Cloud Native


School of Informatics

Department of Information Technology

SEMINAR ON
Cryptography and N/w Security

Assignment title: Cloud-Native Application Protection Platform (CNAPP)

By: Wogayehu Gechere

ID NO: Pgw/87923/15

Submitted to: Desta Dana (Assistant Prof.)

Wolaita, Ethiopia, August 2016 E.C.

Table of Contents

1. Introduction
Cloud-Native Application Protection Platform (CNAPP)
2. How CNAPP Works
3. Components
4. Advantages
5. Challenges and Limitations
6. Types of CNAPP
7. Goals of Cloud-Native Application Protection Platform
8. Characteristics
3. Objectives (CNAPP)
3.1 Key supporting tooling includes
3.3 Components of Architecture
4.1 Three main cloud storage types
4.2 Cloud storage capabilities of a comprehensive CNAPP
4.3 Two Types of cloud computing services (CNAPP)
5. Five types of cloud computing services a CNAPP needs to address
5.1 Future trends in CNAPP
5.2 Conclusion

1. Introduction

Cloud-Native Application Protection Platform (CNAPP)


The Cloud-Native Application Protection Platform (CNAPP) is a unified security solution
designed to protect applications that are built and deployed using cloud-native technologies, such
as containers, microservices, and serverless computing. CNAPP integrates various security
functions to provide comprehensive protection throughout the application lifecycle, from
development to production, ensuring that cloud-native applications remain secure against
evolving threats.

2. How CNAPP Works
CNAPP works by integrating multiple security controls into a single platform, automating the
process of securing cloud-native applications. It typically includes capabilities such as
vulnerability management, compliance monitoring, threat detection, and workload protection. By
continuously monitoring cloud environments, CNAPP identifies and mitigates security risks in
real time, ensuring that applications remain secure as they are developed, deployed, and run in
dynamic cloud environments.

3. Components of CNAPP

 Workload Protection: Secures workloads, such as containers and virtual machines, by
providing runtime protection and threat detection.
 Vulnerability Management: Identifies and mitigates vulnerabilities in code, containers,
and infrastructure.
 Identity and Access Management (IAM): Controls access to resources, ensuring that
only authorized users and services can interact with applications.
 Compliance Monitoring: Ensures that cloud environments and applications comply with
industry standards and regulations.
 Network Security: Provides network segmentation and firewall capabilities to prevent
unauthorized access and data breaches.
 Data Security: Protects sensitive data stored and processed in the cloud.

4. Advantages

 Unified Security: CNAPP consolidates multiple security functions into one platform,
simplifying management and reducing the need for multiple point solutions.
 Automation: Automates security tasks, such as vulnerability scanning and policy
enforcement, reducing the workload on security teams.
 Real-Time Protection: Continuously monitors cloud environments and applications,
providing real-time detection and response to security threats.
 Scalability: Designed to scale with cloud-native applications, CNAPP can handle the
dynamic nature of cloud environments.

 Compliance: Helps organizations maintain compliance with industry regulations and
standards by continuously monitoring and enforcing policies.

5. Challenges and Limitations


 Complexity: Integrating various security tools into a single platform can be complex and
requires careful planning.

 Cost: Implementing and maintaining a CNAPP can be expensive, especially for smaller
organizations.
 Vendor Lock-In: Relying on a single vendor for a comprehensive security solution can
lead to dependency and reduced flexibility.

6. Types of CNAPP

 Integrated CNAPP: Offers a fully integrated solution that combines all security
functions into a single platform.
 Modular CNAPP: Allows organizations to choose specific modules or components
based on their needs, offering more flexibility.
 Managed CNAPP: Provided as a managed service, where a third party handles the
deployment, management, and maintenance of the platform.

7. Goals of Cloud-Native Application Protection Platform

 End-to-End Security: Provide comprehensive security coverage across the entire
application lifecycle, from development to production.
 Simplification: Reduce the complexity of managing security by consolidating multiple
tools into a single platform.
 Agility: Enable organizations to respond quickly to security threats and compliance
requirements in dynamic cloud environments.
 Automation: Minimize manual intervention by automating security tasks and processes.

8. Characteristics

 Cloud-Native: Specifically designed to operate in cloud environments, leveraging
cloud-native technologies like containers and microservices.
 Continuous Monitoring: Provides ongoing monitoring of applications and
environments, ensuring real-time threat detection and response.
 Integration: Seamlessly integrates with existing cloud services and development tools,
enhancing overall security without disrupting workflows.
 Scalability: Can scale alongside cloud-native applications, handling increasing
workloads without compromising security.
 Flexibility: Offers the flexibility to adapt to different cloud environments and application
architectures.

3. Objectives (CNAPP)
1. Secure Cloud-Native Architectures

Protect cloud-native applications, including containers, serverless functions, and microservices,
from security threats and vulnerabilities. This is essential as these architectures are increasingly
targeted by cyber threats due to their complexity and widespread adoption in modern software
development.

 Ensure the security and integrity of the underlying cloud infrastructure, including
compute, storage, and networking resources.
2. Maintain Visibility and Control
 Provide comprehensive visibility and awareness of the security posture across the entire
cloud-native stack, including applications, workloads, and cloud services.
 Enable centralized management and control of security policies, configurations, and
security controls.
3. Automate Security Processes
 Integrate security seamlessly into the DevOps and cloud orchestration processes to enable
continuous security automation.
 Ensure that security is embedded throughout the cloud-native application lifecycle, from
development to deployment and runtime.

4. Enhance Compliance and Governance
 Help organizations maintain compliance with industry regulations, standards, and internal
security policies in the cloud-native environment.
 Provide audit trails, reporting, and regulatory compliance features to demonstrate
adherence to security requirements.
5. Detect and Respond to Threats
 Implement advanced threat detection and incident response capabilities to identify,
investigate, and mitigate security threats in the cloud-native environment.
 Leverage machine learning, behavioral analysis, and threat intelligence to enhance the
accuracy and speed of threat detection and response.
6. Support Scalability and Elasticity:
 Ensure the CNAPP solution can scale and adapt to the dynamic and ever-changing nature
of cloud-native environments.
 Provide the necessary scalability, high availability, and resilience to support the rapid
growth and changes in cloud-native applications and infrastructure.
7. Improve Security Posture and Reduce Risk
 Enhance the overall security posture of the cloud-native environment by identifying and
remediating security vulnerabilities, misconfigurations, and other security risks.
 Reduce the attack surface and mitigate the risk of security breaches, data leaks, and other
security incidents in the cloud-native ecosystem.

3.1 Key supporting tooling includes


1. Cloud Security Monitoring and Logging
 Tools like cloud-native SIEM (Security Information and Event Management) solutions,
which aggregate and analyze security logs and events across the cloud environment.

2. Infrastructure as Code (IaC) Security Scanning:

 Tools that analyze Infrastructure as Code (IaC) templates, such as Terraform or
CloudFormation, to identify security misconfigurations and vulnerabilities.

3. Container Security Scanning

 Tools that scan container images for vulnerabilities, misconfigurations, and compliance
issues, both in the development and runtime phases.

4. Serverless Security Scanning:

 Tools that assess the security posture of serverless functions, including code analysis,
event monitoring, and runtime protection.

5. Identity and Access Management (IAM) Auditing:

 Tools that analyze and validate the complex web of IAM permissions and roles across
the cloud environment.

6. Threat Intelligence Integration

 Tools that integrate with external threat intelligence sources to enrich security monitoring
and detection capabilities.

7. Compliance and Regulatory Frameworks:

 Tools that provide pre-built templates, policies, and automation for compliance with
various industry standards, such as NIST, HIPAA, or PCI-DSS.

8. Incident Response and Automation:

 Tools that support incident response workflows, including ticketing, playbook
management, and security orchestration and automated response (SOAR).

6. Cloud Infrastructure Entitlement Management (CIEM):

 Manages and monitors the complex web of permissions and identities
across the cloud environment.
 Enforces the principle of least privilege and helps prevent privilege
escalation and unauthorized access.

7. Threat Detection and Response:

 Provides advanced threat detection capabilities, including behavioral
analytics, anomaly detection, and incident response automation.
 Enables early identification and mitigation of security threats in the
cloud-native ecosystem.

8. Compliance and Regulatory Support:

 Assists in meeting various industry regulations and compliance standards,
such as HIPAA, PCI-DSS, and SOC 2.

3.3 Components of Cloud Computing Architecture


1. Client Layer
 This layer comprises the end-user devices, such as desktops, laptops,
smartphones, and tablets that access the cloud services.
 The client layer interacts with the cloud through web browsers,
mobile apps, or specialized software clients.
2. Application Layer
 This layer consists of the cloud-based applications and
services that users access and utilize, such as web applications,
enterprise software, and SaaS (Software-as-a-Service)
offerings.
 The application layer is hosted and managed by the cloud
service provider.
3. Platform Layer
 This layer provides the runtime environment, tools, and
frameworks for developing, deploying, and managing cloud-
based applications.
 It includes Platform-as-a-Service (PaaS) offerings, such as
cloud-based databases, middleware, and application
development platforms.
4. Infrastructure Layer:

 This layer comprises the fundamental computing resources,
including virtual machines, containers, storage, and
networking, that form the backbone of the cloud infrastructure.
 It includes Infrastructure-as-a-Service (IaaS) offerings, such as
cloud-based compute, storage, and network services.
5. Data Center Layer
 This layer represents the physical data centers and server
hardware that house the cloud infrastructure and support the
computing, storage, and networking resources.
 Cloud service providers manage and maintain the data center
layer to ensure availability, scalability, and reliability of the
cloud services.
6. Management and Orchestration Layer
 This layer oversees the provisioning, configuration, and
management of the cloud resources across the different layers.
 It includes tools and services for resource allocation, load
balancing, automation, and monitoring of the cloud
environment.
7. Security and Governance Layer
 This layer encompasses the security controls, policies, and
compliance measures implemented to protect the cloud-based
systems, data, and user access.
 It includes identity and access management, data encryption,
compliance monitoring, and security incident response.
8. Network and Connectivity Layer
 This layer manages the network infrastructure, including the connectivity
between the client devices, cloud services, and data centers.

4.1 Three main cloud storage types

1. Object Storage
 Object storage is often used to store data for cloud-native applications, such as
user-generated content, media assets, and backups.
 A CNAPP needs to provide security controls and policies to protect data stored in
object storage, such as access management, encryption, and versioning.
2. File Storage
 File storage is commonly used for shared file access and content repositories in
cloud-native environments.
 A CNAPP should offer security mechanisms to control access, manage permissions,
and protect the integrity of data stored in file storage.
3. Block Storage
 Block storage is often used to provide persistent storage for cloud-native
applications, such as databases and virtual machine disks.
 A CNAPP should integrate with block storage services to ensure secure
provisioning, access control, and data protection for these critical storage
resources.

4.2 Cloud storage capabilities of a comprehensive CNAPP

 Identity and Access Management: Enforce strict access controls and identity-
based policies to govern who can access and interact with cloud storage resources.
 Data Encryption: Offer transparent encryption of data at rest and in transit to
protect the confidentiality of sensitive information.
 Threat Detection: Monitor cloud storage usage and activities to detect and
respond to suspicious behavior or potential security breaches.
 Compliance and Regulatory Support: Assist in meeting industry regulations
and compliance standards related to data storage and protection.
 Backup and Disaster Recovery: Integrate with cloud storage services to enable
secure backup, restoration, and disaster recovery capabilities.

4.3 Two Types of cloud computing services (CNAPP)
1. Deployment model
2. Service model
The deployment model has three types:
 Public cloud
 Hybrid cloud
 Private cloud
1. Public cloud
 A public cloud is a cloud computing model where services are delivered over the internet
by third-party providers. Resources like servers and storage are shared among multiple
tenants.
 CNAPP in Public Cloud: CNAPP solutions are essential in the public cloud to ensure
security across diverse and potentially unsecured environments. They provide continuous
monitoring, threat detection, and compliance management tailored to the shared
infrastructure of public clouds.
Example
 Amazon Web Services (AWS)
 Google Cloud, etc.

2. Hybrid cloud
 Hybrid cloud is just what it sounds like: a combination of public and
private cloud environments.
 This enables the organization to meet its technical and business objectives
more effectively than it could with public or private cloud alone.
Example
 Microsoft, AWS, Google, etc.

3. Private Cloud

 A private cloud is a cloud computing environment exclusively dedicated to a single
organization, either managed internally or by a third party.
 CNAPP in Private Cloud: CNAPP helps enforce stringent security controls in
private clouds, providing tailored protection for sensitive workloads. It ensures
compliance with internal policies and industry regulations, while also offering
deep visibility and control over all applications running within the private cloud.

4. Five types of cloud computing services a CNAPP needs to address
The service model has five types:
 Infrastructure as a Service (IaaS)
 Platform as a Service (PaaS)
 Software as a Service (SaaS)
 Function as a Service (FaaS)
 Container as a Service (CaaS)

1. Infrastructure as a Service (IaaS)


 Provides on-demand access to fundamental computing resources, such as virtual
machines, storage, and networking.
 A CNAPP should integrate with IaaS providers to secure the underlying infrastructure,
manage access, and ensure compliance.
2. Platform as a Service (PaaS)
 Offers a complete platform, including operating systems, middleware, and
runtime environments, for building and deploying applications.
 A CNAPP should extend its protection to the platform components, including
securing the application runtime, development tools, and platform-level
configurations.
3. Software as a Service (SaaS)
 Delivers software applications over the internet, with the provider managing the
infrastructure and software.
 A CNAPP should integrate with SaaS applications to enforce access controls,
monitor user activities, and ensure data protection.
4. Function as a Service (FaaS)
 Provides a serverless computing model where the cloud provider manages the
execution of individual functions or microservices.
 A CNAPP should secure the FaaS environment, including managing function-level
access, monitoring function invocations, and protecting function-related data.
5. Container as a Service (CaaS)
 Offers a platform for managing and orchestrating containerized applications, such
as Docker and Kubernetes.
 A CNAPP should integrate with the CaaS platform to secure container images,
enforce container-level security policies, and monitor container runtime activities.

5.1 Future trends in CNAPP:
1. Increased Automation and AI Integration

Future CNAPPs will likely incorporate more advanced automation and artificial
intelligence (AI) capabilities. AI-driven threat detection and response will enable
faster identification and remediation of security incidents. Machine learning
algorithms will continuously learn from new threats, improving the accuracy and
efficiency of security measures.

2. Zero Trust Security Models

As the Zero Trust security model gains traction, CNAPPs will increasingly adopt
its principles. This approach assumes that no entity, whether inside or outside the
network, should be trusted by default. CNAPPs will focus on verifying every
access request, ensuring robust identity and access management across cloud-
native environments.

3. Integration with DevSecOps

The integration of security into the DevOps pipeline, commonly known as
DevSecOps, will become more seamless. CNAPPs will be designed to integrate
directly with continuous integration/continuous deployment (CI/CD) pipelines,
enabling security checks to be automated at every stage of the development
process. This shift will help catch vulnerabilities earlier and ensure that security is
a shared responsibility among development, operations, and security teams.

4. Expansion of Multi-Cloud Support

As more organizations adopt multi-cloud strategies, CNAPPs will need to offer
robust support for securing applications across multiple cloud providers. This
trend will drive the development of platforms that can provide consistent security
controls, visibility, and compliance management across diverse cloud
environments.

5. Focus on Data-Centric Security

With the increasing importance of data privacy and protection, future CNAPPs
will place a stronger emphasis on data-centric security. This will involve
advanced encryption, data masking, and tokenization techniques to protect
sensitive data throughout its lifecycle, regardless of where it resides in the cloud.

6. Enhanced Container and Kubernetes Security

As containers and Kubernetes become standard in cloud-native application
development, CNAPPs will evolve to offer more specialized security features for
these technologies. This includes enhanced runtime protection, vulnerability
scanning, and compliance checks tailored specifically for containerized
applications and Kubernetes clusters.

7. Improved User Experience and Usability


To accommodate the growing complexity of cloud environments, future CNAPPs will focus on
improving user experience (UX) and usability. Simplified interfaces, intuitive dashboards, and
streamlined workflows will make it easier for security teams to manage and monitor security
across large-scale, dynamic cloud environments.

8. Proactive Threat Hunting

Proactive threat hunting capabilities will become a key feature of CNAPPs.
Instead of solely relying on automated threat detection, these platforms will
enable security teams to actively search for and neutralize threats before they
cause damage. This proactive approach will be driven by advanced analytics and
real-time threat intelligence.

9. Security as Code (SaC)

Security as Code (SaC) will become more prevalent, with security policies and
configurations being defined and managed as code. CNAPPs will support SaC by
allowing organizations to codify security practices and integrate them directly into
the development and deployment process. This will ensure that security is
consistently applied and easily repeatable across different environments.
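
Security as Code as described above, applied to the storage controls named in section 4.1 (access management, encryption, versioning): rules live in version control and a pipeline step evaluates them before deployment. This is an added example, not from the original paper; the inventory format, rule ids and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    rule_id: str                       # hypothetical identifier
    applies_to: str                    # resource "type" the rule covers
    description: str
    check: Callable[[dict], bool]      # True when the resource complies
    severity: str = "high"


# Policy set kept as code next to the deployment definitions.
RULES = [
    Rule("STO-001", "object_storage", "public access must be blocked",
         lambda r: r.get("public_access") is False),
    Rule("STO-002", "object_storage", "encryption at rest must be enabled",
         lambda r: r.get("encryption", {}).get("at_rest") is True),
    Rule("STO-003", "object_storage", "versioning must be enabled",
         lambda r: r.get("versioning") is True, severity="medium"),
    Rule("BLK-001", "block_storage", "volumes must be encrypted",
         lambda r: r.get("encrypted") is True),
]

# Constructed resource inventory, e.g. exported from a deployment plan.
INVENTORY = [
    {"type": "object_storage", "name": "media-assets", "public_access": False,
     "encryption": {"at_rest": True}, "versioning": True},
    {"type": "object_storage", "name": "user-uploads", "public_access": True,
     "encryption": {"at_rest": True}, "versioning": False},
    {"type": "object_storage", "name": "backups", "encryption": "unknown"},
    {"type": "block_storage", "name": "db-volume", "encrypted": True},
]


def evaluate(resources, rules=RULES):
    """Apply every matching rule to every resource and collect violations."""
    violations = []
    for res in resources:
        for rule in rules:
            if rule.applies_to != res.get("type"):
                continue
            try:
                compliant = rule.check(res)
            except (AttributeError, TypeError):
                compliant = False      # malformed attribute: fail closed
            if not compliant:
                violations.append({"resource": res.get("name", "<unnamed>"),
                                   "rule": rule.rule_id,
                                   "severity": rule.severity,
                                   "detail": rule.description})
    return violations


def gate(violations, fail_on=("high",)):
    """Exit code for a CI/CD step: non-zero blocks the deployment."""
    return 1 if any(v["severity"] in fail_on for v in violations) else 0


if __name__ == "__main__":
    found = evaluate(INVENTORY)
    for v in found:
        print(f'{v["severity"]:6} {v["rule"]} {v["resource"]}: {v["detail"]}')
    raise SystemExit(gate(found))
```

Missing or malformed attributes count as violations, so a resource that omits a setting cannot pass the gate by default.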

5.2 Conclusion

The Cloud-Native Application Protection Platform (CNAPP) is a critical tool for organizations
adopting cloud-native technologies. By integrating multiple security functions into a unified
platform, CNAPP provides comprehensive, scalable, and automated protection for modern cloud
environments. While it offers significant advantages, such as real-time protection and
compliance, organizations must also consider challenges like complexity, cost, and potential
vendor lock-in. Overall, CNAPP represents a strategic investment in securing cloud-native
applications, aligning security with the dynamic and flexible nature of the cloud.
