In this episode of The Virtual CISO Podcast, your host, John Verry, engages in a conversation with Arick Goomanovsky, Chief Product Officer at Tenable Cloud Security, as they explore key aspects of cloud security. Join us as we discuss:
- The essentials of Cloud Native Application Protection (CNAP)
- The role of Cloud Security Posture Management (CSPM)
- The importance of Cloud Infrastructure Entitlement Management (CIEM)
- The evolution of Cloud Workload Protection Platforms (CWPP)
John Verry (00:00.02)
That sounds good. Hey there, and welcome to yet another episode of The Virtual CISO Podcast. With you as always, your host, John Verry, and with me today Arick, and I’ll probably mess up the last name, Goomanovsky. Thank you, so I get a gold star for this morning; my day’s off to a good start, and your day is almost over right now as I’m speaking to you. You’re in Israel right now, right?
Arick (Tenable CS) (00:15.533)
That’s great. Yeah, you did extremely well.
Arick (Tenable CS) (00:27.437)
Yes, in Tel Aviv, in Forty and Roads.
John Verry (00:29.812)
Gotcha. Well, thank you. Thank you for staying on late so we can have this conversation. We’ll start easy. Tell us a little bit about who you are and what is it that you do every day.
Arick (Tenable CS) (00:39.693)
So welcome everyone, my name is Arick Goomanovsky. Today, I’m the Chief Product Officer for Tenable Cloud Security. Basically, I run the product and research organization for Tenable on the cloud security side of things. I joined Tenable actually pretty recently, late last year. We came as a team, as a group from a startup called Ermetic that Tenable acquired in October last year.
We started Ermetic in late 2019, so we’ve been on an independent route for four years before partnering with Tenable. And what we started doing at Ermetic, and continue doing even more successfully now that we’re part of Tenable, is helping organizations protect their public cloud infrastructure. So we work with companies that either basically lift and shift their traditional on-premise data centers into the cloud or build cloud-native applications from scratch, that have their or their customers’ sensitive data residing in the cloud. And we help them get better visibility into their cloud infrastructure, understand the risks their cloud infrastructure is exposed to, and also help them secure their sensitive data in the cloud. So that’s kind of what we do here in Tenable Cloud Security.
John Verry (01:55.892)
Excellent. And that’s what we’re here to talk about. But before we do, I always ask, what’s your drink of choice?
Arick (Tenable CS) (02:06.541)
That’s a great question. I would usually go with a signature cocktail. If there is nothing available, then my plain gin and tonic would do it.
John Verry (02:22.484)
Yeah, it’s funny you should say that, because you sound like me and my wife ordering. I’ll always look for one of the cocktails, right? Always try something different. It doesn’t matter what’s in it. I’m like, all right, let me give that one a try. Blue Curaçao, I don’t like it, but yeah, it sounds interesting. Let me give it a try. And then it’s funny because my wife is the straight G&T. With lemon, not lime. Any particular gin you favor?
Arick (Tenable CS) (02:41.869)
I would say Hendrick’s and Bombay Sapphire would be good.
John Verry (02:51.764)
Yeah, my wife is definitely a Hendrick’s person. So, yeah, more of that dry side of the gin tree, if you will. All right, so let’s get down to business, because I can talk alcohol a bit long. So, you know, there’s an old adage that says death and taxes are the only certainties in life. I think I would argue that in IT and IS, the other certainty is that we’re going to create acronyms that are going to confuse you, I think, just for the sake of doing it. And one of the acronyms that has really picked up quite a bit is CNAP, you know, and CSPM,
and then CIEM and CWPP. So I think part of the problem is that all of these acronyms create confusion, especially because now we see integrated applications that kind of blend a number of these together. So one of the goals of today’s podcast would be to, I’ll call it, demystify this challenge and try to help folks understand what the value prop is of these tools as more and more workloads are being moved to the cloud.
So starting simple, what is a CNAP? Is there a simple definition?
Arick (Tenable CS) (03:56.909)
I hope there is, but let me try my best. Basically, when you look at the cloud infrastructure, the big difference between cloud and on-premise is that you can basically get a lot of information about the various cloud resources and configurations directly from one source, which is the cloud service provider and the API the cloud service provider gives you.
