The Uptycs unified CNAPP and XDR platform was named as a representative vendor in the 2023 Gartner® Market Guide for Cloud-Native Application Protection Platforms (CNAPP).
Here are our top six takeaways from the 39-page report:
1. The attack surface of cloud-native applications is increasing—driving a desire for simplicity and unification.
As cloud native applications grow in number and scale, it’s not surprising that security teams are struggling to keep up with an increasingly complicated attack surface. This complexity also opens gaps that threat actors know how to take advantage of.
The Gartner CNAPP market guide explains the problem this way: “The attack surface of cloud-native applications is increasing. Attackers are targeting the misconfiguration of cloud infrastructure (network, compute, storage, identities and permissions), APIs and the software supply chain itself.”
Unfortunately, a piecemeal approach to cloud security, where you have a different solution for CWPP, CSPM, CIEM, etc., isn’t helping; it only creates more work and security visibility silos. Organizations are looking to CNAPPs to identify and close cloud security gaps and make their DevOps and security teams more productive.
Gartner explains this consolidation trend this way: “Another driver is the desire to reduce complexity by consolidating the number of security vendors. Data from the 2022 Gartner CISO: Security Vendor Consolidation XDR and SASE Trends Survey indicates a clear customer preference to consolidate vendors in the security space, with 92% of enterprises indicating they will be actively pursuing a vendor consolidation strategy by year-end 2022.”
CNAPPs need to unify various cloud security capabilities. Gartner makes this recommendation:
“A single vendor should implement a single data lake, data model and unified graph database for all event logging, reporting, alerting and relationship mappings. This enables the vendor to deliver against the vision of RiskOps — finding the root cause of the risk, identifying the person/team responsible for fixing it and risk-prioritizing the remediation efforts. This reduces the attack surface and shortens remediation times.”
Figure 1: Explosion in the Risk Surface Area of a Cloud-Native Application
2. CNAPP is about de-risking and integrating the full application lifecycle to achieve unified visibility.
The goal of unified CNAPP visibility is identifying, prioritizing, and remediating risk for cloud native applications. As Gartner puts it in the market guide: “The most significant driver is the need to unify risk visibility across the entire hybrid application and across the entire application life cycle. This simply cannot be achieved using separate and siloed security and legacy application testing offerings.”
Discrete CWPP, CSPM, CIEM, and other offerings offer data points—such as a software vulnerability, a connection to a known-malicious IP address, or risky entitlement—but do not tie together that information in a way that highlights the combined risk. CNAPP will help in that regard, according to Gartner: “CNAPP offerings operationalize cloud-native application risk (a concept referred to as RiskOps and introduced in Seven Imperatives to Adopt a CARTA Strategic Approach) by “connecting the dots” to help understand the effective risk across the multiple layers of a modern cloud-native application. Risk-prioritizing the findings is critical as developers and security professionals are overloaded with alerts and findings of siloed tools.”
Figure 2: Code-to-Cloud Risk Visibility, Prioritization and Remediation
3. CNAPP has evolved rapidly in the past few years and will continue to evolve and expand in scope to further consolidate niche tools.
CNAPP started as CSPM or CWPP, then added the other capability, and now it includes a broad array of cloud API, infrastructure, and identity components drawn from many other market segments and tools. According to Gartner, most organizations will have collapsed CWPP and CSPM tooling in a couple of years: “By 2025, 60% of enterprises will have consolidated cloud workload protection platform (CWPP) and cloud security posture management (CSPM) capabilities to a single vendor, up from 25% in 2022.”
At Uptycs, we believe that telemetry from endpoints, SaaS providers like GitHub, and identity providers is critical to securing cloud native applications. That’s the raison d'être for our Uptycs Unified CNAPP + XDR platform.
Figure 3: CNAPP Detailed View
4. Purchasing the right CNAPP for your org requires a cross-functional team with insight into various parts of your cloud estate, including the CISO, application security, security operations, and cloud architects.
Given the goal to unify visibility across the organization and increase collaboration across teams, Gartner recommends a vendor-selection team that spans departments: “Build a team for the evaluation and selection of CNAPP offerings with skills spanning cloud security, workload security (including containers), application and middleware security, development security and developers.” This is where a vendor with a single data model and a configurable, API-first approach will shine, as each team will likely be able to meet its unique requirements.
5. CNAPP requires balancing agility with security, so prioritize flexibility when choosing a CNAPP vendor.
You want your developers to keep moving fast. Your developers don’t want to expose the company to liability. The way to balance these two priorities is for the security team to build guardrails into the development and build process. Gartner offers an apt analogy: “There is a desire to integrate security and compliance testing seamlessly and transparently into modern DevOps (referred to as DevSecOps) in a manner that balances security and speed and doesn’t unnecessarily slow down digital innovation. Information security’s role shifts to one of providing the guardrails across the entire development pipeline, not gates. An analogy would be a racetrack where the guardrails are encountered by the driver only if there is a serious issue. Likewise, developers are allowed to innovate at their desired speed with little or no friction from security, unless a critical risk issue is identified. CNAPP offerings enable the construction of guardrails for a modern cloud-native application development pipeline.”
CNAPP vendors that offer a number of options when it comes to runtime visibility will also help, providing options for broad coverage (agentless workload scanning) and continuous runtime visibility (eBPF agents). Gartner emphasizes the need for flexibility: “Favor CNAPP vendors that provide a variety of runtime visibility techniques, including traditional agents, Extended Berkeley Packet Filter (eBPF) support, snapshotting, privileged containers and Kubernetes (K8s) integration to provide the most flexibility at deployment.”
6. Developers are key stakeholders and users of CNAPP and are increasingly responsible for security and operations within their organizations as it pertains to the cloud.
As such, CNAPPs need to integrate into existing developer workflows and CI/CD tooling, and provide as much context as possible in their alerts so that the developer can quickly understand the level of urgency and what needs to be done. In the market guide, Gartner notes: “Cloud security leaders looking to secure the rapid development needs of cloud-native applications should consider CNAPP offerings as an integrated, developer-centric solution. CNAPPs can improve the developer experience by integrating into their native development toolset as seamlessly and transparently as possible by reducing false positives and noise, by risk-prioritizing their remediation efforts and by providing specific remediation guidance to resolve the identified risk.”
Figure 4: Developers' Expanded Scope of Responsibility for Cloud-Native Applications
We’re seeing the market for cloud security rapidly evolve before our eyes as end-users scale their cloud native application deployments. The new Gartner market guide for CNAPP is a milestone, signaling a maturation of customer requirements and the vendor landscape. Are you thinking about CNAPP? We’ve put together the ultimate CNAPP buyer’s guide to help you prioritize the capabilities that are most important for your situation.
Gartner, Market Guide for Cloud-Native Application Protection Platforms, Neil MacDonald, Charlie Winckless, Dale Koeppen, 14 March 2023.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.