Evaluating CNAPP Solutions for AWS
Table of Contents
- Introduction
- Agentless Deployment
- Kubernetes Support
- Group Resources / AWS Accounts by Business Unit, Environment, etc
- Image & Container Scanning
- Scan File Systems (EBS & EFS)
- Customizable Scheduled Scans & On-Demand Scans
- Inventory Management
- Patch Management
- Flag Insecure Cloud Configuration
- IAM Scanning: Flag Privilege Leaks / Overly Permissive Policies / Permission Escalations
- Anti-Malware
- Scan Infrastructure as Code (IaC) & Configuration as Code (CaC)
- CIS Benchmarks: AWS, Kubernetes & EC2 OS
- Integration with AWS Security Services: GuardDuty, CloudTrail, etc
- Customizable Security Policies
- Third-Party Integrations
- Multi-Cloud & On-Prem Support
- Comprehensive, Customizable, Scheduled Reporting & Executive Dashboards
- Intrusion Detection & Lateral Movement Detection
- Data Classification: PII / PHI in S3, etc
- Conclusion
- About the Author ✍🏻
Introduction
CNAPP stands for Cloud-Native Application Protection Platform. It is a relatively new category of security product that combines the capabilities of the Cloud Security Posture Management (CSPM) & Cloud Workload Protection Platform (CWPP) categories into a single platform.
Coined by Gartner, the term recognizes the need for solutions that address every aspect of security in a cloud-native environment, including ephemeral, containerized & serverless workloads.
QloudX has been evaluating several CNAPP solutions for one of our enterprise clients, for several months now. This article sums up the aspects & key features we look for in a product, during our POCs.
Agentless Deployment
Having used agent-based solutions for years, we realize very well the amount of effort it takes to maintain agents. We’re also painfully aware that no matter how hard we try, there’s always a significant percentage of our workloads that have broken, misconfigured, or just plain missing agents. As such, an agentless solution to cloud security would be very welcome indeed.
Having said that, we also recognize the limitations of agentless solutions & where agents shine. For example, getting runtime process information from EC2 instances is clearly something you need agents for.
So what we’re looking for is a hybrid solution, one that can gain most of its insights from the very comprehensive AWS service APIs, but also provide an optional agent for workloads where we need additional visibility.
Kubernetes Support
70%+ of our workloads run on Kubernetes, so Kubernetes security is a big deal for us. We welcome solutions that can either use AWS IAM & Kubernetes RBAC to look into our clusters from the outside, or provide a container agent we can deploy into the clusters ourselves, say as a DaemonSet.
Group Resources / AWS Accounts by Business Unit, Environment, etc
Operating at the scale we do, grouping accounts & resources by business unit or by application environment (dev, QA, prod) & delegating their management & responsibility to individual teams is a must-have for us.
This grouping must reflect across the CNAPP product, especially in reporting since you really can’t hold a team accountable for a part of your cloud footprint unless they have their own “view” & reports & dashboards for their apps & infrastructure.
Image & Container Scanning
As mentioned earlier, 70%+ of our apps run in Kubernetes, so image & container scanning is unavoidable.
Image scanning refers to scanning static container images at rest in registries like (private) ECR. The CNAPP must be able to reach these images via AWS APIs & scan them for known vulnerabilities, e.g. in open-source dependencies & OS packages baked into the image.
Container scanning refers to continuously scanning the containers actually running in our Kubernetes clusters & flagging newly disclosed vulnerabilities in them, including ones that were not yet known when their images were scanned before deployment.
Scan File Systems (EBS & EFS)
Scanning EBS volumes is critical for two reasons:
- It is the only way an agentless CNAPP can inspect OS packages: the platform snapshots the volume & analyzes the snapshot in its own environment, so nothing has to run on the instance itself
- EC2-based applications tend to store a lot of their data outside of databases as well, mostly on their underlying file systems
As such, the ability to scan file systems in general is very useful as a basis for further checks, such as looking for vulnerable / outdated OS packages, misplaced secrets, sensitive data, etc.
Customizable Scheduled Scans & On-Demand Scans
Most security products come with their own cadence for when & how they run their scans. The ability to customize this is fairly standard, but it's still something you should verify on your end. Depending on whether the scans run inside your own cloud accounts or in the CNAPP vendor's SaaS environment, they can have a measurable impact on your workloads, so the ability to schedule them outside business hours, for example, is very important.
On-demand scans are very useful in some cases. For example, we build golden AMIs & golden Docker images for our entire organization & the convenience of scanning them right there in the pipeline, while they’re being built, is a big plus.
Inventory Management
Once again, our scale makes it quite difficult to keep track of all our cloud infrastructure. The simple ability of a CNAPP solution to use AWS APIs to maintain an always up-to-date inventory of our resources is very useful, especially in cases where this data can be used to gain insights like which boxes are missing agents.
Patch Management
Building on the ability to scan EC2 root volumes & OS packages, there is a clear need for a centralized view of which instances are running outdated, unpatched or potentially vulnerable packages, & a way to address them on a regular cadence.
Flag Insecure Cloud Configuration
There are so many nuances to every AWS service & so many ways to configure them improperly, and some of these mistakes can cost a lot more than a broken workload. A CNAPP that continuously looks for misconfigured or neglected AWS resources, like security groups open to the internet or unencrypted storage, comes in very handy here.
IAM Scanning: Flag Privilege Leaks / Overly Permissive Policies / Permission Escalations
Extending the above point: enforcing least privilege across IAM user & role policies, as well as resource policies, is not easy. A code reviewer can only do so much to ensure no insecure policy makes it from Terraform to the cloud; the only way to continuously catch such slip-ups after the fact is automated IAM analysis by the CNAPP.
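As an added example (not a QloudX tool or any vendor's product), here is the kind of check such automation performs: a small Python analyzer that walks IAM policy documents & flags wildcard actions or resources, NotAction grants, and well-known privilege-escalation primitives such as iam:PutUserPolicy on Resource "*" or iam:PassRole combined with lambda:CreateFunction. The sample policies and the escalation list are constructed for illustration; the analyzer ignores Conditions & does not evaluate Deny statements against Allows, which a real policy engine must do.

```python
"""Flag overly permissive IAM statements and common privilege-escalation primitives.

Added example for this article; not QloudX's code or any CNAPP vendor's engine.
Sample policies and the escalation list are constructed for illustration.
Caveats: Conditions are ignored and Deny statements are not evaluated against
Allows, so treat findings as leads, not verdicts."""
import fnmatch

# Actions that, granted on Resource "*", let a principal widen its own access.
# Well-known paths; the list is illustrative, not exhaustive.
ESCALATION_ACTIONS = {
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
}
# Only dangerous together with iam:PassRole: the service then runs code as the passed role.
PASSROLE_COMBOS = {"lambda:CreateFunction", "ec2:RunInstances", "glue:CreateDevEndpoint"}


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(granted, action):
    """True if `action` is covered by any granted action; IAM wildcards are
    case-insensitive and '*' may span the service prefix."""
    return any(fnmatch.fnmatchcase(action.lower(), g.lower()) for g in granted)


def analyze_policy(policy):
    """Return (sid, finding) tuples for risky Allow statements in one policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_resource = "*" in resources
        if "NotAction" in stmt:
            findings.append((sid, "NotAction grants everything except the listed actions"))
        if "*" in actions or "*:*" in actions:
            findings.append((sid, "Action is a full wildcard"))
            continue  # nothing more specific to say about full admin
        if any(a.endswith(":*") for a in actions):
            findings.append((sid, "Action grants an entire service with ':*'"))
        if wildcard_resource and actions:
            findings.append((sid, "Resource is '*'"))
        if wildcard_resource:
            for esc in sorted(ESCALATION_ACTIONS):
                if _matches(actions, esc):
                    findings.append((sid, f"{esc} on Resource '*' enables privilege escalation"))
            if _matches(actions, "iam:PassRole"):
                for combo in sorted(PASSROLE_COMBOS):
                    if _matches(actions, combo):
                        findings.append((sid, f"iam:PassRole + {combo} on Resource '*' enables privilege escalation"))
    return findings


# Constructed sample policies (account 123456789012 is the AWS documentation placeholder).
SAMPLE_POLICIES = {
    "admin-ish": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AllTheThings", "Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "sneaky-dev": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadLogs", "Effect": "Allow",
             "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
             "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/*"},
            {"Sid": "Deploy", "Effect": "Allow",
             "Action": ["lambda:CreateFunction", "iam:PassRole", "iam:Put*"],
             "Resource": "*"},
            {"Sid": "NoDelete", "Effect": "Deny", "Action": "iam:Delete*", "Resource": "*"},
        ],
    },
    "least-privilege": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "ReadOneBucket", "Effect": "Allow",
                       "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"]}],
    },
}

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(f"{name}:")
        for sid, finding in analyze_policy(policy) or [("-", "no findings")]:
            print(f"  {sid}: {finding}")
```

The "sneaky-dev" policy is the interesting case: its reviewer-friendly Sid "Deploy" hides iam:Put* on Resource "*" (three escalation paths) plus the iam:PassRole + lambda:CreateFunction combination, which is exactly what a human reviewer tends to wave through.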
Anti-Malware
If a solution can scan OS file systems, it can use the same scans to look for malware, in addition to other points of interest like PII or secrets. Malware on a system is often a symptom of a larger issue, such as an intrusion into your network, so it must be addressed immediately.
Scan Infrastructure as Code (IaC) & Configuration as Code (CaC)
We rely heavily on Terraform & Ansible to create & manage our cloud footprint. A service that scans the Terraform & Ansible code for issues before they get deployed, ideally in the CI pipeline, would be a very welcome addition.
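An added example of the pre-deployment check described here (not QloudX's or any vendor's code): a Python script that reads the JSON produced by `terraform show -json plan.out` & flags security groups open to the world on non-web ports, unencrypted EBS volumes & publicly accessible RDS instances. The same rules apply unchanged to live resources pulled from the describe_* APIs, which is what the "Flag Insecure Cloud Configuration" section above asks for. The sample plan is constructed; the attribute names (ingress, cidr_blocks, encrypted, storage_encrypted, publicly_accessible) are those of the AWS Terraform provider.

```python
"""Check a Terraform plan (terraform show -json plan.out) for common AWS misconfigurations.

Added example for this article; not QloudX's code or any CNAPP vendor's engine.
The sample plan is constructed. Attribute names follow the AWS Terraform
provider (ingress, cidr_blocks, encrypted, storage_encrypted, publicly_accessible).
Caveat: values unknown until apply are absent from planned_values, so a missing
`encrypted` is reported as a finding because the AWS default is unencrypted
unless account-level default EBS encryption is turned on."""
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}
ADMIN_PORTS = {22, 3389}


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    for res in module.get("resources") or []:
        yield res
    for child in module.get("child_modules") or []:
        yield from iter_resources(child)


def _rule_finding(address, rule):
    """Classify one ingress rule; None means acceptable."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & WORLD:
        return None
    proto, lo, hi = str(rule.get("protocol")), rule.get("from_port"), rule.get("to_port")
    if proto == "-1":
        return (address, "HIGH", "ingress open to the world on all ports & protocols")
    if proto == "tcp" and lo == hi and lo in WEB_PORTS:
        return None  # public web ports are expected to be world-reachable
    if proto == "tcp" and isinstance(lo, int) and isinstance(hi, int) \
            and any(lo <= p <= hi for p in ADMIN_PORTS):
        return (address, "HIGH", f"admin port reachable from the world ({proto} {lo}-{hi})")
    return (address, "MEDIUM", f"ingress open to the world ({proto} {lo}-{hi})")


def check_plan(plan):
    """Return (address, severity, message) findings for the planned resources."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        addr, rtype, vals = res["address"], res["type"], res.get("values") or {}
        if rtype == "aws_security_group":
            for rule in vals.get("ingress") or []:
                f = _rule_finding(addr, rule)
                if f:
                    findings.append(f)
        elif rtype == "aws_security_group_rule" and vals.get("type") == "ingress":
            f = _rule_finding(addr, vals)
            if f:
                findings.append(f)
        elif rtype == "aws_ebs_volume" and vals.get("encrypted") is not True:
            findings.append((addr, "MEDIUM", "EBS volume is not encrypted at rest"))
        elif rtype == "aws_db_instance":
            if vals.get("storage_encrypted") is not True:
                findings.append((addr, "MEDIUM", "RDS storage is not encrypted at rest"))
            if vals.get("publicly_accessible") is True:
                findings.append((addr, "HIGH", "RDS instance is publicly accessible"))
    return findings


# Constructed plan in the shape `terraform show -json` emits (only the fields used here).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_security_group.web", "mode": "managed", "type": "aws_security_group",
             "name": "web", "values": {"ingress": [
                 {"from_port": 443, "to_port": 443, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
                 {"from_port": 22, "to_port": 22, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
            {"address": "aws_ebs_volume.data", "mode": "managed", "type": "aws_ebs_volume",
             "name": "data", "values": {"size": 100, "encrypted": False}},
        ],
        "child_modules": [{"address": "module.db", "resources": [
            {"address": "module.db.aws_db_instance.main", "mode": "managed", "type": "aws_db_instance",
             "name": "main", "values": {"storage_encrypted": True, "publicly_accessible": True}},
            {"address": "module.db.aws_security_group_rule.all_in", "mode": "managed",
             "type": "aws_security_group_rule", "name": "all_in",
             "values": {"type": "ingress", "from_port": 0, "to_port": 0, "protocol": "-1",
                        "cidr_blocks": ["0.0.0.0/0"]}},
        ]}],
    }},
}

if __name__ == "__main__":
    # Usage: terraform show -json plan.out > plan.json && python3 check_plan.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for addr, sev, msg in check_plan(plan):
        print(f"[{sev}] {addr}: {msg}")
```

Running it on the sample plan yields four findings: SSH open to the world on the web security group (443 is deliberately allowed), an unencrypted EBS volume, a publicly accessible RDS instance inside a module, and an all-traffic ingress rule. Wire the script into the pipeline so a non-empty result fails the plan stage before anything reaches the cloud.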
CIS Benchmarks: AWS, Kubernetes & EC2 OS
Ensuring ongoing compliance with the dozens of CIS Benchmarks out there, for everything from AWS to Kubernetes, EKS & the operating systems on our EC2 instances, is an endless project in itself. Having our CNAPP help us with this would be great.
Integration with AWS Security Services: GuardDuty, CloudTrail, etc
At the very least, any CNAPP should be able to pull events from sources like GuardDuty & CloudTrail. It's even better if these events are used as additional context to prioritize the issues the CNAPP itself detects. Clearly, an overly permissive security group that no workload is attached to is much lower priority than an internet-facing EC2 instance that GuardDuty reports as the target of a brute-force attack.
Customizable Security Policies
No organization can adhere 100% to the policies that come out of the box with any compliance framework; there are always organizational policies that make more sense for the environment you operate in. A CNAPP nagging you with irrelevant alerts from inapplicable policies is the last thing you need, so you must be able to snooze, silence or disable policies that do not apply to you, and ideally define your own.
Third-Party Integrations
No single tool can do it all. Integration with other tools is essential for building a workflow that actually gets the issues at hand fixed. For example:
- Integrate your CNAPP with Jira to create actionable issues out of security alerts, that are auto-assigned to the right people
- Integrate your CNAPP directly into your code repository to scan application code at rest, Terraform, Ansible, etc
- Integrate your existing workflows with the CNAPP’s APIs to create custom automation flows for increased productivity
Multi-Cloud & On-Prem Support
Multi-cloud is a reality these days. It’s a simple fact that some services are just better in other clouds. If you’re serious about creating the best apps, you might end up using a few services from other clouds. Your CNAPP should be able to accommodate this as well.
Operating at the scale we do, we still have a significant on-prem footprint. A whole different suite of tools exists to keep it secure, but if a CNAPP can extend off-cloud & on-prem, that would be great too. Especially where agents are involved, it should be possible to install the same agents you use on EC2 instances on on-prem virtual machines.
Comprehensive, Customizable, Scheduled Reporting & Executive Dashboards
Reporting is crucial; no reporting equals no visibility in most cases. Since an org-wide CNAPP will be the go-to place for executives to track the enforcement of security policies, dashboards & customizable, scheduled reports are something we cannot ignore.
Intrusion Detection & Lateral Movement Detection
Although not a core CNAPP capability, the ability to detect malicious or anomalous activity, either inside EC2 instances using agents or in the cloud environment in general (e.g. from CloudTrail activity), would be a welcome addition to our security tooling. With agents across VMs, the platform can reconstruct an intruder's lateral movement across our systems, which is very useful during the postmortem of such events & lets us quarantine the right systems instead of taking a blanket approach.
Data Classification: PII / PHI in S3, etc
This falls some way outside a CNAPP's expected capabilities but fits in very well with CNAPP features like file system & S3 scanning. Since the CNAPP already has access to data at rest, it can look for sensitive data that shouldn't be there, or that should be masked or secured better. This is done primarily with regular expressions, ideally backed by validation such as checksums to keep the false-positive rate tolerable.
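As an added example (not from the article or any vendor), the following Python scanner ties together the file system, anti-malware & data classification sections above: it walks a directory tree standing in for a mounted EBS snapshot, hashes each file against a known-bad list, and applies regexes for secrets (AWS access key IDs, PEM private keys) & PII (US SSNs, and card numbers validated with the Luhn checksum to cut false positives). The sample files & the "known-bad" hash are constructed; a real deployment would take hashes from a threat-intel feed & tune the patterns to its own data.

```python
"""Scan a file tree (e.g. a mounted EBS snapshot) for known-bad hashes, secrets and PII.

Added example for this article; not QloudX's code or any CNAPP vendor's engine.
The sample files and the known-bad hash are constructed; in practice the hash
list comes from a threat-intel feed and the patterns are tuned per environment."""
import hashlib
import os
import re
import tempfile

MAX_BYTES = 5_000_000  # skip huge files; a hash must cover the whole file to be meaningful

# Constructed stand-in for a threat-intel hash feed.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"CONSTRUCTED-MALWARE-SAMPLE-NOT-REAL\n").hexdigest()}

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
PII_PATTERNS = {
    # Area 000/666/9xx, group 00 and serial 0000 are never issued.
    "us_ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-16 digits with optional separators; confirmed with Luhn below.
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def _luhn_ok(candidate):
    """Luhn checksum; rejects most order IDs and timestamps that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_tree(root):
    """Return sorted (relative_path, category, detail) findings for every file under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            digest = hashlib.sha256(data).hexdigest()
            if digest in KNOWN_BAD_SHA256:
                findings.append((rel, "malware", f"sha256 {digest} is on the known-bad list"))
            text = data.decode("utf-8", errors="ignore")
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append((rel, "secret", kind))
            for kind, pattern in PII_PATTERNS.items():
                hits = (m.group(0) for m in pattern.finditer(text))
                if any(kind != "credit_card" or _luhn_ok(h) for h in hits):
                    findings.append((rel, "pii", kind))
    return sorted(findings)


def build_sample_tree(root):
    """Write constructed files mimicking what a mounted root volume might contain."""
    samples = {
        "home/app/.env": b"DB_URL=postgres://app@db/app\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
        "etc/ssl/private/server.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedkeymaterial\n-----END RSA PRIVATE KEY-----\n",
        "var/app/exports/customers.csv": b"name,ssn,card\nJane Doe,123-45-6789,4111 1111 1111 1111\n",
        "var/app/exports/orders.csv": b"order,ref\n42,1234 5678 9012 3456\n",  # fails Luhn: not a card
        "tmp/.cache/x": b"CONSTRUCTED-MALWARE-SAMPLE-NOT-REAL\n",
        "var/log/app.log": b"2024-05-01T10:00:00Z INFO started\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def run_demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, category, detail in run_demo():
        print(f"{category:8} {rel}: {detail}")
```

The orders.csv file is the point of the Luhn step: its 16-digit reference looks exactly like a card number to the regex alone, and without the checksum every such export would light up as PHI/PCI data. Point scan_tree at the mount point of a snapshot to run it against a real volume.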
Conclusion
Although this list of requirements might seem daunting & it may look like we're looking for a unicorn, we understand that no single product is likely to provide all these features & do them all well. Still, it is a good set of lenses through which to look at any product, based on which requirements are must-haves for your cloud environment & which aren't. I hope this article serves as a good reference if & when you embark on acquiring a CNAPP solution. 😊
About the Author ✍🏻
Harish KM is a Principal DevOps Engineer at QloudX & a top-ranked AWS Ambassador since 2020. 👨🏻💻
With over a decade of industry experience as everything from a full-stack engineer to a cloud architect, Harish has built many world-class solutions for clients around the world! 👷🏻♂️
With over 20 certifications in cloud (AWS, Azure, GCP), containers (Kubernetes, Docker) & DevOps (Terraform, Ansible, Jenkins), Harish is an expert in a multitude of technologies. 📚
These days, his focus is on the fascinating world of DevOps & how it can transform the way we do things! 🚀