Arick (Tenable CS) (04:24.813)
If you go to the on-premise world and you would think, okay, I want to secure your network environment, you would have to integrate with a variety of networking tools, firewalls, routers, what have you. You want to secure endpoints, you have to deploy an agent on servers or laptops. You want to get insights into identities, you probably have to integrate with Active Directory or Okta, those types of identity tools.
Arick (Tenable CS) (04:52.493)
When you’re talking about a cloud service provider, a lot of that is coming from a single source. Once all that information is coming from a single source, you can much more easily integrate that information together. So you can integrate the networking insights, the workload insights, the identity insights, and bring them together and correlate them in a smart way in a single platform. And that’s what cloud native application protection actually is. It’s talking about helping you
Arick (Tenable CS) (05:20.653)
basically secure your entire cloud infrastructure environment by collecting very rich, different types of information in a single place where you could do the contextual analysis in a smart way.
John Verry (05:20.884)
That was actually quite good. So let me boil it back even one layer of dumbness more. What is a cloud-based application?
Arick (Tenable CS) (05:48.877)
So that’s a great question. Basically, a cloud native application is an application that is deployed and written in the cloud and leverages the variety and richness of cloud infrastructure environments. Let me give you an example. Let’s say you’re building an application on-premise, right? And it’s using a database. That means that you have to build and deploy the database.
Arick (Tenable CS) (06:14.605)
What you have to do to deploy a database: you have to run a server, probably a physical one. On top of that server, you would run basically a virtualized server. And on that virtualized server, you would deploy database software from one of the vendors, whether it’s Microsoft or Oracle or what have you. And probably to that server, you would also have to attach
Arick (Tenable CS) (06:40.461)
some kind of a storage device that would actually store the data. So you would have database application, you would have the storage hardware, you would have the server hardware, and you would have your application that you’ve written that basically accesses the server and fetches information, what have you, does all that work. Now, if you take that application and you move that application to the cloud,
Arick (Tenable CS) (07:07.789)
you’re getting a lot of things from the cloud service provider. So if you think about first generation cloud, you would think about infrastructure as a service, where basically the cloud service provider would offer you, let’s say, a virtualized server, and they would basically manage the whole infrastructure side for you. So you would not have any idea about the physical server it’s running on. You would only see the virtual server, and you would basically pay for that virtual server.
As you go, you use it, you pay for it. It’s down, you don’t pay for it. That’s very convenient and allows you to scale up and down very cost-effectively. Now, if you’re going to the next generation of the cloud, which doesn’t talk only about infrastructure as a service, but actually talks about platform as a service, now the cloud service provider is not only offering you the server, but also the software on top of that server. If we’re talking about the database, for example,
they will tell you, hey, you don’t have to get a server from us and deploy your database software on that. We would do that for you. We would manage the database infrastructure. You would only have to manage the application layer of the database, the work DBAs usually do. But you don’t care about, like, you know, managing and paying for the database server provider and operating system and the database software at all. And you don’t care about the storage behind that. That’s all taken care of, right?
So now when you’re building your application, you can actually focus only on the application layer. Furthermore, on the compute side, there are also a lot of things that the cloud service providers offer you. So for example, if you’re using containers, right, they can manage your Kubernetes cluster. So you can really only focus on writing the application layer and everything around it is basically taken care of. So that means that building an application for the cloud is different from what it means building an application on premise. And that’s what cloud native application actually is.
John Verry (08:55.828)
Excellent. So CNAP is, you know, cloud native application protection. I think the last P is platform. Is that right? Okay. So, all right. So that simplifies what a CNAP is. So, you know, within CNAP, we, you know, or prior to CNAP, I guess, through a tool called
Arick (Tenable CS) (09:12.813)
Correct. Correct.
John Verry (09:23.028)
CSPM, Cloud Security Posture Management. Now it seems that most CNAPs incorporate CSPM. So what is CSPM and why is it so important?
