Google’s acquisition of Wiz, announced last week, is a pivotal moment as it marks a strategic shift in how cyber security will evolve over the next few years. It instantly turns Google into a major player in security, adding Wiz to other building blocks Google has racked up in the past couple of years, most notably Mandiant and Google Chronicle.
Google will be a new gorilla in the security market, just as Microsoft created a thriving, multi-billion dollar business out of the Defender product line. But while Microsoft has a long history of “owning” operating systems, servers, and Office applications, and is leveraging that to expand its footprint, Google is new to the enterprise security business.
CNAPP is Dead! Long Live CNAPP!
In the first phase of public cloud adoption, the “lift and shift” phase, CSPM (cloud security posture management) emerged to ensure proper configuration of cloud services, and CWPP (cloud workload protection platforms) to monitor and protect workloads running in the cloud.
The second phase of cloud adoption, the cloud native phase, driven by technologies such as containers, serverless functions, CI/CD, and orchestration (Kubernetes), imparted an even more dramatic change in security – the integration of multiple silos of application related security information.
It introduced integrated shift left capabilities, providing a broader risk-based approach to vulnerability management, hardening, and incident management. Thus CNAPP (cloud native application protection platforms) was born.
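To make the CSPM / CWPP / CNAPP distinction concrete, here is an added illustration (this is not Aqua's, Google's or Wiz's code, and it is not how any real product works): a few CSPM-style checks over cloud service configuration, a few CWPP-style checks over workload settings, and a CNAPP-style step that correlates both kinds of finding per resource and ranks them by aggregated risk. All resource records, check names and the severity scale are constructed for this example.

```python
"""Toy posture checks: CSPM-style (cloud service configuration), CWPP-style
(workload settings), and a CNAPP-style correlation of both into one
risk-ranked list. Added illustration, not any vendor's code. All sample
resources, check names and severities below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    check: str
    severity: int   # 1 (low) .. 4 (critical); this example's own scale
    layer: str      # "infra" (CSPM-style) or "workload" (CWPP-style)


# Constructed sample: cloud service configuration (the CSPM domain).
SAMPLE_STORAGE = [
    {"name": "customer-exports", "public_read": True, "encrypted": False},
    {"name": "build-cache", "public_read": False, "encrypted": True},
]
SAMPLE_FIREWALL = [
    {"name": "db-sg", "port": 5432, "source": "0.0.0.0/0"},
    {"name": "web-sg", "port": 443, "source": "0.0.0.0/0"},
]
# Constructed sample: container workload settings (the CWPP domain).
SAMPLE_WORKLOADS = [
    {"name": "api", "image": "registry.example/api:1.4.2",
     "privileged": False, "run_as_root": True, "known_cve_count": 3},
    {"name": "batch", "image": "registry.example/batch:latest",
     "privileged": True, "run_as_root": True, "known_cve_count": 0},
]

# Ports that should never be reachable from the whole internet (example set).
ADMIN_PORTS = {22, 3389, 3306, 5432}


def check_storage(buckets):
    """CSPM-style: flag world-readable and unencrypted storage."""
    out = []
    for b in buckets:
        if b["public_read"]:
            out.append(Finding(b["name"], "storage-public-read", 4, "infra"))
        if not b["encrypted"]:
            out.append(Finding(b["name"], "storage-unencrypted", 2, "infra"))
    return out


def check_firewall(rules):
    """CSPM-style: flag admin/database ports exposed to 0.0.0.0/0."""
    out = []
    for r in rules:
        if r["source"] == "0.0.0.0/0" and r["port"] in ADMIN_PORTS:
            out.append(Finding(r["name"], "admin-port-open-to-world", 4, "infra"))
    return out


def check_workloads(workloads):
    """CWPP-style: flag risky container settings and vulnerable images."""
    out = []
    for w in workloads:
        if w["privileged"]:
            out.append(Finding(w["name"], "privileged-container", 3, "workload"))
        if w["run_as_root"]:
            out.append(Finding(w["name"], "runs-as-root", 2, "workload"))
        if w["image"].endswith(":latest"):
            out.append(Finding(w["name"], "mutable-image-tag", 1, "workload"))
        if w["known_cve_count"] > 0:
            out.append(Finding(w["name"], "vulnerable-image", 3, "workload"))
    return out


def correlate(findings):
    """CNAPP-style: group findings per resource and rank by summed severity,
    so a resource with several medium issues can outrank one with a single
    critical issue. Returns (resource, score, sorted check names) tuples."""
    by_resource = {}
    for f in findings:
        by_resource.setdefault(f.resource, []).append(f)
    ranked = sorted(by_resource.items(),
                    key=lambda kv: (-sum(f.severity for f in kv[1]), kv[0]))
    return [(name, sum(f.severity for f in fs), sorted(f.check for f in fs))
            for name, fs in ranked]


def assess(buckets=SAMPLE_STORAGE, rules=SAMPLE_FIREWALL,
           workloads=SAMPLE_WORKLOADS):
    """Run all check families and return the correlated, risk-ranked view."""
    findings = check_storage(buckets) + check_firewall(rules) + check_workloads(workloads)
    return correlate(findings)


if __name__ == "__main__":
    for resource, score, checks in assess():
        print(f"{score:>2}  {resource:<18} {', '.join(checks)}")
```

The ranking is the point: the infrastructure checks and the workload checks each see only their own silo, and only after correlation does the `batch` workload (privileged, root, mutable tag) surface alongside the public storage bucket at the top of the list, which is the "integration of multiple silos" the paragraph above describes. Real products use far richer signals (reachability, identity, data sensitivity), but the shape of the pipeline is the same.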
In the early days of cloud services, the cloud providers adopted the shared responsibility model, in which some responsibilities were borne by them (such as infrastructure and physical security), others were clearly on the shoulders of customers (configuration of services, their data, their users, their applications), and there has been a non-negligible area of “shared responsibility” where the answer is often “it depends”.
I believe that with this move, Google is shifting the borders within this model and will be offering more of the posture management and visibility to customers as part of its infrastructure. After all, this is what Wiz has become famous for – agentless scanning of the cloud estate, providing broad visibility and risk assessment. And this is something a cloud provider can easily integrate into cloud operations. Microsoft is already there, and AWS will quickly close the gap.
Runtime protection is harder and much more specific to the application, and will always remain the responsibility of the application owner. Installing agents and integrating into code development processes is a demanding, time-consuming, and customer-specific journey. On the other hand, it provides much better security with real prevention capabilities and continuous improvement.
The next phase of cloud security is setting the demarcation line at the application boundary, letting cloud providers ensure that the infrastructure is hardened and well provisioned, while enterprise security teams connect “code to runtime and back”, ensuring a trusted application flow, and providing the SOC with better quality and broader context for alerts and incidents in cloud native applications.
So no, I don’t think CNAPP is dead – but it is moving into its next stage of maturity, one with a different emphasis.
What does the future hold for our customers?
Our focus was always about protecting cloud native applications, from code to runtime. I believe that code, application and workload security for cloud native applications will remain the purview of end-user organizations. After all, it is these applications that differentiate them competitively, not cloud infrastructure.
We’ve been hearing time and again from our customers that posture and risk management are just stage one of their cloud native security strategy. They understand that they must apply rigorous practices and controls over code development, continuously improving it – now more than ever with the increasing use of GenAI and LLMs. This keeps the known bad code and configurations out of production.
Customers also understand that no one can keep everything bad out of production. Real-time prevention, mitigation, detection and response are must-have capabilities that cannot be left to generic SIEM and XDR tools.
Additionally, despite promises to keep cloud provider solutions “multi-cloud”, many customers have an understandable aversion to having one cloud provider guard their assets running on other clouds, or on-prem. “Continuing to support multiple clouds” and “all features equally supported on all clouds” are not the same thing. Aqua’s strategy of truly supporting every platform that runs containers and serverless workloads equally has been one of the reasons for our success in large, multi-national enterprises.
While I cannot predict what others will do, I know where we are placing our bets – securing our customers’ cloud native applications now and into the future in a complex, multi-cloud and AI-driven future.