Announcing Snyk Self-Hosted (CNA) for AWS Customers

source link: https://snyk.io/blog/announcing-snyk-self-hosted-cna-for-aws-customers/

Snyk CNA adds flexibility in delivery with self-hosted version for AWS customers

Udi Nachmany

May 11, 2021

There are several advantages to consuming software as a service (SaaS). For starters, it allows companies of any size to leverage enterprise-grade software (CRM, service desk, security, etc.) in a pay-as-you-go model to avoid spending large sums of money on shelfware that may never get put to use. SaaS also offers customers the ability to scale or change the usage of their software with little to no advance notice, and makes them more agile in delivering products to market. It even enables customers to save a lot of time shifting maintenance responsibilities from their IT department to a vendor like Snyk.  

For some enterprise organizations, however, SaaS is not an option. They still manage their IT infrastructure in private environments where data can remain completely isolated from public connections. For some companies, especially those in the financial, healthcare, or public sectors, this might be due to industry-wide compliance regulation in which the organization must control the flow of data, keeping it from flowing to the public internet.

To answer this market need, Snyk has developed a self-hosted version of its platform to help enterprises automate security controls into their developer workflow, from open source code in the IDE to container images in Kubernetes — in their private environment. Customers can now leverage a cloud native software appliance that can be deployed into their private AWS environments to ensure they have deep visibility into application security risks while meeting strict compliance regulations.

Snyk Cloud Native Appliance (CNA): Batteries included

Snyk Cloud Native Appliance (Snyk CNA) is a self-hosted, dedicated instance of Snyk that can be deployed directly onto a customer’s cloud infrastructure. Snyk CNA is designed to integrate securely with existing developer workflows, whether located on-premises or running in the cloud, and was developed so that customers could easily customize the network connectivity between Snyk and their cloud or bare-metal infrastructure.

To make things easier on our customers, we’ve built Snyk CNA in a way that requires a very minimal amount of prerequisite setup. The customer only needs to use their account ID and their credentials for that account, as well as the credentials we’ve provided to access their Snyk license. From there, Snyk’s automated installer provisions the entire application for them. Every two weeks, the customer’s appliance will communicate with Snyk over a private cloud link to download the latest Snyk release without any application downtime, giving our customers a very SaaS-like experience without giving Snyk access to their data. Customers can also install a corporate VPN to allow Snyk CNA to  with privately hosted source code, image registries, and more.

We understand that cloud infrastructure is complex, so in order to mitigate some of the cost of operations, Snyk CNA has created a very operator-friendly experience for our customers. Since we provision what the infrastructure looks like in Snyk CNA, we’ve made the platform as turnkey as possible, making it so that customers and their security teams don’t need a robust cloud skillset in order to deploy and manage it. The Snyk team has aligned all of the infrastructure with the technology that underpins the Snyk platform, so that any investment we make in improving our flagship SaaS platform is also automatically reflected in Snyk CNA. Additionally, because we provision the infrastructure on the appliance, Snyk CNA will be able to scale up or down to help optimize resource consumption in the customer’s environment.

Snyk CNA on AWS GovCloud

AWS GovCloud is a version of AWS with a higher level of security scrutiny that helps customers address compliance concerns around things like Personally Identifiable Information (PII), sensitive patient medical records, and financial data, giving customers and their partners the flexibility to create secure solutions that comply with the FedRAMP High Baseline, as well as other compliance regimes.

Snyk has now tailored Snyk CNA to make AWS GovCloud one of our supported environments, allowing our federal customers to use our software within their security constraints.

Broker: Snyk’s hybrid model for expanded security 

Some customers want to integrate Snyk into their on-prem developer workflow, while using our SaaS platform. Snyk Broker is an open source tool that provides multiple levels of security within a customer’s environment, whether that customer is running in a dedicated instance or not.

If a customer has their source control running in a private network for extra security, for example, Snyk might not be able to connect to their Bitbucket or GitHub Enterprise server because it’s running in the customer’s private network. As a result, Snyk has developed a “Broker”, which is a server that we provide to our customers as container images with two-way connectivity. Snyk Broker establishes a secure connection between Snyk’s SaaS platform and the customer’s source control server, allowing customers to leverage Snyk using privately hosted integrations, but without requiring a VPN between the Snyk service and the customer’s single-tenant environment. Using Snyk Broker, customers can ensure that all data — both in transit and at rest — is encrypted.

Snyk Broker makes it so that the credentials for the customer’s servers never leave their infrastructure. Snyk will make an API call where the credentials would be, and the customer would configure the credentials on the Broker server that they’re running on their end, ensuring that those credentials never leave their network.

In addition to making a connection to private source control servers, Snyk can also connect to private container registries with the Broker plus a container registry agent. The container registry agent handles the additional load of scanning the container images in your private registries and uses the broker to handle the communication and authentication. 

Understanding that building and operating a VPN has historically been a time-consuming issue for most, Snyk has built an application-level solution to this networking issue by using a more lightweight server to manage that flow of data.

Learn more about Snyk CNA

If you’d like to learn more about Snyk CNA, or which delivery model might fit your organization’s needs, reach out to a Snyk representative to schedule an evaluation today!  

Snyk on AWS

Find us on the AWS Marketplace.