Arick (Tenable CS) (09:34.893)
Absolutely. So maybe I’ll start from another point that you just mentioned, that basically CNAP today is standing on three core pillars, CSPM, CWPP and CIEM, right? You mentioned those in the beginning of our conversation, and I guess we will mention each and every one of those as we go through the conversation. And probably CSPM was the first part in cloud security, right?
Arick (Tenable CS) (10:04.045)
In this evolution of CNAP, we started with CSPM, we then added CWPP, we then added CIEM, then we created CNAP, and then CNAP started covering more and more areas that we would also probably touch on in this conversation. Now, CSPM was basically the, if you want to think of that, cloud generation, cloud generation one. If you think again about the model of an organization moving from on-premise to the cloud,
Arick (Tenable CS) (10:33.325)
we understand that the infrastructure is basically managed in many cases by the cloud service provider, which means that they are offering their customers a configurable platform. So if you want a server, give us the configuration of the server you want and for how much time you want it, and you’re going to get it. You want storage, give us the configuration of the storage, you’ll get the storage. You want a database, provide us with the configuration of the database you want, and we will provide that for you.
Arick (Tenable CS) (11:02.989)
Okay, that’s easy. Now, where does the security kick in? If the cloud service provider is taking care of all the infrastructure, the core element of the security becomes how good is this configuration that the customer is providing the service provider in order to define the infrastructure they want to have? Now, if I’m providing a good configuration, I’m going to get a secure infrastructure. If I’m providing a bad configuration, I probably won’t get as good of a cloud infrastructure to work on. It probably will have some problems. Great example, it might have data stores accessible directly from the internet, databases or storage services. We all heard about publicly accessible storage services, S3 buckets, right? When I’m asking AWS for a storage service, I can define through a configuration whether the storage can be accessible and by whom. If by mistake I claim to get a storage that is accessible by everyone, AWS will provide me a storage, just as I asked for it, that is accessible by everyone. And if I make the mistake of putting my or my customers’ sensitive data in the database or storage, everyone will be able to get that data from me, right? So the crux of security becomes how secure my configuration is.
And this is exactly what the CSPM tools were looking for. They gave customers visibility into what their cloud configuration looks like and what they have in the cloud. They were able to help customers enforce security policies and check for what are called misconfigurations, basically security problems in those configurations, and then alert customers on those misconfigurations so they have an opportunity to go and check those. Another core element of CSPM tools was also compliance checks.
Obviously, security is tightly coupled to compliance. Security does not mean compliance, and compliance does not necessarily mean security, but there is a strong alignment between the two. And many compliance standards have a variety of requirements that you can translate to good configurations of your cloud infrastructure. For example, one of those requirements would be that you will not have publicly accessible data storage.
Arick (Tenable CS) (13:26.061)
Another requirement would be, for example, that passwords of users should be periodically rotated. And all these elements are configurable within the cloud infrastructure environments and therefore could be validated by tools like CSPMs that look and search for security misconfigurations. So therefore, just to sum it up, what CSPM tools have given us is, A, visibility into our cloud infrastructure, B, the ability to enforce security policies, detect and resolve misconfigurations, and also translate all these misconfigurations into compliance reports, and basically a lot of compliance requirements.
John Verry (14:01.588)
So to oversimplify, I’m an organization that has established that I want to align my cloud infrastructure with something like the CIS benchmarks. I’m going to be able to go to my CSPM and say, hey, I’m going to point it at my cloud instances, or multiple cloud instances across multiple vendors. I’m going to say, hey, if anything is out of compliance with the CIS benchmarks, please let me know. And then let me ask the questions beyond that. So A, will the CSPM directly fix my challenge, right? Can it take action? And then B, can it also work more like a tripwire, in that somebody makes a configuration change and, let’s say using your example, an S3 bucket goes public, and we have a policy, our own policy, that says S3 buckets will never be public. Will the CSPM handle those two circumstances?
Arick (Tenable CS) (14:59.597)
Sure, absolutely. Now that really depends on the configuration of your CSPM and how advanced it is. Some offer just recommendations to some problems. Some offer automatic resolution possibilities. Some actually offer that three-part methodology. They detect a problem and then go and resolve that problem specifically automatically or raise an alert, right?
