Cloud Native Application Protection Platform (CNAPP)

Learn how a CNAPP solution can provide a more comprehensive picture of risk throughout the application development process.

Try InsightCloudSec

What is a Cloud Native Application Protection Platform (CNAPP)?

A cloud native application protection platform (CNAPP) is a cloud security model that takes an integrated, lifecycle approach to protecting both hosts and workloads in truly cloud-native application development environments. These environments have their own unique demands and challenges, so it is no surprise that a new category of security product has emerged to address these concerns.

Gartner introduced CNAPP as an official cloud security category in 2021, stating at the time: “Optimal security of cloud-native applications requires an integrated approach that begins in development and extends to runtime.” DevOps organizations building applications in ephemeral environments like the cloud need complete, real-time visibility into the process so they can catch misconfigurations or vulnerabilities as they appear. Many regard CNAPP security as synonymous with shifting left and integrating security as tightly as possible into the development lifecycle.

In considering end-to-end application security in the cloud, organizations can begin to realize benefits such as deeper defense and more frequent access to workloads. A CNAPP also features significant automation capabilities, which, if calibrated correctly, can vastly improve the efficiency of cloud admins. Previously siloed approaches to application security are unified in a CNAPP, raising the bar for vendors touting next-generation application security solutions and tools.

What are the Key Components of a CNAPP?

Breaking out the components and capabilities of a CNAPP solution can be a moving target, but Gartner does have minimum requirements a solution must meet. Below, let’s look at some of the core capabilities that define those requirements:

Cloud Security Posture Management (CSPM)

A CSPM solution is one that identifies and remediates threats in an enterprise cloud environment. It uses automation to handle security risks as quickly as possible, working in concert with developers and IT security teams. Other critical functions of CSPM include security risk assessment, incident response, and integration with DevOps. CSPM solutions are compatible with hybrid and containerized cloud environments, but are most effective when used in multi-cloud environments. It is there that they can provide unparalleled visibility into an organization's cloud assets and their respective configurations.

Cloud Workload Protection Platform (CWPP)

A CWPP solution must provide the ability to manage any workload currently deployed on the company's cloud platforms. Development organizations are able to integrate CWPPs into the automated processes in their CI/CD pipeline, typically as part of the build process. This approach is becoming increasingly common in organizations that follow DevOps or DevSecOps methodologies. Any CWPP must integrate seamlessly with the other parts of the enterprise SecOps infrastructure; in doing so it enhances the capabilities of the security operations center (SOC), helping it detect and analyze complex cloud-based cyberattacks more effectively.

Cloud Infrastructure Entitlement Management (CIEM)

A CIEM solution is identity-centric and focused on managing cloud access risk. CIEM uses administration-time controls to govern entitlements and data in hybrid and multi-cloud IaaS architectures. These tools handle identity governance for dynamic cloud environments, typically following the principle of least privilege, under which users and entities can access only what they need, at the right time and for the right reason.

Container Security

Container security is the practice of implementing mechanisms and processes to protect containerized applications and workloads on platforms such as Kubernetes. In today's cloud environments it is critical to have maximum visibility into aspects such as where container hosts are located, identifying running or stopped containers, spotting container hosts not in compliance with CIS Benchmarks, and performing vulnerability assessments. Container security should be implemented as early as possible in the CI/CD pipeline in order to expose application risk faster and reduce as much friction in the development process as possible.

Infrastructure as Code (IaC) Security

Infrastructure as code (IaC) is the practice of using code (in the form of pre-built templates) to provision the infrastructure resources needed to support cloud-based applications. Developers can leverage this highly reproducible practice to write, test, and release code that will create the infrastructure on which applications run. Securing this process is critical: the later in the application-development process security controls are implemented, the more likely it is that misconfigurations or vulnerabilities an attacker could exploit will slip through.
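As an added example (not code from the original page or from the InsightCloudSec product), here is the kind of pre-deployment policy check an IaC security step runs over a template: it flags a security group that exposes a management port to the whole internet and a bucket with a public ACL, and it passes the remediated version. The Terraform JSON-syntax documents, resource names, and CIDR ranges are constructed for illustration.

```python
import json

# Constructed Terraform JSON-syntax (.tf.json) document with two misconfigurations:
# SSH open to the whole internet and a log bucket with a public-read ACL.
WEAK_TEMPLATE = json.dumps({"resource": {
    "aws_security_group": {"app_sg": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    "aws_s3_bucket": {"logs": {"acl": "public-read"}}}})
# The same document after remediation: SSH limited to a bastion range, bucket private.
HARDENED_TEMPLATE = json.dumps({"resource": {
    "aws_security_group": {"app_sg": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.10.0.0/24"]},
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    "aws_s3_bucket": {"logs": {"acl": "private"}}}})

ADMIN_PORTS = {22, 3389}           # management ports that must never be world-reachable
WORLD = {"0.0.0.0/0", "::/0"}
def _world_reachable(rule):
    cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
    return bool(cidrs & WORLD)

def _covers_admin_port(rule):
    if rule.get("protocol") == "-1":   # "-1" means all protocols and all ports
        return True
    lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
    return any(lo <= p <= hi for p in ADMIN_PORTS)

def check_security_group(address, body):
    return [f"{address}: ingress {r.get('from_port')}-{r.get('to_port')} open to the internet"
            for r in body.get("ingress", []) if _world_reachable(r) and _covers_admin_port(r)]

def check_s3_bucket(address, body):
    if body.get("acl", "private") in {"public-read", "public-read-write"}:
        return [f"{address}: ACL '{body['acl']}' grants public access"]
    return []

CHECKS = {"aws_security_group": check_security_group, "aws_s3_bucket": check_s3_bucket}

def scan_template(text):
    """Return one finding per policy violation in a .tf.json document (empty list if clean)."""
    findings = []
    for rtype, instances in json.loads(text).get("resource", {}).items():
        for name, body in instances.items():
            findings += CHECKS.get(rtype, lambda a, b: [])(f"{rtype}.{name}", body)
    return findings

if __name__ == "__main__":
    print("\n".join(scan_template(WEAK_TEMPLATE)) or "no findings")
```

Wiring a check like this into the CI stage that validates templates fails the build before the misconfiguration ever reaches a cloud account, which is the shift-left effect the section describes.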

In a recent market guide for CNAPP, Gartner outlined a more exhaustive and categorized list of core, recommended, and optional capabilities.

What Problems Does a CNAPP Solve?

A CNAPP solves problems such as visibility across the complete application lifecycle, cloud risk management challenges, and prioritization of detected vulnerabilities. Let's take a look at some specific use cases:

Enhanced visibility and quantifying risks

Visibility across the entire development lifecycle has always been one of the most critical challenges facing security teams. That is why it is so important to shift security left as far as possible, so that errors are caught early in the process and before deployment. Post-deployment and runtime should not be forgotten from a visibility standpoint, which is why it's important for a CNAPP vendor to place emphasis on the entire lifecycle. Without the enhanced visibility a CNAPP can provide, quantifying and prioritizing risk is difficult.

Integrated cloud security solutions

The magic solution would be one in which all issues were caught in the development process, aided by total visibility and contextual prioritization. No CNAPP offering will be able to do this perfectly, 100% of the time. But a good vendor should be able to deliver a solution that keeps pace with DevOps' goals of rapid cloud growth, tailoring security around developers without continually breaking up their process.

Secure software development

Gartner states: “CNAPPs can improve the developer experience by integrating as seamlessly and transparently as possible into their native development toolsets, by reducing false positives and noise, by risk-prioritizing their remediation efforts, and by providing specific remediation guidance for identified risks.” The idea here is to complement the development process, not to detract from the speed that is one of the main drivers of cloud adoption. It's just as important for SecOps to understand the development environment, identifying key areas where vulnerability scanning can be moved earlier into the process.

What are the Benefits of a CNAPP?

A CNAPP solution can provide a more comprehensive picture of risk throughout the application development process. Its capabilities are expansive, but shouldn't be overstated. As mentioned above, there is no silver bullet, but a capable CNAPP platform should be able to provide the following benefits:

Cost savings and simplification

Reducing complexity isn't a concept limited to the cybersecurity space. The pace of innovation, however, requires continually retiring outdated and legacy solutions that no longer have a practical impact and may be costing the company money. Prospective CNAPP customers increasingly want to simplify operations by consolidating security into a single vendor's solution, which can bundle offerings, save customers money, and provide complete lifecycle visibility.

Comprehensive coverage

At its best, a CNAPP solution should be a comprehensive approach to cloud security, encompassing both the technology a vendor provides and the strategies practitioners execute, that simplifies end-to-end monitoring and remediation of risk across large, complex cloud environments. Fragmented services are, for the most part, becoming a thing of the past as we look to CNAPP solutions that can streamline security for microservices-based architectures.

Keeping pace with developers

We touched on this above, but truly partnering with DevOps organizations to make security an organic part of the development lifecycle is the best way to reduce risk in that process. To that end, a CNAPP can leverage advanced analytics to gain greater visibility into risk, which enables security practitioners to better understand where to look and how to do so faster. This can help create a DevSecOps culture of faster remediation and prioritization.

Security guardrails

A CNAPP can help provide guardrails for the development process, which also aids the organic integration of security. In this way, developers can go as fast as they want, automating, building, and deploying, as long as they stay within the constraints of the security guardrails tailored to the environment. With this framework in place, innovation and speed need not be constrained much at all; they can become a true asset for developers.