How prevention-first strategies and zero trust can enhance cloud security
For better cloud security, organizations must adopt a proactive, prevention-first approach. Image: Getty Images/iStockphoto
- While cloud native application protection platforms (CNAPPs) help manage risks, they focus on alerting and remediation rather than preventing attacks, leaving cloud environments vulnerable to evolving threats.
- To secure cloud environments, organizations must adopt a proactive, prevention-first approach, including real-time, artificial intelligence (AI) powered tools and a zero-trust security model, to minimize risks before they materialize.
- CNAPPs must be paired with preventative solutions like web application firewalls (WAFs) and virtual security gateways to reduce risk severity and effectively prioritize critical threats.
In today’s cloud-driven world, cyber security is a fundamental strategic consideration.
CNAPPs have consequently gained popularity as a means of securing critical cloud environments. These security solutions are designed to protect cloud-native applications throughout their lifecycle, from development to deployment.
Although CNAPPs help identify and manage risks, they primarily focus on alerting users and suggesting remediation rather than preventing attacks. As organizations rapidly adopt cloud technologies, the evolving threat landscape exposes the limitations of CNAPPs, making their security promises incomplete.
To achieve robust cloud security, a shift towards a prevention-first, real-time security approach, including zero trust models, is essential.
Rising risks to cloud security
Globally, cloud security incidents increased 154% from 2023 to 2024. Yet, our research shows that only 4% of organizations have the capability to quickly and effectively remediate risks.
As business operations increasingly rely on global cloud networks, subject to strict compliance standards, the liability of patchwork security in the cloud skyrockets. Establishing a prevention-first cyber security posture should be a key strategic objective for every organization.
Unfortunately, cybersecurity is often viewed as something that slows down innovation. The reality is that cybersecurity is a business enabler, as strong cybersecurity enables organizations to focus on innovation and speed. CNAPPs in isolation can’t achieve this. Organizations should focus on making networks secure by design to achieve this kind of cybersecurity posture.
Reaction instead of prevention
Cloud environments are becoming more complex; with this complexity comes an ever-growing list of risks. These include misconfigurations, open-source vulnerabilities and sophisticated malware. CNAPP solutions tackle this by alerting users to potential threats and suggesting remediation steps. While alerts and suggestions may be helpful, they don’t address the core need: prevention.
One of the main features of CNAPPs is their ability to reduce alert fatigue by prioritizing critical risks. They achieve this by correlating different indicators, such as vulnerabilities and configurations, to identify the most pressing concerns. But this is where the problem lies – CNAPPs focus on alerting and managing risks, not preventing attacks from happening in the first place.
This paradox becomes clear when you consider that even though CNAPPs can pinpoint vulnerabilities, they do nothing to stop those vulnerabilities from being exploited. That is because the current model of CNAPPs is built around response and remediation, not proactive defence. In short, CNAPPs help you react to risks but don’t prevent them from materializing.
The remediation delay
Even when CNAPPs identify the most critical risks, the speed of remediation often remains a challenge. Many organizations struggle with the time it takes to address vulnerabilities, leaving a window of opportunity for attackers to exploit. The Cloud Security Alliance shows that, on average, it takes two days to address even the most critical vulnerability.
This delay is a key weakness in cloud security today. CNAPP solutions also fall short with zero-day vulnerabilities. Threat Analysis Group shows 97 zero-day vulnerabilities were exploited in 2023, a big increase over the 62 zero-day vulnerabilities identified in 2022. CNAPPs alone are unable to keep up.
Furthermore, as the number of risks grows, the percentage of vulnerabilities that are actually remediated decreases. CNAPPs can provide a false sense of security as the sheer volume of unaddressed risks continues to grow.
While CNAPPs provide valuable insights into cloud security, they can not stand alone as a complete solution.
”Embracing real-time prevention and zero trust
Organizations need to adopt a proactive approach to overcome the limitations of CNAPPs. Real-time prevention and the implementation of a zero-trust security model are essential to achieving comprehensive cloud protection. Understanding the key components of a comprehensive cloud security posture is the first step.
Real-time, AI-powered prevention on the network and the workload
Cloud environments need advanced, AI-powered WAF solutions to analyze patterns and behaviours to prevent zero-day attacks in cloud apps. This AI-powered detection is far more effective than outdated, signature-based WAF. Research shows that organizations with effective and extensive AI and automation deployments contained breaches almost 100 days faster on average than other organizations.
This kind of strategic AI also enables contextual decision-making, another crucial component of real-time prevention. Security solutions should be capable of making decisions based on the whole workload environment, including executed code and open-source components. This can reduce remediation time from hours to minutes or seconds.
Adaptive zero-trust security
Each organization should have a unified zero trust policy that applies across all cloud environments, whether they’re public, private or in an open-source system such as Kubernetes. A single pane of glass with unified policies and logs is essential for consistency and eliminating unnecessary blind spots.
Those policies should be adaptive based on identities, such as job title and function, limiting risk throughout the organization. In the same way, zero trust contains lateral movement within the network, ensuring that even if one part of the environment is compromised, the threat remains contained.
Enhanced CNAPP with preventative context
While CNAPPs are valuable, they must be paired with preventative tools like WAFs, virtual security gateways, and agent-based protection to be fully effective. Integrating these tools helps reduce risks and minimize alert fatigue by focusing on the most critical threats.
By correlating indicators such as code vulnerabilities and configuration issues, CNAPPs can detect the most severe risks. Security should span from code to cloud, beginning with comprehensive scanning in development (CI/CD pipelines, repositories, and production) to catch vulnerabilities early. This holistic approach ensures more accurate risk assessments and helps security teams prioritize meaningful alerts.
The imperative shift to prevention
While CNAPPs provide valuable insights into cloud security, they can not stand alone as a complete solution. The ever-growing threat landscape requires a shift toward real-time prevention and implementing a zero-trust model.
By adopting these proactive strategies, organizations can finally move beyond the illusion of security that CNAPPs create and achieve true protection against the evolving threats of today’s cloud environments.
Don't miss any update on this topic
Create a free account and access your personalized content collection with our latest publications and analyses.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.
The Agenda Weekly
A weekly update of the most important issues driving the global agenda
You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.