Arick (Tenable CS) (15:26.541)
And the more advanced CSPMs also integrate and we’ll touch upon that later with infrastructure as code capabilities and offer developers that are building those cloud native applications the ability to resolve those problems in code. Basically, it allows you to open a pull request on your code repository, which is the most advanced type of remediation that we have today in CSPM tools.
John Verry (15:26.836)
Okay. Well, I know we had originally talked about maybe talking about infrastructure as code protection later, but it sort of seems like a logical place for our conversation to touch on it now. So with so much of our cloud configuration these days, in more pipelined, if you will, applications, being infrastructure as code, realistically ensuring that we’ve got a secure cloud configuration ensures that our infrastructure as code doesn’t contain anything that will create a non-compliant, non-secure configuration. So…
I think what you’re saying is that infrastructure as code and CSPM are tightly interrelated if everything is happening through infrastructure as code.
Arick (Tenable CS) (16:33.133)
Yes, and even furthermore, so you can think about the infrastructure as code as the shift left of the CSPM. Now infrastructure as code, there are two main use cases. The first use case speaks about a developer building their cloud native application and writing and defining that cloud native application in code, and wanting to ensure that there are no problems in the code, to your point, before they actually push that code to production, right? So they want to avoid that public bucket being created, so they scan their code before it actually goes to production, which allows them to catch the problems early on and fix those problems in the development, build, deploy stage before it actually appears in the public cloud. That’s one use case.
The second use case is actually to look at the cloud infrastructure environments, and for every problem that you do identify there, to do two things. One is to identify that misconfigured resource and guide that resource in the cloud back to the piece of code that is basically used to define that resource. That’s one. And secondly, when you’re doing the remediation of the problem, do the remediation in code. Because if you would do the remediation in the cloud, but actually the code goes and redeploys the resource, it would be redeployed with all the problems, right? Because it is defined in the code. So you have to solve the problem at its core, at its source. And the source in this case is the source of the infrastructure as code. So the more advanced CSPM tools, what they’re doing, they’re not only having an IaC or infrastructure as code security component that allows you to scan your Terraform files or CloudFormation before they’re moving to production, but furthermore, they allow you to resolve the problems that they identify on the right-hand side, in runtime, in the production, in the code that was originally used to create those resources.
John Verry (18:29.172)
Yeah, which is ideal, right? Preventative versus detective versus corrective. If we can get to preventative, that’s certainly a superior option. So realistically, this just integrates into their workflows or into their pipeline. So on a pull from Git or something of that nature, the IaC component of the CNAP application is going to scan that code and recognize any potential issues, and will then, at that point, alert, I’m assuming, the developer to the issue so that it can be addressed prior to deployment. Okay, cool. All right, so another piece which is definitely super important is the CIEM component. So what is CIEM and why is it important?
Arick (Tenable CS) (19:08.333)
That’s true.
Arick (Tenable CS) (19:23.213)
So CIEM is basically something I’m super excited about, because this is a category that our team at Ermetic originally created together with Gartner many years back. And that talks about everything that has to do with identity security in the cloud. Now, we all know that in the cloud, identity is basically the new perimeter. This is correct for software as a service, obviously for any cloud application, but also true for cloud infrastructure. Basically, identities are the main control surface for anything you do in the cloud. Once you have a root user or a privileged user in your AWS or Azure environments, you can go and configure whatever you want in any way you want. Because it’s the main control plane, it’s also the biggest attack surface for threat actors, and all the threat actors are looking for privileged cloud users to take over cloud infrastructure environments. The thing is that it’s coupled with the fact that because of the richness of cloud infrastructure,
Sorry, excuse me. Identities in the cloud are also extremely complex. And because they’re complex, the chance of misconfigurations goes through the roof. It’s very difficult to make sure that a specific user, and when we talk about users, we can be talking about John and Arick, human administrators, but we can also talk about service accounts and application accounts. It’s very difficult to ensure that users operate according to what we call the principle of least privilege, that they have just the right permissions that they need in order to do their job. And it’s very easy to over-provision identities, give them more permissions than they require. And by working with thousands of customers over the years and scanning millions and millions of cloud identities and resources, we’ve seen statistics that between 10% to 15% of all the identities in the cloud tend to be admin.
