Cybersecurity

How prevention-first strategies and zero trust can enhance cloud security

Technology concept, 3D render: For better cloud security, organizations must adopt a proactive, prevention-first approach.

For better cloud security, organizations must adopt a proactive, prevention-first approach. Image: Getty Images/iStockphoto

Itai Greenberg
Chief Strategy Officer, Check Point Software Technologies
This article is part of: Centre for Cybersecurity
  • While cloud native application protection platforms (CNAPPs) help manage risks, they focus on alerting and remediation rather than preventing attacks, leaving cloud environments vulnerable to evolving threats.
  • To secure cloud environments, organizations must adopt a proactive, prevention-first approach, including real-time, artificial intelligence (AI) powered tools and a zero-trust security model, to minimize risks before they materialize.
  • CNAPPs must be paired with preventative solutions like web application firewalls (WAFs) and virtual security gateways to reduce risk severity and effectively prioritize critical threats.

In today’s cloud-driven world, cyber security is a fundamental strategic consideration.

CNAPPs have consequently gained popularity as a means of securing critical cloud environments. These security solutions are designed to protect cloud-native applications throughout their lifecycle, from development to deployment.

Although CNAPPs help identify and manage risks, they primarily focus on alerting users and suggesting remediation rather than preventing attacks. As organizations rapidly adopt cloud technologies, the evolving threat landscape exposes the limitations of CNAPPs, making their security promises incomplete.

To achieve robust cloud security, a shift towards a prevention-first, real-time security approach, including zero trust models, is essential.

Have you read?

Rising risks to cloud security

Globally, cloud security incidents increased 154% from 2023 to 2024. Yet, our research shows that only 4% of organizations have the capability to quickly and effectively remediate risks.

As business operations increasingly rely on global cloud networks, subject to strict compliance standards, the liability of patchwork security in the cloud skyrockets. Establishing a prevention-first cyber security posture should be a key strategic objective for every organization.

Unfortunately, cybersecurity is often viewed as something that slows down innovation. The reality is that cybersecurity is a business enabler, as strong cybersecurity enables organizations to focus on innovation and speed. CNAPPs in isolation can’t achieve this. Organizations should focus on making networks secure by design to achieve this kind of cybersecurity posture.

Reaction instead of prevention

Cloud environments are becoming more complex; with this complexity comes an ever-growing list of risks. These include misconfigurations, open-source vulnerabilities and sophisticated malware. CNAPP solutions tackle this by alerting users to potential threats and suggesting remediation steps. While alerts and suggestions may be helpful, they don’t address the core need: prevention.

One of the main features of CNAPPs is their ability to reduce alert fatigue by prioritizing critical risks. They achieve this by correlating different indicators, such as vulnerabilities and configurations, to identify the most pressing concerns. But this is where the problem lies – CNAPPs focus on alerting and managing risks, not preventing attacks from happening in the first place.

This paradox becomes clear when you consider that even though CNAPPs can pinpoint vulnerabilities, they do nothing to stop those vulnerabilities from being exploited. That is because the current model of CNAPPs is built around response and remediation, not proactive defence. In short, CNAPPs help you react to risks but don’t prevent them from materializing.

The remediation delay

Even when CNAPPs identify the most critical risks, the speed of remediation often remains a challenge. Many organizations struggle with the time it takes to address vulnerabilities, leaving a window of opportunity for attackers to exploit. The Cloud Security Alliance shows that, on average, it takes two days to address even the most critical vulnerability.

This delay is a key weakness in cloud security today. CNAPP solutions also fall short with zero-day vulnerabilities. Threat Analysis Group shows 97 zero-day vulnerabilities were exploited in 2023, a big increase over the 62 zero-day vulnerabilities identified in 2022. CNAPPs alone are unable to keep up.

Furthermore, as the number of risks grows, the percentage of vulnerabilities that are actually remediated decreases. CNAPPs can provide a false sense of security as the sheer volume of unaddressed risks continues to grow.

While CNAPPs provide valuable insights into cloud security, they can not stand alone as a complete solution.

Itai Greenberg, Chief Strategy Office, Check Point Software Technologies

Embracing real-time prevention and zero trust

Organizations need to adopt a proactive approach to overcome the limitations of CNAPPs. Real-time prevention and the implementation of a zero-trust security model are essential to achieving comprehensive cloud protection. Understanding the key components of a comprehensive cloud security posture is the first step.

Real-time, AI-powered prevention on the network and the workload

Cloud environments need advanced, AI-powered WAF solutions to analyze patterns and behaviours to prevent zero-day attacks in cloud apps. This AI-powered detection is far more effective than outdated, signature-based WAF. Research shows that organizations with effective and extensive AI and automation deployments contained breaches almost 100 days faster on average than other organizations.

This kind of strategic AI also enables contextual decision-making, another crucial component of real-time prevention. Security solutions should be capable of making decisions based on the whole workload environment, including executed code and open-source components. This can reduce remediation time from hours to minutes or seconds.

Adaptive zero-trust security

Each organization should have a unified zero trust policy that applies across all cloud environments, whether they’re public, private or in an open-source system such as Kubernetes. A single pane of glass with unified policies and logs is essential for consistency and eliminating unnecessary blind spots.

Those policies should be adaptive based on identities, such as job title and function, limiting risk throughout the organization. In the same way, zero trust contains lateral movement within the network, ensuring that even if one part of the environment is compromised, the threat remains contained.

How concerned organizations are with the volume of cloud security risks that require mitigation.
Image: Check Point Software 2024 Cloud Security Report

Enhanced CNAPP with preventative context

While CNAPPs are valuable, they must be paired with preventative tools like WAFs, virtual security gateways, and agent-based protection to be fully effective. Integrating these tools helps reduce risks and minimize alert fatigue by focusing on the most critical threats.

By correlating indicators such as code vulnerabilities and configuration issues, CNAPPs can detect the most severe risks. Security should span from code to cloud, beginning with comprehensive scanning in development (CI/CD pipelines, repositories, and production) to catch vulnerabilities early. This holistic approach ensures more accurate risk assessments and helps security teams prioritize meaningful alerts.

The imperative shift to prevention

While CNAPPs provide valuable insights into cloud security, they can not stand alone as a complete solution. The ever-growing threat landscape requires a shift toward real-time prevention and implementing a zero-trust model.

By adopting these proactive strategies, organizations can finally move beyond the illusion of security that CNAPPs create and achieve true protection against the evolving threats of today’s cloud environments.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Share:
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

1:56

This AI granny is taking on phone scammers

Collaboration is key to tackling cybercrime. Recent takedowns show why

About us

Engage with us

  • Sign in
  • Partner with us
  • Become a member
  • Sign up for our press releases
  • Subscribe to our newsletters
  • Contact us

Quick links

Language editions

Privacy Policy & Terms of Service

Sitemap

© 2024 World Economic Forum