Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security


What is CNAPP?

As organizations move workloads from on-premises to public cloud IaaS, the overall number of IaaS workloads goes up rapidly. A majority of enterprises are now piloting or using container-based applications and are experimenting with serverless PaaS. Skyhigh Security addresses this problem by providing the Cloud-Native Application Platform Protection, or CNAPP.

CNAPP is a licensed product provided through the Skyhigh Security Cloud tenant that makes developing and deploying cloud-based applications more secure. The three basic functional areas of CNAPP are the Cloud Security Posture Manager (CSPM), the Cloud Workload Platform Protection, (CWPP), and the Apps and Data used in the cloud. In CNAPP, the user experience and workflows are optimized. Within Skyhigh Security Cloud, administrators have unified policies and integrated workflows, across all types of accounts, Cloud Services Providers (CSP), containers, Virtual Machines (VMs), hybrid from a business perspective, specifically from, a business risk perspective.

CNAPP enables administrators to:

  • Identify the business security risk
  • Give security teams the tools to solve the problem
  • Bring the risk to the organization down 

Other security companies are taking a bottom-up approach, which is to give security practitioners independent tools to find the problems. This is a very siloed perspective on security. CNAPP looks across the entire spectrum of CSP, to the customers' apps across any workload and processing strategy which is evaluated against centralized policies driven by the business and centrally managed.

With cloud-native applications, workload security must start proactively in development. Increasingly, container and serverless workloads are scanned for vulnerabilities and misconfigurations in development, but are deployed with little or no runtime protection within the workload and instead rely on external network instrumentation and event monitoring to detect threats. 

As security scanning for workload shifts back into development, it is also advantageous to scan the cloud configuration for excessive risk as well. Security and risk management leaders responsible for infrastructure security should require the CWPP vendor to offer integrated CSPM capabilities to identify risky configurations.

There is synergy in combining CWPP and CSPM capabilities. The combination will create a new category of CNAPP that scans workloads and configurations in development and protects workloads and configurations at runtime.



  • Was this article helpful?