Arick (Tenable CS) (21:29.772)
Over 25% to 35% are very privileged. They might not be admins, but they effectively have access to any data in the cloud or what have you. And that’s overwhelming. And in the cloud, we have way more identities because we have a lot of application identities that are created automatically. So we’re talking about hundreds of thousands of identities with privileged access. This is not a situation we’re used to from on-premise environments, where organizations over time, by leveraging tools like PAM and PIM, learned to control privileged identities. So that creates a huge, huge attack landscape. And we realized that early on, and we don’t believe that today you can have a comprehensive cloud infrastructure security solution or CNAP without a strong component of cloud infrastructure entitlement management, which is CIEM, that basically gives you visibility into, A, who all your privileged identities are, and B, what are the risks related to those privileged identities? Do they have excessive permissions? Are they not protected with MFA, et cetera, et cetera? And also tie the context of those identities to the broader picture.
So for example, we mentioned service accounts. So if you have an administrative service account and it is used by your deployment pipeline, right? Your infrastructure as code that creates new resources. That’s fine. But if it’s used by a server in your environment and that server has critical vulnerabilities on the workload protection side, that’s a big issue, because the fact that that server has a critical vulnerability puts the admin identity at risk, right? Because someone can actually basically break into that server, leverage that vulnerability, exploit that, compromise the server, take control over the server. The moment they do that, they take control over the privileged identity.
And that’s what we call in our lingo a toxic combination, right? That’s a combination between a privileged account and a vulnerable server. And these toxic combinations really present basically realistic attack scenarios against your infrastructure. And if you look at IAM, the identity management tools, or vulnerability management tools alone that focus on servers, they can’t actually connect the dots. And this is where CNAP basically kicks in, because it gives you this comprehensive context and allows you to connect those dots in a very intelligent way.
John Verry (23:39.924)
Again, oversimplifying for folks that are used to old school. Yeah, this is the idea of that. You know, we’ve got an app running on RHEL.
John Verry (24:08.756)
And we want to make sure that the security administrator on RHEL is not the DBA, is not the lead developer. So this separation of privilege, least privilege concept moved to the cloud, oversimplified. All right, so that brings us to the last major component that it seems that we talked about earlier, which is CWPP. I think to most people, it seems conceptually pretty similar to CSPM.
Arick (Tenable CS) (24:22.381)
Correct.
John Verry (24:38.26)
And I think part of the challenge is I think many people would struggle to define what a workload actually is, what the definition of a workload is. So I’ll ask you two questions. One, what is a workload? And then two, what exactly is CWPP?
Arick (Tenable CS) (24:54.509)
Sounds good. So basically a workload is anything that performs a computational action in the cloud or on-premise, right? So traditional workloads would be servers, physical servers, or virtual servers. And virtual machines are the most basic concept of workloads when we talk about cloud infrastructure. Now, when you think about how we traditionally secure servers, we deployed security agents, antiviruses, EPPs, EDRs. That’s the evolution of basically endpoint protection on-premise. When people started using the cloud, they basically tried to take the same tools or same concepts and adjust those concepts to the cloud. By the way, that’s what most security vendors have done. They tried to make sure that their agents, EPP, EDR, what have you, vulnerability management agents here at Tenable, would operate on cloud machines.
But then cloud workloads have evolved, right? And for example, we mentioned earlier the transition from infrastructure as a service, where you have access to the virtual machine, to platform as a service, where you don’t have access to the virtual machine. So if you don’t have access to the virtual machine, how do you do security? So maybe the traditional agent-based approach does not work that great anymore. And by the way, you have lambdas, serverless computes, right? Containerized environments that are serverless, function-based environments that are serverless. So obviously the way you do security for compute resources also had to adapt and evolve and adjust itself to what computes in the cloud look like.
So today, when we talk about cloud workload protection, the way we do it, we do that in a number of ways. Some of those ways are agent-based. Some of those ways are agentless. And it really depends on what type of a compute resource in the cloud you’re trying to protect. Is it a workload you have access to? What type of access do you have to that? Maybe you don’t have access to the actual workload, et cetera, et cetera.
