Whether companies are repatriating their cloud workloads back on-premises or to colocated servers, they still need to protect them, and the market for that protection is suddenly undergoing some major changes.

Until the past year or so, cloud-native application protection platforms, or CNAPPs for short, were all the rage. These covered four distinct security product lines to protect access controls: a Cloud Infrastructure Entitlements Manager that manages overall access controls and risk management tasks; a Cloud Workload Protection Platform that secures code across all kinds of cloud-based repositories and provides runtime protection across the entire development environment and code pipelines; a Cloud Access Security Broker or CASB, which handles authentication and encryption tasks; and a Cloud Security Posture Manager that combines threat intelligence and remediation.

These distinctions are now blurring as vendors acquire new product lines. Back in 2021, Bitglass Inc. became part of Forcepoint LLC, CipherCloud Inc. joined Lookout Inc. and Masergy Communications Inc. was acquired by Comcast Corp. Palo Alto Networks Inc. is a good case in point: Its Prisma Cloud solution includes technology acquired from RedLock Inc. (cloud threat defense), Twistlock (container security) and Bridgecrew (developer-oriented cloud security).

Authentication isn’t as simple as just maintaining a single sign-on system, requiring integration to protect all kinds of clouds, across all vendors and across all on-premises equipment under a single umbrella. The nature of cloud computing itself is changing as differences among software as a service, platform as a service and infrastructure as a service have blurred together, making it harder to figure out the best protective scheme.

In Cisco Systems Inc.’s latest Hybrid Cloud report, nearly 60% of those surveyed said they are moving workloads between on- and off-premises every week. Some of these apps are running on open-source code repositories and some use in-house code. That is a lot of different use cases to protect.

Plus, clouds have gotten more complicated. Enterprises use products from multiple platforms, not just the big three of Amazon Web Services, Azure and Google Cloud but loads of other vendors. They mix together private, public and hybrid cloud approaches, such using virtual machine hypervisors, Kubernetes containers and clusters, and microservices all jumbled together.

VMware, in its latest State of Observability report, found that 57% of the respondents claimed up to 50 different technologies are used in a typical cloud app. That is a lot of moving parts. Wasn’t the cloud supposed to simplify things? Sadly, that hasn’t happened. But enterprises have certainly embraced its agility, and they use all of those approaches to construct and scale up their apps quickly.

An analysis last week of the major security platform providers by analyst Zeus Kerravala shows these trends and picks some of the leaders and potential ones to watch. Information technology and security managers want more accurate threat detection, no matter where threats enter their computing infrastructure.

The bad guys are also using legitimate cloud apps as a channel for their malware delivery. According to a recent report from Netskope, more than half of the malware they observed came from Microsoft Corp.’s OneDrive and Sharepoint and AWS’ S3 sources.

Many of the CNAPP components have come of age through one of two different pathways: from using DevSecOps principles to protect the source code of an enterprise’s application portfolio or from traditional network perimeter-type IT security practices. That means enterprises will have a harder time figuring out exactly what they do and how all the various pieces fit together.

Speaking of perimeters, that notion has yet to die out among security professionals. In interviews earlier this month at KubeCon, SiliconANGLE’s video studio theCUBE found support for running all sorts of applications at the edge of the cloud, as hard at that might be to conceptualize. What this means is that it’s important to get apps closer to where the users are, rather than relying on the internet to transport their bits there from across the planet. That is a great concept, until you have to secure everything properly.

Gartner, which ran its last “Magic Quadrant” for CASB products in the fall of 2020, now has relabeled this collection the security service edge market in its latest analysis. It claims CASB wasn’t relevant, especially since half of its clients were actually using this tool. Forrester calls things cloud security gateways. Others have brought back to life the term zero-trust network access, which was invented back in 2010 by then-Forrester analyst John Kindervag. It is nice to see these “legacy” concepts so enduring.

All this could really be just packaging. No matter the term used, what is at stake here is four important items. First, what software is tracking what’s being logged to which app across an organization’s computing infrastructure? You can’t protect what you can’t see is happening.

Second, how do you control where that data is going, and prevent it from finding its way into the wrong hands? This could be as simple — and sadly still popular among the bad guys — as gaining access to some cloud storage bucket and downloading it to the dark web. GitHub, for example, earlier this year extended its free security secrets scanning alert service for all public code repositories to try to catch these problems before an attacker can gain control.

Third, speaking of unprotected buckets, how does the proposed cloud security solution reduce misconfiguration errors? Given the pace of change with cloud computing solutions, it should use effective automation to flag and then correct the problem without a lot of manual intervention.

Fourth, how do you improve security of the applications development pipeline, commonly called “shifting left”? The ideal cloud security should be part and parcel of an organization’s DevOps frameworks, especially as more infrastructure-as-code is constructed. These tools allow an organization to see what’s going on inside each of the apps as they’re running.

Whether it’s building new cloud apps or moving them back into a data center, security needs — however packaged and classified by Gartner and others — will only get more complex as various protections are integrated into the applications and DevOps frameworks. But securing cloud assets will require a multipronged approach and careful analysis of the organization’s cloud infrastructure and data collections.

Yes, different tools and tactics will be required. But the lessons learned from on-premises security resources will point the way toward what to do in the cloud.

Image: Williams Creativity/Pixabay