Shifting from CWPP to CNAPP: new standards for cloud security

Learn where CNAPP and CWPP overlap, where they differ, and how the market is shifting to the more comprehensive and integrated CNAPP.

4 minutes read

Two platforms have emerged as key players in the cloud security market: the Cloud Workload Protection Platform (CWPP) and the Cloud-Native Application Protection Platform (CNAPP). Both provide features designed to enhance cloud security, but they differ significantly in their scope, capabilities, and approach. 

CWPP solutions have been on the market longer than CNAPP solutions. CWPPs were largely involved in bringing organizations with a legacy, on-premise mindset into the realm of cloud security, introducing things like agent-based scanning and looking at resource detections in isolation. However, as cloud security continues to evolve, the CWPP market is shifting to the more comprehensive and integrated CNAPP. Let's take a closer look at each platform and explore their differences.

Understanding the CWPP

 A CWPP is a security solution that focuses on protecting workloads in cloud environments, including virtual machines, containers, and serverless workloads. It offers features like continuous monitoring, threat detection, workload protection, and automated reponsess. CWPPs are typically used for vulnerability management, detection, and monitoring of cloud resources.  

Key features of a CWPP include: 

  • Continuous Monitoring. CWPPs constantly scan and monitor cloud resources to find vulnerabilities and security gaps. 

  • Threat Detection. They offer threat detection capabilities, identifying potential cyber threats and alerting administrators. 

  • Workload Protection. CWPPs provide protection for various workload types, including virtual machines (VMs), containers, and serverless workloads. 

  • Automation. They can automate response actions such as blocking malicious or suspicious files, processes, etc.  

As mentioned above, CWPP solutions were the early standard for moving organizations from on-prem into the cloud. However, as cloud security has progressed, some challenges around using CWPP solutions have surfaced: 

  • Lack of visibility. Traditional CWPP solutions may not provide complete visibility into cloud workloads and infrastructure. 

  • Agent-based limitations. Agent-based solutions require software to be installed on each protected system. This can be resource-intensive, potentially affecting system performance, and may not work well with certain types of workloads 

  • Limited coverage for new technologies. As cloud environments evolve and innovative technologies like Serverless AWS Fargate are introduced, traditional CWPPs may struggle to provide adequate security coverage. They may not be designed to handle the unique security challenges these new technologies present. 

  • Complex configuration and management. Traditional CWPPs often involve complex setup and ongoing management, which can increase the chance of configuration errors. 

  • Insufficient threat detection and response. Traditional CWPPs may take a reactive approach to threat detection and response, dealing with threats as they arise rather than proactively preventing them. 

  • Built for SecOps users. Traditional CWPPs are often designed with security operations (SecOps) teams in mind. This can be a challenge for organizations that don't have dedicated SecOps teams. 

Understanding the CNAPP 

 A CNAPP is a comprehensive security solution designed for any single or multi-cloud environment. Agentless capabilities ensure complete visibility and unmatched time to value. CNAPP’s cover a wide range of critical use cases, including everything offered by CWPP.  

Key features of a CNAPP include: 

  • Runtime Workload Protection. Like CWPPs, CNAPPs provide robust workload protection features like runtime detection and automated response actions across VMs, containers, AWS Fargate, etc. Additionally, runtime sensors improve prioritization of risk issues and threat detection issues and capture all runtime execution data to improve investigation time. 

  • Detection and response across layers. CNAPPs correlate across runtime and cloud events to identify sophisticated cloud native threats and the potential blast radius. They provide forensic collection and comprehensive response capabilities.  

  • Agentless Infrastructure Entitlement. CNAPPs enable identity and access management of cloud resources, offering visibility over entitlements and continuous access monitoring. 

  • Agentless Misconfiguration Detection. They continuously scan cloud resources, identifying and resolving vulnerabilities and misconfigurations. 

  • Accurate prioritization of issues. CNAPPs combine findings from across the environment and identify attack paths. 

  • IaC Scanning. CNAPPs scan Infrastructure as Code (IaC) files, identifying bad configurations that can lead to vulnerabilities. 

  • VCS integration. Integration with VCS to scan code at rest, looking for misconfigurations, exposed secrets, and sensitive data in your repos. 

  • One-click remediation from cloud to code. 

  • Unified policies from deployment all the way through production. 

  • Visibility and Compliance with industry standards and regulatory mandates. 

CWPP vs. CNAPP: key differences 

While CWPPs focus on protecting workloads, CNAPPs offer a more comprehensive approach, securing the entire cloud environment, including infrastructure, applications, workloads, identities, code, and APIs. CNAPP’s cover the CWPP use case but extend much further by combining secure cloud development, posture management, and cloud detection and response.

In terms of threat coverage, CWPPs mainly address threats from misconfigurations and missing updates and are focused on malware detection and malicious processes. While a CWPP, when combined with a CSPM, does identify misconfigurations — agentless CNAPP solutions offer built-in misconfiguration identification.  

CNAPP solutions detect sophisticated cloud native attacks across layers. They provide blast radius visualization, native forensic capabilities, and response actions at the cloud and workload level. Furthermore, CNAPPs simplify cloud-native security by unifying it into a single solution, reducing operational complexity and costs. CNAPPs also cover unauthorized access and API and container vulnerabilities. CNAPPs are built for use across teams, including SecOps, DevOps, SOC, Vulnerability Managment, and GRC, which can help to build a culture of shared security within organizations. This contrasts with the traditional siloed approach of using multiple cloud security tools, as seen with CWPPs. 

Moving from CWPP to CNAPP 

As organizations increasingly adopt cloud native applications and manage complex cloud environments, the need for a more comprehensive and integrated security solution like CNAPP is growing.  

Choosing between a CWPP and a CNAPP depends on your organization's maturity in cloud adoption, security needs, and plans for the future. Currently, industry trends suggest a shift towards CNAPPs, as they provide an integrated solution that reduces operational complexity and costs. Businesses planning significant growth in cloud usage or adoption of cloud native applications may want to consider a CNAPP for its scalability and comprehensive coverage. (The trend towards CNAPPs also indicates a growing recognition across the market of their comprehensive approach to cloud security.)

CWPP was an early approach to cloud security, and in its early days, it kept up with the evolution of cloud environments. But as security teams and organizations expanded their cloud environments and their investment in maturing cloud security, the requirements of a cloud security platform changed. This is when CNAPP took hold. Security in the cloud today requires visibility and context to make any misconfiguration or detection actionable. CNAPPs are the future-proof choice to cover current and future cloud security use cases. 

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management