Arick (Tenable CS) (27:09.709)
So there are a combination of tools that organizations are using today. And what we have built at Tenable is a very intelligent way to combine the best of tools in a way that fits the best of platforms you’re using in the cloud. So if you have a machine that is a stable, what we call in our cloud lingo a pet, right? It’s a server that’s constantly running. Let’s say it’s running your, you know, your Active Directory, right? It’s not something that’s going to be scaling up and down constantly. It’s a machine. Then this machine you probably want to deploy an agent on, because you want to give it the best protections, and obviously agents do give the best protection. They have intimate access to the system, and it’s easy to deploy because it’s a stable machine. But then you might have Kubernetes clusters that are scaling up and down, and there maybe you don’t want to deploy agents every time they’re scaling up and then delete those agents every time they’re scaling down. It creates other issues. So there, an agentless approach for security might be better. And I don’t want to go into the technical details, but you have to understand that workload security today is a little bit more complex because workloads themselves are more complex.
Now, what is workload security in a sense? So it’s a combination of capabilities. One is obviously vulnerability detection. So vulnerability management, you want to understand if you have any vulnerabilities on your machine. Malware detection, right? You want to be aware if someone drops malware on your machine. Threat detection in general, so suspicious behavior, suspicious communication in and out of your machine, suspicious processes running on your machine. These are the kind of most interesting features. If you look at that from a posture perspective, I would say that vulnerability management is very important, and from the detection and response perspective, suspicious behavior and malicious file detection is most important.
John Verry (29:03.028)
So is it fair to analogize it to endpoint protection in current environments where an endpoint protection has the capability of detecting vulnerabilities?
Arick (Tenable CS) (29:19.309)
Yes, yes and more. But in a sense, yes, workload protection is basically endpoint protection where the endpoint has evolved, and it's not only your historical physical or virtual server. There are a lot of different flavors to these endpoints, and therefore the tools have adjusted themselves in a meaningful way.
John Verry (29:38.036)
in a meaningful way. Excellent. So I think we have agreed that if you look at most of the CNAP products, those are the sort of the Holy Trinity, if you will, of the components that they all have. And then it seems that different products then will add additional capabilities onto those. Particularly in your case, you added the Kubernetes Security Posture Management.
So A, what is Kubernetes security posture management about? And then B, what other tools have you guys added into your CNAP product?
Arick (Tenable CS) (30:17.773)
Sure, great question. So there are a number of tools that we basically added. We talked about infrastructure as code security, which is basically taking the CSPM capabilities and shifting those left in an intelligent way. So we mentioned that. Kubernetes security, again, we talked about the different types of workloads that organizations are using today.
Kubernetes is basically becoming the de facto standard for container orchestration. By the way, there are other container orchestration platforms that are not necessarily built on Kubernetes. AWS has ECS, which is Elastic Container Service, which is another orchestrator, and some other vendors have other types. But Kubernetes is really becoming the de facto standard. It was initiated by Google many years back, but it's an open standard.
IBM adjusted that and created what they call OpenShift, which is their version. So it's a growing field. When we talk about Kubernetes security, you can think about Kubernetes as basically a separate cloud, a private cloud that also has its own configurations. You can run a Kubernetes cluster on your physical server in your on-prem data center, or you can run that in the cloud on a server that you got from a cloud service provider.
