Enhancing Your Cloud Security with a CNAPP Solution - Yuri Diogenes - E-Book


Yuri Diogenes

Description

Cloud security is a pivotal aspect of modern IT infrastructure, essential for safeguarding critical data and services. This comprehensive book explores Cloud Native Application Protection Platform (CNAPP), guiding you through adopting, deploying, and managing these solutions effectively. Written by Yuri Diogenes, Principal PM at Microsoft, who has been with Defender for Cloud (formerly Azure Security Center) since its inception, this book distills complex concepts into actionable knowledge making it an indispensable resource for Cloud Security professionals.

The book begins with a solid foundation detailing the why and how of CNAPP, preparing you for deeper engagement with the subject. As you progress, it delves into practical applications, including using Microsoft Defender for Cloud to enhance your organization's security posture, handle multicloud environments, and integrate governance and continuous improvement practices into your operations.

Further, you'll learn how to operationalize your CNAPP framework, emphasizing risk management & attack disruption, leveraging AI to enhance security measures, and integrating Defender for Cloud with Microsoft Security Exposure Management. By the end, you'll be ready to implement and optimize a CNAPP solution in your workplace, ensuring a robust defense against evolving threats.

Page count: 331

Year of publication: 2024




Enhancing Your Cloud Security with a CNAPP Solution

Unlock the full potential of Microsoft Defender for Cloud to fortify your cloud security

Yuri Diogenes

Enhancing Your Cloud Security with a CNAPP Solution

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Senior Publishing Product Manager: Reshma Raman

Acquisition Editor – Peer Reviews: Jane Dsouza

Project Editor: K. Loganathan

Content Development Editor: Deepayan Bhattacharjee

Copy Editor: Safis Editing

Technical Editor: Kushal Sharma

Proofreader: Safis Editing

Indexer: Rekha Nair

Presentation Designer: Pranit Padwal

Developer Relations Marketing Executive: Maran Fernandes

First published: October 2024

Production reference: 1241024

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK.

ISBN 978-1-83620-487-9

www.packt.com

To my loving friends and family

– Yuri Diogenes

Contributors

About the authors

Yuri Diogenes has worked at Microsoft since 2006, and currently is the Principal PM Manager for the CxE Defender for Cloud Team. He is a professor at EC-Council University and at Trine University. Yuri has a master’s degree in Cybersecurity from Utica University. He is currently working on a PhD in Cybersecurity Leadership (Capitol Technology University). He is also the author of 33 published books. Yuri holds many industry certifications, such as CISSP, CND, CEH, CSA, CHFI, and CASP.

I would like to thank my wife and daughters for their continuous support, my mother for always believing in me, the entire Defender for Cloud Team for the great partnership since 2015, and my coworkers. Also, thanks to all my mentees for pushing me to be a better professional, to the entire team of Packt for the continuous partnership.

Shay Amar has over 20 years of experience in Cloud Security and customer success, and he specializes in driving digital transformation and aligning technology with business goals. As a Senior Product Manager for Cloud Security CxE at Microsoft, he leads initiatives that bridge the gap between product teams and enterprise customers, delivering impactful security solutions. He holds a degree in Computer Science and multiple certifications, including CCNA, MCSE, and Azure Architect, and regularly speaks at industry events. His focus is on innovation, automation, and securing growth for organizations in the cloud.

About the reviewer

Dominik Hoefling is a Security Cloud Solution Architect with a robust background in cybersecurity. He earned his bachelor’s degree in business informatics from IU International University of Applied Sciences, where he developed a strong foundation in both business administration and IT. Dominik specializes in deploying security solutions for customers, particularly focusing on Microsoft security solutions. He holds the Certified Cloud Security Professional (CCSP) certification from ISC2 and numerous other Microsoft security certificates. Before joining Microsoft, he was recognized as a Microsoft Most Valuable Professional (MVP) and served as a Principal Consultant at a Microsoft partner, leading numerous successful projects. As a seasoned cybersecurity expert, Dominik focuses on cloud security, Extended Detection and Response (XDR), and Security Information and Event Management (SIEM). He is a sought-after speaker at global conferences, where he shares his knowledge and insights on modern cybersecurity threats and solutions, helping organizations enhance their security posture. Dominik is passionate about guiding businesses through the complexities of today’s cybersecurity landscape, ensuring they are well equipped to handle emerging threats.

In producing this book, I would like to extend my heartfelt thanks to my wife, Kathrin, and our son, Levi, who was born just a week before the work on this book began. Kathrin’s support and understanding have been invaluable throughout this journey.

Join our community on Discord

Read this book alongside other users. Ask questions, provide solutions to other readers, and much more.

Scan the QR code or visit the link to join the community.

https://packt.link/SecNet

Contents

Preface

Who this book is for

What this book covers

To get the most out of this book

Get in touch

Leave a Review!

Why CNAPP?

Cloud Security Posture Management

Cloud Workload Protection

Cloud Native Application Protection Platform

Attack disruption

Agentless approach

Proactive hunting

Alert enrichment

Summary

Notes

Additional resources

Assessing Your Environment’s Security Posture

Planning your security posture assessment

Adopting Foundational CSPM

Remediation

Secure score

Improving your security posture

Microsoft Cloud Security Benchmark (MCSB)

Inventory

Summary

Notes

Additional resources

CNAPP Design Considerations

Establishing designing principles

Zero Trust

Shift-left security

Data protection

Comprehensive visibility and monitoring

Dynamic threat detection and response

Compliance and governance

Design considerations

Design considerations for posture management

Design considerations for DevOps security

Design considerations for workload protection

Summary

Notes

Additional resources

Creating an Adoption Plan

Adoption plan

Planning posture management adoption

Planning Defender CSPM

Privileges

Extensions

Governance

DevOps security

Measure security posture management improvement

Planning workload protection adoption

Defender for Servers

Defender for Storage

Defender for Databases

Defender for Containers

Defender for Key Vault

Defender for Resource Manager

Defender for App Services

Defender for APIs

Creating a Proof of Concept

Summary

Notes

Additional resources

Elevating Your Workload’s Security Posture

Onboarding Defender CSPM

Attack disruption

Recommendation prioritization

Data security posture

Customization

Data security dashboard

Summary

Notes

Additional resources

Multicloud

Connecting with AWS

Deploying the AWS connector

Reviewing initial assessment

Connecting with GCP

Deploying the GCP connector

Reviewing initial assessment

Summary

Notes

Additional resources

DevOps Security Capabilities

DevOps security capabilities in Defender CSPM

Connecting with GitHub

Deploying the GitHub connector

Reviewing initial assessment

Remediating recommendations

Connecting with Azure DevOps

Deploying the Azure DevOps connector

Reviewing initial assessment

Pull request annotations

Connecting with GitLab

Deploying the GitLab connector

Summary

Notes

Additional resources

Governance and Continuous Improvement

Governance

Integration with ServiceNow

Configuring ServiceNow integration

Delegate ownership

Continuous improvement

Final considerations

Summary

Notes

Additional resources

Proactive Hunting

Leveraging the insights collected by CNAPP

Cloud Security Explorer

Creating a custom query

Azure Resource Graph

Final considerations

Summary

Notes

Additional resources

Implementing Workload Protection

The need for tailored workload protection

Threat detection in Defender for Cloud

Alert dashboard

Alert correlation

Sample alerts

Alert suppression

Defender for Cloud plans

Summary

Notes

Additional resources

Protecting Compute Resources (Servers and Containers)

Defender for Containers

Enabling Defender for Containers

Vulnerability assessment

Binary drift detection

Defender for Servers

Agentless malware scanning

File Integrity Monitoring (FIM)

JIT VM access

Vulnerability assessment

Summary

Notes

Additional resources

Protecting Storage and Databases

Defender for Storage

Enabling Defender for Storage

Malware scanning

Defender for Databases

Enabling Defender for Databases

Vulnerability assessment

Summary

Notes

Additional resources

Protecting APIs

Preparing the environment

Network architecture

Enabling Defender for APIs

Operationalizing Defender for APIs

Managing APIs

Summary

Notes

Additional resources

Protecting Service Layer

Defender for Resource Manager

Enabling at scale

Defender for App Service

Defender for Key Vault

Summary

Notes

Additional resources

Incident Response

Incident Response using Defender for Cloud

Integration with Microsoft Defender XDR

Hunting

Integration with Microsoft Sentinel

Summary

Notes

Additional resources

Leveraging AI to Improve Your Security Posture

Defender for Cloud integration with Copilot for Security

Exploring recommendations

AI posture management

Summary

Notes

Additional resources

Security Exposure Management

Understanding unified security management

Integration with Microsoft Defender for Cloud

Onboarding Microsoft Security Exposure Management

Critical asset validation

Operationalizing unified exposure management

Reviewing key initiatives

Reviewing top metrics

Combining initiatives with metrics for proactive security

Proactive security recommendations

Attack surface

Identifying and addressing attack paths

Summary

Notes

Additional resources

Leave a Review!

Other Books You May Enjoy

Index


Preface

With the growth of multicloud adoption, and the constant need to protect resources from code to runtime, the old approach of working in silos is not effective anymore. To overcome this challenge, the use of a Cloud Native Application Protection Platform (CNAPP) becomes imperative for organizations that want to continue to elevate their cloud security posture, while prioritizing what is important to be remediated based on the risk factors tailored for their own environment. This book covers end-to-end CNAPP adoption, from setting the context of the need for a CNAPP and planning an agnostic approach to adopt CNAPP, all the way to the use of Microsoft Defender for Cloud as a CNAPP solution. I’ve been working with cloud security since 2012, when the emphasis was on Private Cloud security, and I’ve been part of the Defender for Cloud team since its conception in 2015, when it was still called Azure Security Center. I wrote this book based on all these years of experience, talking to hundreds of customers over the years and helping them to adopt the product. The book was reviewed by Dominik Hoefling, a great specialist in Defender for Cloud whom I have known and mentored for years. He did an amazing job performing the tech review and adding his own insights to improve the final project. Chapter 17 was written by Shay Amar, a specialist in Security Exposure Management who has been working in the team that created the product since it was in incubation. Shay adds a lot of value to this project.

I hope you enjoy reading it!

Who this book is for

This book is recommended for Cloud Security Administrators, Cloud Solution Architects, DevSecOps Engineers, Security Operations Engineers, members of the Cloud Security Posture Management Team, and any IT/Security professional who wants to learn more about CNAPP.

What this book covers

Chapter 1, Why CNAPP?, covers the roots of cloud security with CSPM and CWP, the traditional CSPM lifecycle, the use of secure score to track progress over time, and the challenges introduced with multicloud and shift left. You will also learn about the main aspects of CWP, the use of MITRE ATT&CK framework to map alerts to different workloads, and the need to have agents for some types of workloads. Lastly, you will learn how CNAPP was idealized and the main advantages of using a CNAPP, which include attack disruption, agentless approach, proactive hunting, and SOC enrichment.

Chapter 2, Assessing Your Environment’s Security Posture, goes further into the adoption of Defender for Cloud Foundational CSPM to start assessing your environment’s security posture. You will learn how to use security recommendations to visualize areas of improvement for your workloads, how to remediate security recommendations, and about the importance of using secure score to improve the overall security posture. Lastly, you will learn how to track your secure score over time, about the use of MCSB to have a different view of your recommendations and adhere to compliance standards, and how to access your cloud inventory using Defender for Cloud.

Chapter 3, CNAPP Design Considerations, focuses on the importance of first establishing design principles for your CNAPP adoption, which include the use of Zero Trust, Shift-left security, data protection, visibility and monitoring, dynamic threat detection and response, and compliance/governance. These design principles will be agnostic of your platform and will be the foundation of your implementation. You will also learn about the design considerations for your CNAPP adoption, which include considerations for posture management, considerations for DevOps security, and for workload protection. Lastly, you will learn some important questions to ask while going through these considerations, which should also be complemented by the specific needs and constraints of your organization.

Chapter 4, Creating an Adoption Plan, details the overall approach to forming a Microsoft CNAPP (Defender for Cloud) adoption plan. You will learn about the different aspects of planning your posture management adoption by enabling Defender CSPM. We discuss the planning aspects of workload protection by covering each individual Defender for Cloud plan. Lastly, you will learn about the important aspects of how to create a proof of concept plan to validate the main use case scenarios that your organization needs.

Chapter 5, Elevating Your Workload’s Security Posture, shows how to onboard Defender CSPM. You will also learn about the use of the attack path to disrupt potential attacks and how to use the risk-based recommendations to prioritize what is important for your environment. Lastly, you will learn about data security posture, how the discovery takes place, how to customize data sensitivity, and how to use the data security dashboard.

Chapter 6, Multicloud, demonstrates how to connect with AWS. You will learn about the prerequisites, the architecture of the solution, and how to configure the AWS Connector. You will also learn how to leverage the risk-based recommendations to prioritize what is important to remediate in the AWS environment. Lastly, you will learn how to connect with GCP, and how to configure the GCP connector.

Chapter 7, DevOps Security Capabilities, covers the DevOps security capabilities available in Defender CSPM. You will also learn about the prerequisites and how to connect Defender for Cloud with GitHub, Azure DevOps, and GitLab. Lastly, you will learn about how recommendations from GitHub and ADO appear in Defender for Cloud, and how developers will experience these recommendations on their platform.

Chapter 8, Governance and Continuous Improvement, goes into how to use the Governance feature in Defender CSPM to assign ownership to security recommendations. You will also learn how to integrate the governance feature with ServiceNow. Lastly, you will learn how to create exemptions according to your needs and how to visualize all resources that have exemptions.

Chapter 9, Proactive Hunting, shows how to leverage the insights collected by Defender for Cloud to perform proactive hunting. You will also learn how to use the Cloud Security Explorer to create queries and how to use the available templates. In addition to that, you will learn how to use Azure Resource Graph (ARG) to create queries using KQL and how to access ARG via Defender for Cloud. Lastly, you will learn about the advantages of using threat intel while doing proactive hunting.

Chapter 10, Implementing Workload Protection, explains why it is important to have a tailored approach to workload protection, how threat detection works in Defender for Cloud, and the different types of detection. You will also learn about the Security Alert dashboard, alert correlation, sample alerts, and how alert suppression works. Lastly, you will learn about the different Defender for Cloud plans available.

Chapter 11, Protecting Compute Resources (Servers and Containers), explains how to protect Containers with Defender for Containers and machines with Defender for Servers. You will also learn about the supported scenarios in Defender for Containers, the capabilities and constraints, how to enable Defender for Containers, how to visualize vulnerabilities in your containers, and how to configure binary drift detection. Lastly, you will learn about Defender for Servers capabilities such as agentless malware scanning, file integrity monitoring, just-in-time VM access, and vulnerability assessment powered by Microsoft Defender Vulnerability Management.

Chapter 12, Protecting Storage and Databases, discusses the importance of protecting the data located in storage and databases. You will learn about the most common threat vectors for storage and databases and how Defender for Storage and Defender for Databases can help protect this type of workload. You will also learn how to enable Defender for Storage in your subscription, and how malware scanning can be used to protect your storage accounts from getting compromised with malware. Lastly, you will learn how to enable Defender for Databases, about the different types of databases that are supported by this plan, and how to use the vulnerability assessment feature to improve your database security posture.

Chapter 13, Protecting APIs, looks at the importance of protecting APIs, what is necessary to do to prepare the environment before enabling Defender for APIs, and where Defender for APIs sits within the network architecture in a multilayered protection approach. You will also learn how to enable Defender for APIs in your Azure subscription, how to operationalize Defender for APIs, how to leverage the insights that are added by Defender for APIs in Cloud Security Explorer, and about the templates available to perform proactive hunting. Lastly, you will learn how to manage the onboarded APIs, including how to offboard APIs.

Chapter 14, Protecting Service Layer, addresses the importance of protecting Azure Resource Manager and how Defender for Resource Manager monitors and detects threats against ARM. You will also learn how to enable Defender for Resource Manager in your Azure subscription. Lastly, you will learn about the importance of protecting Azure App Service, and how Defender for App Service can help to protect your platform.

Chapter 15, Incident Response, covers the use of Defender for Cloud for Incident Response and the different alert insights provided by Defender for Cloud to empower IR teams to do a better investigation. You will also learn about the integration of Defender for Cloud with Microsoft XDR, the Alert experience in the Microsoft XDR portal, and get an introduction to the advanced hunting capability in Microsoft XDR. Lastly, you will learn how to configure the Defender for Cloud connector in Microsoft Sentinel to enable the ingestion of Defender for Cloud security alerts in Microsoft Sentinel.

Chapter 16, Leveraging AI to Improve Your Security Posture, looks at Defender for Cloud integration with Copilot for Security, how to perform risk exploration by using the Copilot for Security embedded experience in Defender for Cloud, and how to summarize recommendations and ask Copilot for Security to generate a remediation script. Lastly, you will learn about AI posture management, the importance of having security recommendations tailored for AI scenarios, how Defender CSPM takes into consideration Azure AI as part of the attack path, and the AI queries available in Cloud Security Explorer.

Chapter 17, Security Exposure Management, explains more about Microsoft Security Exposure Management and how to enable it in your organization to manage the security posture of your workloads proactively. You will also learn about the importance of incorporating Key Initiatives, Top Metrics, and Security Recommendations into a cohesive strategy. In addition, you will learn about the importance of using Security Events to track how specific incidents and score drops affect an organization’s security landscape. Lastly, you will learn about Attack Surface Maps and Attack Paths to visualize your environment and identify potential vulnerabilities.

To get the most out of this book

Ensure that you have an Azure subscription available to test the scenarios. You can get an Azure trial subscription at https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account. You can use the Defender for Cloud free trial for 30 days per plan. You can build your own environment using the resources from https://aka.ms/MDCLabs. For Chapter 6, Multicloud, you should also have access to AWS and GCP environments to test the connectors. Both (AWS and GCP) also have trial accounts available. Visit https://aws.amazon.com/free/compute for AWS and https://cloud.google.com/free for GCP.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://packt.link/gbp/9781836204879.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. For example: “By the time this book was published, the GCP data collectors that were using a fixed scan time of 1 hour were ComputeInstance, ArtifactRegistryRepositoryPolicy.”

Bold: Indicates a new term, an important word, or words that you see on the screen. For instance, words in menus or dialog boxes appear in the text like this. For example: “Open the Defender for Cloud dashboard and click Environment settings, under the Management section.”

Warnings or important notes appear like this.

Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book’s title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you reported this to us. Please visit http://www.packtpub.com/submit-errata, click Submit Errata, and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit http://authors.packtpub.com.

Leave a Review!

Thank you for purchasing this book from Packt Publishing—we hope you enjoy it! Your feedback is invaluable and helps us improve and grow. Once you’ve completed reading it, please take a moment to leave an Amazon review; it will only take a minute, but it makes a big difference for readers like you.

Scan the QR code below to receive a free ebook of your choice.

https://packt.link/NzOWQ

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below:

https://packt.link/free-ebook/9781836204879

Submit your proof of purchase. That’s it! We’ll send your free PDF and other benefits to your email directly.

Chapter 1

Why CNAPP?

For the past decade, cloud security has evolved according to the threat landscape in addition to the overall business needs of the companies that were migrating to the cloud. In the beginning, cloud security solutions provided very basic security hygiene based on a set of baselines and workload visibility, which, at the time, addressed the needs of most companies. As the market evolved around cloud security, companies started to demand specialized solutions to address specific challenges in cloud security, such as multicloud adoption and the shift-left initiatives. New solutions were developed to tackle these challenges; however, they were done in an isolated manner.

The evolution of attack methods, the growth of cloud automation such as the high usage of Infrastructure as Code (IaC), the wide adoption of multicloud, and the need to have a better way to prioritize risk based on a contextual approach led the market to a new reality when it comes to cloud security. The best-of-breed approach to deciding which cloud security solution should be adopted wasn’t working anymore. Customers demanded a better way to cross-reference the data consumed by different tools in a single place to enable them to make smarter decisions when it comes to risk prioritization.

It becomes imperative to not only improve the security posture but also identify how threat actors can exploit existing vulnerabilities and move laterally to potentially compromise highly sensitive assets. The solution for all this is called Cloud Native Application Protection Platform (CNAPP).

This chapter covers:

Cloud Security Posture Management

Cloud Workload Protection

Cloud Native Application Protection Platform

Cloud Security Posture Management

The term Cloud Security Posture Management (CSPM) was introduced around 2018. It appeared as companies started to adopt more and more cloud computing, which led to the need to have tools to manage and secure their cloud environments. The term was coined by Gartner, a leading research and advisory company. Gartner introduced CSPM to describe a category of security tools designed to identify and manage security risks in cloud environments. The main objective of CSPM was to ensure that organizations were strengthening their cloud security posture across their workloads.

The core of CSPM was based on the discoverability of cloud workloads, and the assessment of these workloads according to cloud security best practices. These cloud security best practices were grounded in a mix of cloud solution providers’ benchmarks and industry security standards, such as the Center for Internet Security (CIS), the International Organization for Standardization (ISO), and the National Institute of Standards and Technology (NIST).

Over time, some CSPM solutions also started to offer regulatory compliance lenses on top of the data to help organizations validate if their workloads were compliant with certain standards, such as the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry (PCI).

Regardless of the benchmark in use, the traditional CSPM lifecycle used in the beginning had the following phases:

Figure 1.1: Traditional CSPM lifecycle

These phases are highlighted below:

Onboarding: The first step was to onboard the CSPM solution to the cloud solution provider. For example, in an Azure environment, this step means enabling CSPM in the Azure subscription.

Discoverability: Once the CSPM platform is enabled, it will perform the scan to discover all supported workloads in the cloud environment.

Assessment: After discovering all supported workloads, and creating the initial inventory, it will perform the security assessment to evaluate if the workloads that were discovered are using security best practices based on industry standard benchmarks.

Reporting: Security assessment is a continuous operation, but at the end of each assessment, a report will be created to present the current security state of the workloads. While some workloads may already be configured using security best practices, others may require additional steps to be compliant. For these scenarios, security recommendations will be presented to guide you through the steps on how to remediate the workload.

While these steps are generic and vendor agnostic, each CSPM solution available at that time (around 2018) was adding specific features to improve the overall user experience. For example, Azure Security Center, the Microsoft CSPM at that time, had the secure score, which was a measurement for organizations to identify their security posture by scoring recommendations based on the benchmarks’ asset criticality. The advantage of using a metric such as secure score was that it gave organizations the capability to evaluate progress over time and a North Star to follow: reach 100% on their secure score.

However, the use of secure score also exposed another problem in the cloud security environment, which was the lack of governance. This problem was exposed with the constant fluctuation of the secure score, as shown in the diagram below:

Figure 1.2: Secure score over time

In the fictitious sample diagram above, you have the secure score during the month of May. Notice that in the beginning, the progress was going in the right direction; the initial score was 40%, and it got better, all the way to 65%.

But then something happened, and it dropped to 35%. The question that many cloud administrators had at that time was: I didn’t do anything to change the environment, why did my secure score drop so much?

The reason that those drops occurred, and are still occurring, is the lack of security guardrails at the beginning of the pipeline. In other words, when users provision new resources (for example, a new storage account) that are not using security best practices from the get-go, the number of security recommendations that will need to be applied to raise that resource’s security posture is high, and this will negatively affect the secure score. Every time the CSPM platform performs the assessment, it will either increase the score (if the resources are secure) or drop the score (when the resources are not secure). Of course, the score can stay the same if the environment hasn’t changed and no new resources have been provisioned, but in a cloud environment, the likelihood of having many resources created and deleted on a daily basis is very high. The lack of guardrails at the beginning of the pipeline led organizations to realize that CSPM was not the sole solution for cloud security. Governance became imperative to ensure that resources were created with security defaults.

Another buzzword that started to become more reality around that time was shift-left. The shift-left approach encouraged practices like early testing, continuous integration, and incorporating security considerations (often referred to as DevSecOps) from the very beginning of the development process. The shift-left approach also influenced how cloud workloads were provisioned with the proliferation of IaC. Amazon Web Services (AWS) introduced AWS CloudFormation in 2011, allowing users to define and manage their infrastructure using templates. In 2014, HashiCorp released Terraform, a tool that has since become one of the most widely used IaC solutions, allowing for the codification of infrastructure in a declarative manner. All these technologies contributed to ensuring that workloads were provisioned with security best practices from the beginning, and therefore contributed to a better overall security posture.
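To make the score fluctuation and the guardrail argument concrete, here is an added example (not code from the book or from any CSPM product) that models the discovery, assessment and reporting phases over a small storage-account inventory and then replays the scenario above: a remediation raises the score, and bulk provisioning of non-compliant resources drops it unless a shift-left guardrail rejects them first. The check names, weights and score formula are hypothetical simplifications, not the real Azure secure score calculation.

```python
"""Toy CSPM assessment cycle with an optional provisioning guardrail (added example,
not code from the book or any product; the score formula is a hypothetical
simplification, not the real Azure secure score calculation)."""
from dataclasses import dataclass

# Hypothetical storage-account checks; weights stand in for asset criticality.
STORAGE_CHECKS = {"https_only": 3, "public_blob_access_disabled": 4, "minimum_tls_1_2": 2}
MAX_POINTS = sum(STORAGE_CHECKS.values())


@dataclass
class Resource:
    name: str
    settings: dict  # check name -> True when the best practice is applied


def assess(resource: Resource) -> list:
    """Assessment phase: failed checks become security recommendations."""
    return [c for c in STORAGE_CHECKS if not resource.settings.get(c, False)]


def secure_score(inventory: list) -> float:
    """Reporting phase: weighted share of passed checks over the inventory (0-100)."""
    if not inventory:
        return 100.0
    earned = sum(STORAGE_CHECKS[c] for r in inventory
                 for c in STORAGE_CHECKS if c not in assess(r))
    return round(100 * earned / (MAX_POINTS * len(inventory)), 1)


def provision(inventory: list, resource: Resource, guardrail: bool) -> bool:
    """Provisioning step; with the guardrail on, non-compliant resources are rejected."""
    if guardrail and assess(resource):
        return False
    inventory.append(resource)
    return True


def simulate(guardrail: bool) -> list:
    """Return the secure score after each step of a short assessment cycle."""
    finance = Resource("sa-finance", {c: True for c in STORAGE_CHECKS})
    legacy = Resource("sa-legacy", {"https_only": True})
    inventory = [finance, legacy]
    history = [secure_score(inventory)]
    # Step 1: an administrator remediates one recommendation on sa-legacy.
    legacy.settings["public_blob_access_disabled"] = True
    history.append(secure_score(inventory))
    # Step 2: a developer provisions two accounts with defaults that ignore the benchmark.
    for name in ("sa-temp-1", "sa-temp-2"):
        provision(inventory, Resource(name, {}), guardrail)
    history.append(secure_score(inventory))
    return history
```

Without the guardrail the score goes 66.7, 88.9, 44.4; with it the two non-compliant accounts never enter the inventory and the score holds at 88.9.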

With this context in mind, we can all agree that security posture management is a preventative control, because it helps to improve the security posture, which reduces the likelihood of successful compromise of workloads. According to Microsoft Digital Defense Report 2022¹, effective security hygiene can protect against 98% of attacks. This is a very important number, because it means that if you have solid security posture management, are aligned with good governance, and are constantly improving your security hygiene, you are going to strengthen your cloud environment against most attacks.

Having said that, organizations also understand that it is important to operate with the assume breach mindset. The assume breach approach gained prominence around the early 2010s, although its exact origin as a term is not well-documented. This approach emerged as cybersecurity professionals began to recognize the limitations of traditional perimeter-based defenses and the inevitability of breaches. Microsoft has been a notable advocate of the assume breach approach, incorporating it into their security strategies and guidelines in the early 2010s. This advocacy has helped popularize the term within the industry. Around 2010-2011, the cybersecurity industry started to increasingly acknowledge that breaches were not just possible but likely. This shift in mindset was influenced by high-profile data breaches and advanced persistent threats (APTs).

With the assume breach mindset, it became imperative to not only have a strong posture management with CSPM but also to actively monitor cloud workloads and detect potential attempts to compromise them. Threat detection for cloud workloads becomes a reality with Cloud Workload Protection.

Cloud Workload Protection

One of the major differences between Cloud Workload Protection (CWP) and other threat detection technologies such as an Intrusion Detection System (IDS) is the variation in the threat landscape according to each type of cloud workload. For example, the threat landscape of a cloud container is not the same as the threat landscape of a cloud storage account. Therefore, it becomes imperative that the analytics built to create detections for each workload are tailored to the needs of that specific workload.

CWP is a critical pillar in cloud security because it enables organizations to quickly identify potential attacks on their cloud workloads, while it equips Security Operations Center (SOC) teams to perform incident response. Rich threat detection aligned with a solid incident response can be the difference between identifying a threat at the beginning of the cyber kill chain (for example, during reconnaissance) to take measures that can stop the proliferation of the threat, and only identifying a threat after the threat actor was able to fully compromise the environment.

Over the years, cloud vendors started to align their threat detections with the MITRE ATT&CK (https://attack.mitre.org/) framework. This approach helps cloud administrators, security analysts, and incident responders understand which phase of the attack an alert is related to. The code below is extracted from a sample alert from Microsoft Defender for Cloud, specifically for the Defender for Containers threat detection. Notice that this alert has a field called intent, which has the value “InitialAccess”.

This value represents the MITRE ATT&CK Initial Access (https://attack.mitre.org/tactics/TA0001) phase, which makes it easier for whoever is investigating this incident to understand the techniques that were potentially used in this attack.

Copied alert from Microsoft Defender for Cloud on 06/01/24, 09:07AM (UTC-5) https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/location/centralus/alertId/2516850500891662950_058ad4df-ac35-4dd6-92ec-db17363e2062/referencedFrom/copyAlertButton

{
  "id": "/subscriptions/XXXXXXXXXXX/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2516850500891662950_058ad4df-ac35-4dd6-92ec-db17363e2062",
  "name": "2516850500891662950_058ad4df-ac35-4dd6-92ec-db17363e2062",
  "type": "Microsoft.Security/Locations/alerts",
  "properties": {
    "status": "Active",
    "timeGeneratedUtc": "2024-06-01T14:06:27.226Z",
    "processingEndTimeUtc": "2024-06-01T14:06:26.8337049Z",
    "version": "2022-01-01.0",
    "vendorName": "Microsoft",
    "productName": "Microsoft Defender for Cloud",
    "productComponentName": "Containers",
    "alertType": "SIMULATED_K8S_ExposedDashboard",
    "startTimeUtc": "2024-06-01T14:05:10.8337049Z",
    "endTimeUtc": "2024-06-01T14:05:10.8337049Z",
    "severity": "High",
    "isIncident": false,
    "systemAlertId": "2516850500891662950_058ad4df-ac35-4dd6-92ec-db17363e2062",
    "intent": "InitialAccess",
    "resourceIdentifiers": [
      {
        "$id": "centralus_1",
        "azureResourceId": "/subscriptions/XXXXXXXX/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster",
        "type": "AzureResource",
        "azureResourceTenantId": "XXXXXXX-XXXXXXXXX"
      },
      {
        "$id": "centralus_2",
        "aadTenantId": " XXXXXXX-XXXXXXXXX ",
        "type": "AAD"
      }
    ],
    "compromisedEntity": "Sample-Cluster",
    "alertDisplayName": "[SAMPLE ALERT] Exposed Kubernetes dashboard detected (Preview)",
    "description": "THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service.\nExposed dashboard allows an unauthenticated access to the cluster management and poses a security threat.",
    "remediationSteps": [
      "Review the LoadBalancer service in the alert details. In case the dashboard is exposed to the Internet, delete the LoadBalancer service immediately and escalate the alert to the information security team."
    ]
  }
}
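The following added example (not code from the book or from Defender for Cloud) shows how a responder might consume such an alert programmatically: it parses the JSON, resolves the intent field to the MITRE ATT&CK tactic page, flags simulated alerts so they are not treated as real incidents, and surfaces the remediation steps. The embedded alert is a constructed, trimmed copy of the sample above; the intent-to-tactic table beyond InitialAccess uses tactic IDs published at attack.mitre.org.

```python
"""Triage helper for a Defender for Cloud alert: maps the alert's `intent` to the
MITRE ATT&CK tactic and pulls out what a responder needs first (added example,
not code from the book or from Defender for Cloud)."""
import json

# ATT&CK enterprise tactic IDs for the intent names Defender for Cloud uses; the
# page only shows InitialAccess, the other IDs are taken from attack.mitre.org.
INTENT_TO_TACTIC = {
    "InitialAccess": "TA0001", "Execution": "TA0002", "Persistence": "TA0003",
    "PrivilegeEscalation": "TA0004", "DefenseEvasion": "TA0005",
    "CredentialAccess": "TA0006", "Discovery": "TA0007", "LateralMovement": "TA0008",
    "Collection": "TA0009", "Exfiltration": "TA0010", "CommandAndControl": "TA0011",
    "Impact": "TA0040",
}

# Constructed: a trimmed copy of the sample alert shown above, placeholders kept.
SAMPLE_ALERT = """{"id": "/subscriptions/XXXXXXXXXXX/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/SAMPLE-ID",
 "properties": {"status": "Active", "severity": "High", "isIncident": false,
  "alertType": "SIMULATED_K8S_ExposedDashboard", "intent": "InitialAccess",
  "compromisedEntity": "Sample-Cluster",
  "alertDisplayName": "[SAMPLE ALERT] Exposed Kubernetes dashboard detected (Preview)",
  "remediationSteps": ["Review the LoadBalancer service in the alert details. In case the dashboard is exposed to the Internet, delete the LoadBalancer service immediately and escalate the alert to the information security team."]}}"""


def tactics(alert: dict) -> list:
    """Return (intent, tactic id, ATT&CK URL) per intent; unknown intents map to None.
    The intent string is split on commas in case several tactics are listed."""
    intents = [i.strip() for i in alert["properties"].get("intent", "").split(",")]
    out = []
    for intent in filter(None, intents):
        tid = INTENT_TO_TACTIC.get(intent)
        url = f"https://attack.mitre.org/tactics/{tid}" if tid else None
        out.append((intent, tid, url))
    return out


def triage(raw_alert: str) -> dict:
    """Parse the raw alert JSON and build a compact triage summary."""
    alert = json.loads(raw_alert)
    props = alert["properties"]
    return {
        "alert": props["alertDisplayName"],
        "severity": props["severity"],
        "entity": props["compromisedEntity"],
        # Simulated alerts validate the pipeline; they are not incidents to respond to.
        "simulated": props["alertType"].startswith("SIMULATED_"),
        "tactics": tactics(alert),
        "remediation": props.get("remediationSteps", []),
    }
```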

CSPM and CWP are heavily utilized in the protect, detect, and respond pillars. When you increase your security posture, you reduce the likelihood of successful compromise, which means you will likely have fewer threats to detect because your attack surface is more restricted. This will positively affect the SOC team, because they will have fewer alerts to triage, and they can invest more in proactive threat hunting in the environment.

Understanding this perspective that CSPM and CWP are different platforms, but should always work together, many vendors started to offer one single solution for CSPM and CWP. This was the case for Azure Security Center, which, since 2021, has been called Microsoft Defender for Cloud (MDC). Since its origins back in 2015 when Azure Security Center was released in Public Preview, CSPM and CWP have always been part of the platform. The goal was always to improve the security posture while detecting threats against cloud workloads. Over time, the product became more mature and created a feedback loop that allows cloud administrators to learn from incidents and see which gaps must be filled in their security posture to avoid that same type of attack happening again.

Some workloads, such as VMs, may require a separate agent to be installed to be able to have deeper visibility, real-time threat detection, and response. While many organizations don’t like to have an extra agent installed, the reality is that there are many functions that require an agent. For example, an agent can be used to analyze the behavior of applications and processes to identify anomalies that might indicate a compromise. This means that depending on the type of workload, the CWP platform may require the installation of an agent to provide better functionality and protection. For example, if VMs are very short-lived and may be reprovisioned every second day, and there is no publicly exposed workload running, an agentless approach might be sufficient. And that’s why most CWP providers offer both solutions.

Cloud Native Application Protection Platform

In less than a decade, cloud security technology grew from security posture management with CSPM to an amalgamation of many other platforms that were created to address specific issues within the cloud security space, such as Cloud Infrastructure Entitlement Management (CIEM), which is focused on managing identities and their entitlements (permissions) within cloud environments. In addition to CIEM, other platforms started to proliferate, such as:

External Attack Surface Management (EASM): Focused on identifying, monitoring, and managing the external-facing digital assets of an organization.

Data Security Posture Management (DSPM): Focused on managing and improving the security posture of an organization’s data across various environments, including cloud workloads.

Vulnerability Assessment and Management (VAM): Focused on identifying, evaluating, prioritizing, and addressing security vulnerabilities within an organization’s cloud or on-premises environment.

Organizations started to adopt these tools by using the rationale of adopting the best-of-breed strategy. While a best-of-breed strategy can provide some benefits in terms of performance and functionality, it also involves challenges such as increased complexity in integration, potential compatibility issues, and the need for skilled IT management to maintain and support a heterogeneous environment. In addition to that, the growth of multicloud adoption added even more challenges when it comes to managing all these tools in different dashboards, across different cloud providers.

In 2021, Gartner introduced the term Cloud-Native Application Protection Platform (CNAPP) to describe a new category of security platforms designed to provide comprehensive protection for cloud-native applications throughout their lifecycle.

The goal was to integrate various security functionalities, such as vulnerability management, compliance, runtime protection, and identity and access management, into a unified platform, aiming to address the complex security needs of cloud-native environments. In 2023, Gartner published the Market Guide for Cloud-Native Application Protection Platforms², which documents the architecture of a CNAPP solution, which includes the elements shown in Figure 1.3:

Figure 1.3: CNAPP architecture

As shown in Figure 1.3, a CNAPP solution must contain these major pillars, which start with artifact scanning. This component describes the platform’s capability to scan different types of artifacts, including traditional workloads such as VMs, storage accounts, and containers, as well as code and Application Programming Interfaces (APIs). The insights generated by artifact scanning will help enhance the security posture of the DevOps lifecycle and take into account the different aspects of cloud configuration, which includes IaC. These components will also integrate with runtime protection, which contains CWP. As you evaluate which CNAPP vendor you will adopt, you must ensure that the vendor’s solution is aligned with these components.

Attack disruption

One of the main benefits of having the artifact scanning capability integrated with the other elements of this platform is the possibility of sharing and crossing information to allow a better understanding of the assets and using this information to prioritize risk mitigation.

The artifact scanning will generate a series of insights that can be leveraged by the platform. For example, the artifact scanning of a storage account may find the following insights about the storage account:

Access: The storage account is widely accessible through the internet.

Permissions: The storage account has a very permissive set of permissions.

Type of data