
Major Use Cases and Capabilities

The top use cases and capabilities that solutions in this market address.

Use Cases

DevSecOps

Sometimes referred to as “Shift Left”, the DevSecOps practice is, in fact, about integrating security into the entire lifecycle of software development, from design to operations. This use case is where new applications are being developed, or existing applications are being reengineered using rapid development methodologies and container-based technology for deployment. The requirement is to enable security teams and application developers to collaborate to embed security into application code at the earliest point in the development cycle. This requires a development platform which provides all stakeholders with common workflows, data, visibility, and insights into the security of the application at all stages of development through to deployment.

Cloud Kubernetes Security

Kubernetes has emerged as a de facto standard for managing containerized workloads. Many organizations are using it as the platform for developing and deploying modern cloud-native applications at scale, often using services managed by CSPs. The requirement is to be able to discover and monitor the security of all ephemeral activities within Kubernetes environments, for example to identify, report, and help to remediate insecure container images, container registries, and runtime issues.

Secure Workload Migration

This use case is where an organization is moving existing workloads to cloud IaaS services without reengineering. In this case they need tools to help to manage the security parameters of the cloud deployment to match or exceed those of the existing delivery environment. This requires a security platform that can provide visibility into the security configuration of the cloud service elements that are involved, together with capabilities to identify and mitigate any increased cyber risks.

Multi-Cloud Compliance

There is now a wide range of laws and regulations that govern how data can be held and processed in cloud services. Some of these relate to the privacy of personal data, some to service resilience, and others are industry-specific. Where an organization is using cloud services, it must be able to visualize and report on how well this use meets its compliance obligations. This use case requires a platform that can extract data from multiple cloud services and compare it with the obligations from a wide range of laws and regulations to identify and report on how well these obligations are being met.

Cyber Risk Management

Using cloud services alters the way in which IT risk is managed. The CSP is responsible for the security of the service that they provide and its infrastructure. The cloud customer is responsible for securing how they use the service. The customer must implement the appropriate controls. The American Institute of CPAs® (AICPA) describes these as Complementary User Entity Controls (CUECs). This use case requires a platform that can extract data from multiple cloud services to identify and report on how well the customer’s controls meet best practices and common security frameworks.

Capabilities

Multi-Environment

The solution should provide capabilities that cover a wide range of cloud services including popular public cloud providers like AWS, Azure, GCP or OCI, as well as orchestration platforms such as Kubernetes. In addition, CNAPP solutions are expected to integrate with a wide range of DevOps and security tools and support a variety of industry standards and frameworks like PCI DSS, SOC 2, CIS benchmarks, or the NIST Cybersecurity Framework.

Cloud Entitlements

The solution should dynamically discover and analyze the user accounts (people and services) with access to the cloud services and their entitlements. It should identify, report, and remediate accounts with excessive / abnormal privileges and other risks such as orphan accounts, as well as accounts with weak authentication policies.

Cloud Storage Security

The solution should provide capabilities to discover and analyze cloud data storage services to identify, report, and remediate excessive risk. This includes data storage services without appropriate controls, data storage with public access, and data storage directly exposed to the Internet for a wide range of cloud storage types.

Cloud Network Security

The solution should provide capabilities to discover and analyze cloud network security controls to support a Zero Trust approach to network management, map the cloud networks the organization owns, and identify, report, and remediate risks such as risky firewall configurations and risky permitted network protocols.

Cloud Compute Security

The solution should provide capabilities to discover and analyze the cloud compute services the organization owns in order to identify, report, and remediate risky configurations of virtual machines and serverless computing elements.

Cloud Container Security

The solution should provide capabilities to discover and report on the cloud container services the organization owns, and to identify, report, and remediate insecure container images, container registries, and deployments for common container environments such as Kubernetes.

Cloud Application Security

The solution should provide capabilities to discover and report on deployed cloud applications, and to identify, report, and remediate apps exposed to the internet, apps with exploitable vulnerabilities, apps without appropriate traffic controls, and other risky configurations.

Cloud Posture Management

The solution should provide capabilities to continuously identify, visualize, and manage an overview of the risks associated with the use of the IaaS cloud services and how well this use complies with a range of regulations, standards, and best practices.