Or you can run it in the cloud where it's managed. So you don't actually have access to the server it's running on. So you can have that as on-premise, you can have that in an IaaS version, and you can have it in a PaaS version. So all three versions exist. And it's basically a cloud of its own. It has its own computes, it has its own networking configuration, it has its own identity service accounts, et cetera, et cetera. So everything we talked about, CNAP,
as applying to the large cloud service providers like AWS, Azure, GCP, Oracle, IBM, Alibaba, et cetera, applies to Kubernetes clusters. And you can build CNAP for Kubernetes. And the part of CSPM for Kubernetes that looks at the configuration, the orchestration configuration, networking configuration, that's what KSPM is. Basically, KSPM at large is a CNAP for configuration platforms. You can add to that a vulnerability management capability,
Arick (Tenable CS) (32:33.965)
agentless, agent-based, et cetera, et cetera. And now you have a CNAP platform for Kubernetes environments, and that's what KSPM is. Now, in addition to KSPM, which is very important, we see a growing trend to expand CNAP capabilities. What we have been doing lately here at Tenable Cloud Security is working on two core additional capabilities that will be coming out pretty soon. One is data security posture management,
which basically ties to the overall CNAP space by helping you also understand where you have sensitive data in your environment. So which of your data stores and databases have PII, PCI sensitive customer data? Because understanding that you have publicly exposed databases or storage services is interesting. But the most interesting question is which of those actually have any sensitive data? If, also, John or Arick has access to a database,
it might be okay or it might not be okay. The interesting question is whether we have access to sensitive data in the environment. And this is what DSPM stands for. And another module that we also have… Yeah, sure.
John Verry (33:37.876)
Real quick, real quick. Let's talk about DSPM, because that's an exciting field to me. So what it sounds like that does is it adds the ability, as an example, if one of the CSPM features I was taking advantage of was Payment Card Industry Data Security Standard compliance, you know.
How do I know where to apply that in my environment? And how do I know if PCI is leaking into a part of my environment where I don't have that applied? So that's where the DSPM comes in, is it allows me to dynamically see that and then alert myself to that and be able to make those changes, whether it's shut down that resource or whether I apply those additional policies to that resource.
Arick (Tenable CS) (34:22.861)
Absolutely, that's absolutely correct. Basically, it allows you to bring the data sensitivity context to anything you're doing in CNAP, vulnerabilities, access, misconfigurations, right? You can look at that from a data security lens.
John Verry (34:31.508)
Got you.
John Verry (34:44.244)
How will this overlay with privacy? So, you know, cause now the next thing of course is, is that under, you know, I, we have one client that's got to be 59 or 62 different privacy regulations that we deal with with them. How does this interact with privacy? Will we, will this support, you know, servicing a data subject access request?
Arick (Tenable CS) (35:07.309)
Absolutely. If you think of that, the reason we're investing a lot in DSPM is because it ties well to the fact that we are the leaders and key in the access, identity and access management in the cloud. So for example, today our CNAP platform also has a just-in-time access manager, which basically allows people to request and be granted, either automatically or through an approval process,
access to specific cloud resources. Now we can tie that also to the sensitivity of the data they're asking access for, right? Look at these requests from the perspective of data security or privacy. And then we can say, okay, John can ask, for example, to be granted access to sensitive databases or private databases, but only for one hour, as opposed to general databases where he can get admin privileges automatically for eight hours.
Maybe in those cases, we can ask for a second tier or third tier of approval when we're talking about access permissions to sensitive or private data. So again, this combination of anything that has to do with access rights and permissions and data security has a very, very natural alignment. And that's why we are investing a lot in DSPM, because we believe that our unique CIEM capabilities can help customers address very, very
unique and interesting use cases that otherwise it would be very difficult for them to solve.
John Verry (36:35.668)
What do you call that extension that gives you sort of that lapse capability for the cloud? Is that covered by the DSPM or is that covered by a different part of the CNAP stack? Okay, Just-In-Time Access. Okay. Yes. Excellent. We beat this up pretty good. Did we miss anything?
Arick (Tenable CS) (36:51.565)
It's covered today by our CNAP solution, we call it Just-In-Time Access or JIT. Yes.
Arick (Tenable CS) (37:04.909)
So maybe just one more concept. So a lot of the CNAP capabilities we talked about are preventive capabilities. They basically help you prevent your environment from being breached by identifying toxic combinations, vulnerabilities, and helping you resolve those either in runtime or even take that left towards the developer. But we always have to assume breach, right? So what about the detection and response part? How do we monitor the environment? And if…
Arick (Tenable CS) (37:32.685)
God forbid, it is compromised, how are you able to detect that and alert on that and hopefully respond to that in a very short period of time? So that kind of all falls into the, you know, into a nascent area in cloud security that is up and coming, that is called cloud detection response. It focuses on basically taking all these preventive capabilities and moving them into detection response. And another capability that we're working on,
which is also very exciting and in my view, it kind of deserves a session of its own, is cloud detection response. And we've been investing in that for some time. We already have very strong anomaly detection capabilities within our product today and malware detection capabilities, which also fall into the cloud detection response. And we're adding more and more capabilities in that area over time with the goal overall to
have a full mirror between our preventive capabilities and our detection response capabilities. So our customers that will be working with Tenable Cloud Security can get the ultimate umbrella and protection for their cloud infrastructure environments, both helping them prevent breaches, but also helping them detect those breaches and remediate the breaches in no time.
