What Is a Cloud Native Application Protection Platform (CNAPP)?


Cloud Native Application Protection Platforms (CNAPPs) integrate and centralize otherwise disparate security functions into a single user interface. CNAPP, a category designated by Gartner, which we at Palo Alto Networks have historically called Cloud Native Security Platforms (CNSPs), combines functionality for Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), Cloud Infrastructure Entitlement Management (CIEM) and CI/CD security into a unified, end-to-end solution that secures cloud native applications across the full application lifecycle.

This approach provides visibility across silos and ensures security, cloud infrastructure and DevOps teams can deliver full-stack security. With CNAPPs, a single platform can protect applications at runtime while also integrating security into development workflows to identify and fix flaws early in the application lifecycle.

From Code to Cloud: Why You Need a Platform Like CNAPP

The problem for many organizations is that responses to cloud native security have been reactive, rather than proactive – dealing with issues as one-off problems, rather than addressing cloud security more holistically. They have adopted individual solutions or tools for each issue that comes up, and end up with a patchwork approach, which introduces even more problems, like:

  • Point solutions create more work. Managing a growing stack of tools eventually becomes its own workstream, and because most solutions don't communicate with each other without yet more work, teams get limited visibility and protection.

  • You can't apply consistent protections. Dozens of security tools can perform checks at single points in the application lifecycle, but without consistent controls across development, deployment and runtime, security and risk teams are stuck comparing disparate vulnerability and misconfiguration findings.

  • Separation creates blind spots. Most cloud security teams need to analyze threats across cloud services, workloads or applications, networks, data, and permissions. Without a single tool, blind spots emerge in the gaps between solutions.

For all this, CNAPPs offer a number of clear benefits.

Distributed Problems Need Integrated Solutions

One of the primary drivers for a comprehensive, integrated security platform is that cloud security requires multiple teams to navigate a difficult combination of both granular and overlapping duties across functional areas.

Infrastructure

Teams need to understand where their responsibilities begin and end under the shared responsibility model; data consistently shows that organizations tend to overestimate the protections and alerts their CSP will provide on their behalf. In addition, networking, storage and compute instances have overlapping needs that CSPM addresses, but each of those environments also needs controls for access and permissions that stem from CIEM.

Workloads and Applications

Similarly, the workloads and applications on that infrastructure require vulnerability management, compliance monitoring, policy enforcement and runtime protection. These are traditionally areas where either security teams or DevOps teams are expected to ensure protections are in place. However, those tools must be integrated with the data coming from CI/CD pipelines and extending into runtime for web applications and APIs.

Networks

These applications require a network that delivers reliable and safe connectivity. Securing network communications requires least-privileged access for workloads accessing other workloads and inline threat prevention.

Identity and Permissions

Underlying all of these areas, entitlements and permissions for cloud infrastructure and services must balance the need for distributed access with risk management to ensure there aren't excessive or outdated permissions that undermine all of your other efforts.
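The two conditions named above, excessive and outdated permissions, are what a CIEM check looks for. The following is an added illustration, not code from the page or from Prisma Cloud: it scans a constructed, IAM-style policy for a hypothetical role and flags wildcard grants (excessive) and granted actions that have not been exercised within a 90-day window (outdated). The policy, the last-used timestamps and the window are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from any real account): one role's policy
# statements plus per-action last-used timestamps as an entitlement
# service might report them. NOW is pinned so the example is deterministic.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)

ROLE_POLICY = [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-bucket/*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
     "Resource": "*"},
]

LAST_USED = {
    "s3:GetObject": NOW - timedelta(days=2),
    "s3:PutObject": NOW - timedelta(days=120),
    "secretsmanager:GetSecretValue": None,   # granted but never used
}

def _actions(stmt):
    """Normalize the Action field, which may be a string or a list."""
    a = stmt["Action"]
    return [a] if isinstance(a, str) else list(a)

def find_excessive(policy):
    """Excessive: wildcard actions, or concrete actions on every resource."""
    findings = []
    for stmt in policy:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _actions(stmt):
            if action == "*" or action.endswith(":*"):
                findings.append(("wildcard-action", action, stmt["Resource"]))
            elif stmt["Resource"] == "*":
                findings.append(("wildcard-resource", action, stmt["Resource"]))
    return findings

def find_outdated(policy, last_used, now=NOW, stale_after=STALE_AFTER):
    """Outdated: granted actions never used, or unused beyond the window."""
    findings = []
    for stmt in policy:
        for action in _actions(stmt):
            if action.endswith("*"):
                continue  # wildcards are reported by find_excessive
            used = last_used.get(action)
            if used is None:
                findings.append(("never-used", action))
            elif now - used > stale_after:
                findings.append(("stale", action))
    return findings
```

Each finding names the specific action and resource, which is what a remediation ticket or a policy rewrite toward least privilege needs.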

Coding and Development

Developers and DevOps teams are responsible for delivering high-quality code, which in most cases also means secure code, but it's up to security teams to provide the insights that DevOps needs to create secure code. Injecting security guardrails as early as possible requires cohesive tools that can cross the entire application lifecycle.

Each team needs to work closely to ensure these protections are consistently enforced, and CNAPPs are the integrated tools that help break down the silos that currently separate them.

How Did We Get Here?

Cloud native application development has matured to the point where certain assumptions can be taken more or less as facts. One early realization was that cloud environments are inherently diverse, disparate and distributed. For the professionals responsible for managing these dynamic, complex environments, a natural response was to turn around and impose consistency and uniformity. The logic is that managing risk in these environments becomes more difficult when it means coordinating a large set of point products, each suited to a specific set of requirements.

In order to secure cloud native applications and infrastructure, organizations need to adapt to be more agile and integrated. They need to be able to proactively address threats beginning in development and provide continuous security throughout the full development lifecycle, all the way through to runtime environments. In order to achieve this agility, they need new tools that are purpose-built for cloud native environments, which can span the full application development lifecycle and provide critical security information at the right point and right time.

We strongly believe that Prisma Cloud maps to the Gartner CNAPP category. You can download the complimentary report and review the full set of recommendations for yourself.