CNAPP: what it is and how it could change the cloud security landscape

As if there weren’t already enough acronyms in the alphabet soup that comprises cloud terminology, it seems there’s one more to add to the pile: CNAPP. 

Dell’Oro Group Research Director Mauricio Sanchez told Silverlinings that CNAPP – or cloud-native application protection platforms – will be a key part of the cloud security landscape in 2023 as enterprises work to address vulnerabilities in the design and development phase of the application lifecycle. 

Mauricio Sanchez, Dell'Oro Group

Sanchez explained there are three primary phases in the aforementioned lifecycle: design and development, deployment, and runtime. Strangely, cloud security providers seem to have worked backwards when it comes to addressing these, he added.

It all started with cloud security posture management (CSPM), he said, which was introduced in the late 2000s to provide runtime protections to ensure API calls weren’t being subverted by boundary attacks or that hackers weren’t trying to inject malware into the network via a vulnerable library. Then came the cloud workload protection platform (CWPP) in the late 2010s. That helped ensure that deployments were configured correctly to avoid accidentally exposing credentials or other sensitive data and prevent data breaches.  

Now, there’s CNAPP, which is designed to address all three stages of the application lifecycle, including design and development. Sanchez said tackling the latter is critical, given the rise of open-source tools, to ensure that the libraries and code being used to build enterprise applications haven’t been infiltrated.

CNAPP isn’t completely new – the term was coined by Gartner at least two years ago. But as companies hustle to “catch up to where they should have been when they embraced the public cloud” to avoid what Sanchez called a “CNN moment” (see also, a major breach), enterprise cloud architects can expect to hear the term more often. A lot more. 

Dell’Oro predicted the cloud workload security market will surpass $6 billion in 2023, up from around $1.5 billion in 2020. 

While CSPM and CWPP solutions are still also on the table, Sanchez said “the momentum is behind the platform play that covers all three. There are still pure play tools…but by and large the market makers are fully behind CNAPP and I think that’s what enterprises will quickly land on.” 

In terms of what vendors are playing in this space, IDC data showed Trend Micro led the worldwide cloud workload security market as of the end of 2021. It was followed by Trellix, Sophos, Palo Alto Networks, Check Point, Lacework, CrowdStrike, Broadcom and Cisco. 

Sanchez said he thinks of the market as including three types of vendors: hyperscalers such as Microsoft and Google, portfolio vendors like CrowdStrike, Palo Alto and Cisco, and pure-play startups like Lacework and Orca. 

“That’s kind of the horse race that I’m tracking right now,” he concluded. “It will be very interesting the types of dynamics between these vendors.”