John Verry (38:53.94)
Yeah, I would like to, you know, let's chat about that. I would like to have you on and talk about CDR, because that's another area that I think is confusing to people, and understanding how much the tools are doing themselves versus how much this has to be integrated into your, into a SIEM or a SOC. You know, it's funny. There's this, I guess, natural awareness lifecycle that happens like, wow, this is great. We moved all this crap to the cloud and then, OK, what about this? Wait, I'll just forget the tool.
And it just seems like this natural evolution of like all of the tools and techniques and capabilities that we had non-cloud, right? Are all effectively being ported over to the cloud. And it seems to me CDR is like one of the last components, which is troublesome, right? Because if you look at, I don't think most people fully understand the shared responsibility matrix, right? You know, from an infrastructure platform, even software as a service, it's like, well, then.
Arick (Tenable CS) (39:48.141)
That’s true.
John Verry (39:51.764)
We moved to the cloud, it's secure. No, no, no, you still own a third roughly of the security requirements, right? You still own the data, you still own access control. You need to make sure you get this stuff configured right. And if you look, I mean, statistically, the number of breaches that occur either through a third party vendor associated with the cloud or through their implementation of the cloud themselves, it's a pretty high percentage at this point. Even if it was a social engineering attack on the front side, right? I mean, if you look at the Microsoft attacks, right? What happened, right? Wasn't it that they, somebody's identity?
Privileged identity was stolen for Git or one of the systems, and it gave them unfettered access for an extended period of time. So I think that's really cool. Just one quick question for you, because I'm just curious about it. On the CDR side, is that actually a SIEM unto itself, or is the idea that this is going to actually feed to your SIEM, SOC, whatever you've got in place at this point in time?
Arick (Tenable CS) (40:48.237)
So first of all, I think it's a terrific question. And I think the jury is still out on how it will ultimately form out. I think the good analogy would be your EDRs that people have been operating for a few years now. I think all the alerts ultimately go to some SIEM product that you have, a security operations center that monitors that.
Arick (Tenable CS) (41:12.973)
But then once you have an alert in a specific area in your environment, so for example, if it's an endpoint, you would not investigate that with the SIEM, right? You would go to your EDR tool that has deeper visibility. Same would go for cloud, right? You would have the alert on your SIEM, but then you would say, okay, it's in my cloud servers, it's my cloud environments. Let me call my cloud experts, and they would open the CDR tool, and that's where they would do the investigation, just because it has deeper access
to the cloud environment. It also gives them, in the same place, not only the history of the attack, but also the configuration of the various resources. So they can say, okay, this resource was compromised because it's misconfigured in a specific way, and this is the alert, right? So you can actually tie all the dots together, which you can't do in the SIEM.
John Verry (42:00.98)
Right? Yeah, it's going to be interesting, because now the evolution beyond that is the evolution of data forensics and incident response to the cloud, you know, even more so, right? Because I, you know, I think most of the people that have been in that space have been in that space for a long time, and adapting to these new realities is going to be a fun thing to see. If folks wanted to get in touch with you or get in touch with Tenable to talk about CNAP, what would be the best way to do that?
Arick (Tenable CS) (42:30.701)
So first of all, you know, my LinkedIn account is open to everyone, Arick Goomanovsky. Feel free to reach out on my email, agoomanovsky at tenable.com, or just ping us on our website and we'll be back with you immediately.
John Verry (42:30.804)
Arick, this has been fun, man. Thank you.
Arick (Tenable CS) (42:49.741)
Absolutely, John. Thank you so much.