments (IDEs).
CNAPPs provide insights into a broad range of cloud risks, taking the place of several, previously separate, categories of products. Risks include those related to misconfigurations, excessive privileges and permissions, sensitive data-at-rest, unpatched software vulnerabilities, and more. These platforms correlate across functions to help prioritize actual, exploitable issues and provide an accurate picture of how an enterprise might be compromised.
Not only does a CNAPP identify and prioritize cloud risks, but it assists with remediation of those risks as well, either through automated remediation or through guided manual remediation. The CNAPP process of identifying, prioritizing, and mitigating cloud risks is continuous. In dynamic cloud environments, risk posture is changing constantly.
In a zero trust architecture, CNAPP provides the critical element of risk context that can be used to make more informed decisions about the level of access a workload should have within and across the enterprise cloud footprint. As with users, a risky cloud workload should have a limited level of access until those risk factors are adequately mitigated.
SASE and zero trust
With risk context established, the next step is to allow access only to what is necessary. This is where SASE comes into play. SASE uses workload identity and risk context to verify access rights, applying business policies based on that context and on the transaction being attempted. As context changes, access privileges are continually reassessed. SASE has traditionally been associated with protection of user communications, and only recently has begun to gain traction as a platform for protection of workload communications as well.
SASE platforms connect cloud workloads directly to other workloads—without connecting them to networks—an implementation of zero trust communications for workloads. By providing this app-to-app connectivity and segmentation, SASE reduces the ability for malicious software or bad actors to move laterally across the network. SASE enables cloud workload communications for several use cases, including:
- Cloud-to-cloud
- Cloud-to-data center
- Cloud-to-internet
- Intra-cloud
Traditional perimeter technologies, such as firewalls, use a “passthrough” security approach, which makes a bad tradeoff of protection in favor of performance. If malicious traffic is found, it is often too late to stop it. A SASE-based solution performs full inspection of every transaction, terminating every connection to hold and inspect even encrypted traffic before forwarding to its destination. Inspection often includes data loss and threat prevention in addition to access control.
Two parts of one whole
Together, CNAPP and SASE provide a comprehensive approach to cloud workload security by securing the workloads and access to the workloads while ensuring optimal application performance and user experience. Over the next few years, there will be an increasing concentration of functionality that is today provided by point products into one of these two platforms. The result will be widespread adoption of zero trust security for public cloud workloads along with simplification that comes as a result of significant tools consolidation.
But why wait? Reach out to Zscaler — we would love to speak with you further about how to best leverage CNAPP and SASE in your environments today.