Asaf Shahar is a detail-oriented, accomplished senior technology and product executive, with a proven track record of over 18 years of defining and delivering large-scale complex products, architectures and technologies. He has vast experience in security, cloud and networking.
In this interview, Senior Product Manager Asaf Shahar explains why you need a Cloud Native Application Protection Platform (CNAPP). See how to select the right CNAPP tool, prevent pipeline challenges, accelerate your cloud-security journey, discover how to better prioritize risk and so much more. Real insights from a real expert. Keep reading.
Can you please tell us about what CNAPP is?
CNAPP aims to provide end-to-end security coverage for cloud customers. CNAPP includes CWPP, CSPM, and many other previously siloed capabilities, providing an integrated set of security and compliance functions. With CNAPP, you have a single consolidated platform, as opposed to a multiplicity of scattered tools.
In a brief overview, how does a CNAPP work? Key capabilities?
CNAPP includes a set of capabilities such as posture management, workload protection, application protection, ‘shift left’ capabilities, vulnerability management, identity management, cloud detection and response and micro-segmentation.
The term ‘CNAPP’ was coined by Gartner and they have defined the capabilities that a CNAPP platform should ideally have. They took different cloud security domains – CSPM, CWPP, identity management, application security, vulnerability management, etc. – and placed them under one cloud security umbrella.
This consolidation of capabilities was already happening in the market – Gartner just put a label on that and tried to define, as they saw them, the key capabilities of a Cloud Native Application Protection Platform.
Why do organizations need a platform like CNAPP? What problems does it solve?
CNAPPs ensure that when a customer purchases a security solution, it has all of the right ‘ingredients’. For example, instead of leaving a security administrator to incorporate posture management, CWPP and identity management separately, they can purchase CNAPP, which will cover all of the key capabilities. With a CNAPP, security professionals are also nearly guaranteed to own all of the necessary capabilities for proper cloud security.
How does a CNAPP allow security professionals to better collaborate with developers?
Part of the capability of CNAPP is what we call ‘shift left’ or more of a developer/DevOps-targeted solution. The idea is that, basically, the earlier that you can identify issues, the earlier that you can solve them within the product/service pipeline – meaning that, in the long run, it will cost an organization less in time and effort than otherwise.
To present an analogy, say that you write a whitepaper in Microsoft Word. When you hit ‘save and review,’ say that there was some function that informed you of a major grammatical error within the writing. You can then immediately look and decide on whether or not it’s a problem, and if needed, you can fix it.
Now, let’s assume that you didn’t have this super helpful ‘save and review’ button. You might send the whitepaper to a bunch of people, they all review it, and send you their input. They might send you the same exact input as the ‘save and review’ button would have, but later in the process.
Such a process is manual, and depending on the nature of the project, the input could be too late. Pretend that you needed to send the whitepaper to a publisher right away – the problem could be released ‘into the wild,’ whereas an automated tool could have caught it in production.
The further along the chain that you find a problem, the more time and effort required to fix it. In the case of the published paper, you would need to email the publisher, explain the issue, maybe there’s a time difference…etc. Resolving the issue suddenly becomes much more involved than necessary, given that an automated tool could have caught the issue at the very beginning.
As you can see from the example, catching and fixing problems at the source is more efficient than trying to remedy them later.
The right cloud security tools are necessary to perform cloud security checks and validations prior to When a coder writes code, it’s advantageous to have immediate insight into whether or not there’s a problem. Catching problems at the source is more efficient than catching them down-the-line.
Now, CNAPP incorporates tools to do these checks and validations prior to things being deployed. And there are different stages – so as the coder writes the code, CNAPP can see whether or not there’s a problem; as the coder builds a new app element, CNAPP can identify a potential problem; and if the coder deploys the code, CNAPP can recognize a problem.
While a developer might find and fix such problems anyway, the cost of fixing things is reduced if problems are identified at an earlier stage within the pipeline.
How can organizations choose the right Cloud Native Application Protection Platform?
Ultimately, every vendor will show up and say ‘I have a CNAPP’. But there are a few key capabilities that your CNAPP should have and that you should tick off on your checklist. A critical question to ask vendors is whether, within the CNAPP solution, security mechanisms are still isolated and siloed, or whether there is an interaction between the different parts in order to create a 1 + 1 = 3 phenomenon.
And it’s not just about having precisely defined capabilities. You need to know what it’s like to manage the solution, how it can be incorporated into the operational processes, the integration into the ecosystem, the quality of the outputs (are they broad enough, what is the depth of the capabilities…etc).
You need to look at the functionality, the operations, the ease-of-use, and the level of protection that you get. It’s not enough to say ‘ok, I have a CSPM or a CWPP and it has these capabilities’. Think about what it takes to operate the platforms.
Can you please share a bit about what led up to the need for CNAPP?
Naturally, a customer wants an easy way to get the security that they need. So, customers started to look into vendors that provided them with broader coverage and capabilities than one single siloed solution can offer.
Around the same time, vendors started adding more capabilities to their CWPPs, to their posture management, to their identity management solutions…etc. And very quickly, there was this consolidation of capabilities to a single platform, which provides much more than any one siloed solution can individually.
How is Check Point driving innovation and pushing boundaries for best-in-class CNAPP?
One of the main things is looking at cloud security in a holistic way; not just saying ‘ok, I have CWPP, I have posture management, I have identity management.’ The idea is to create collaboration between these elements in order to have a ‘better together’ solution.
Check Point aims to create better synergy between tools. Check Point’s CNAPP provides better insight and better overall analysis than available otherwise, allowing the customer to have a much higher quality in terms of the effectiveness of the tool as they handle and operate security.
Is there anything else that you would like to share with our audience?
One of the areas where Check Point is investing a lot is in what we call ‘effective risk management’. To explain, when considering a CNAPP, security professionals need to consider whether the solution efficiently points them to the right problems. Effective risk management aims to take all of the information available from all different parts of a platform and to make sense of it in a single place; telling the customer ‘these are the problems that you need to tend to. If you have time to do one task, this is the one task that you need to do today. If you have time for five tasks, these are the five tasks that are the highest priority.’ So, focusing the customers on their business-driven security issues helps them to be more effective in handling their environments’ security.