Understanding the differences between Cloud Native Application Protection Platforms and Attack Surface Management


What is the difference between cloud security solutions, and platforms that protect all of my cyber assets and broader attack surface?

We regularly field questions about how the JupiterOne platform compares with cloud security tools like Wiz, Orca Security, and Lacework. This makes sense given the overlap of functionality in the cybersecurity market. We recently wrote about the differences between attack surface management and vulnerability management, as well as how the growing category of Data Security Posture Management (DSPM) fits into the broader cybersecurity ecosystem. Today, we’ll take a look at what we believe are two complementary solutions: Cloud Native Application Protection Platforms (CNAPP) and Attack Surface Management (ASM).

We realize that no one calls an analyst and says “I need a CNAPP or CAASM solution.” Security leaders and practitioners are looking for answers to solve specific business and security challenges. 

Those conversations likely sound more like:  

  • “I don’t know what I have in my cloud.”
  • “My CMDB was supposed to have all of my asset information, but that isn’t the case.”
  • “I don’t know who owns these assets.”
  • “I don’t know where my vulnerabilities are.”
  • “I don’t know what to prioritize.”

Let’s talk about how these different categories of technology address those challenges.

CNAPP vs ASM at a high level

Cloud Native Application Protection Platforms (CNAPP) and Attack Surface Management (ASM) are focused on solving fundamentally different challenges for enterprise security teams.

  1. CNAPP is an in-depth look at all of the things in your public cloud infrastructure, including the applications running there. CNAPP solutions look for security issues in your cloud infrastructure, generally focused on the main cloud service providers (CSPs) including AWS, GCP, and Microsoft Azure.
  2. Attack Surface Management (ASM), on the other hand, is a holistic view of your entire cyber asset ecosystem, not limited to applications and infrastructure running in the cloud. ASM solutions should ingest data from every tool in your technology stack, giving you a wider breadth of knowledge and insights into your entire attack perimeter.

CNAPP and cloud workload protection - deep cloud security protection for your cloud infrastructure and apps

According to Gartner, Inc., “CNAPPs address the full life cycle protection requirements of cloud-native applications from development to production. Security and risk management leaders responsible for cloud security strategies should use this research to analyze and evaluate emerging CNAPP offerings.”

CNAPP detailed view
©Gartner, Inc., 2023 Market Guide for Cloud-Native Application Protection Platforms, March 2023

CNAPP tools are focused on solving many of the challenges related to building applications using the cloud. They run in-depth checks on cloud configurations and actively scan for vulnerabilities or misconfigurations. This can also be referred to as Cloud Security Posture Management (CSPM), although that is a broad term that can be addressed in a number of different ways (defining cloud security posture requirements is an entire topic on its own; look for more on this later). CNAPP solutions also parse containers and cloud workloads to see what’s actively running on your cloud infrastructure, which can also be referred to as Cloud Workload Protection Platform (CWPP). Some CNAPP tools even have add-ons for code scanning, including checking Infrastructure-as-Code deployments, and CLI tools to look for risks introduced as early as the pull request stage. This level of understanding of application and infrastructure security risks is invaluable to security teams, and a top priority for CISOs.

Based on all of that, it doesn’t sound like you’d need much else to do cloud security well. However, these things can all be true at the same time:

  • Cloud infrastructure is a major attack vector
  • Securing public cloud infrastructure is a main priority for security teams
  • There are many digital and cyber assets that exist outside of your CSPs
  • Those assets also create risk and need to be identified, understood, and secured

Attack Surface Management is the holistic view of your entire asset ecosystem

Attack surface management is focused on aggregating and understanding data across your entire digital footprint. While cloud infrastructure is a key attack vector, it only represents a portion of a modern organization’s total attack surface. Here we have to explore cyber assets, as they are the building blocks that make up your attack surface.

Attack surface expansion leads to exposures
©Gartner, Inc., 2023 Emerging Cybersecurity Market Trends and Growth Opportunities, June 2023

Cyber assets make up your attack surface

As the definition of a cyber asset evolves, so does your attack perimeter. It’s not like it used to be. Not too long ago, IT and security teams only had to worry about the things that they could physically hold in their hands and put a barcode sticker on, such as printers, keyboards, or monitors. Assets then evolved to include devices and resources in your datacenters. Now, with the addition of the cloud, teams are responsible for securing anything that can be software-defined or ephemeral. This includes things like findings, policies, users, and configurations. Everything that makes the cloud so effective has also opened up new risks and entry points for attackers.

We also need to understand how these software-defined assets impact one another. The relationships between assets are just as important to security as the assets themselves. The insights and business context we get from connecting the dots between assets become the foundation for true attack surface management. The category of Cyber Asset Attack Surface Management (CAASM) was created recently to highlight this specific, structural look at an organization through an asset-centric lens.

How do CNAPP and ASM solutions complement each other?

Once we’ve separated out the functionality, we see that cloud security tools are an integral source of data that provides necessary details about the cloud attack surface of an organization. These tools scan and find critical misconfigurations and vulnerabilities in your cloud infrastructure and applications. Other security tools such as identity and access management (IAM), endpoint detection and response (EDR), and vulnerability management (VM) also collect important information about your overall risks and security posture, with a focus on different classes of data.

Attack surface management solutions become the central point of data aggregation and visibility for any security program. These platforms bring together data from all of the disparate systems in your technology stack and allow security teams to analyze the data, discover important insights that you can’t get without a unified view, and prioritize work based on business context and risk. 

Sources of infrastructure and security data that can be combined by ASM solutions include:

  • Cloud infrastructure
  • On-premises infrastructure
  • SaaS applications
  • Identity and access
  • Business tools/CRM
  • Vulnerabilities
  • Events
  • Endpoints
  • External attack surface
  • Devices
  • Code
  • IT services
  • Network
  • Training

So which solution do I need? 

Modern enterprise security needs change depending on where the organization is in its security journey and maturity. The majority of companies today know they need a cloud security solution and are working to implement one. Some leverage the native tools in AWS like Amazon Inspector or GuardDuty. This kind of analysis becomes more difficult in multi-cloud environments, where we see tools like Wiz and Orca Security being deployed. As teams start to dig into the data, they start to realize that other risks still persist outside of their cloud environments, and they have no way to find, view, or correlate everything across their technology stack.

Cloud Native Application Protection Platforms like Wiz (more coming soon) and Orca Security work alongside JupiterOne, helping our customers secure their hybrid, multi-cloud, and sprawling asset environments. Using these solutions in tandem, SecOps teams can combine in-depth cloud security data with all of the other asset information in their environments for a holistic view of risk, one with even more context and insights than using either solution in isolation. Request a demo today to see how you can bring these insights to bear in your security program.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Kevin Miller

Kevin is Director of Product Marketing at JupiterOne, where you can usually find him researching competitors, digging into strategy, or collaborating with the product team on upcoming enhancements. With experience in FinTech, AppSec, and Cybersecurity, Kevin has a knack for simplifying technical concepts and communicating them effectively to the market.
