Cloud Workload Protection Platforms (CWPPs) provide the capabilities needed to secure workloads deployed in private, public, or hybrid clouds. CWPP solutions are designed to secure the application and any associated cloud resource.
The term “cloud workload” may refer to the components used by applications residing in the cloud, including computing, storage, and networking. Cloud workloads require the implementation of unique cloud security measures, which differ from traditional IT environments.
Image Source: Gartner
In a DevOps environment, cloud applications are pushed to production rapidly and undergo frequent changes. Because many of these applications are public facing, they are difficult to monitor and secure.
CWPP offers a low-friction, scalable solution for putting in place cloud workload protection. CWPP solutions can help control the fallout of sub-standard security practices during the fast development cycles typical of DevOps.
CWPP tools help with the following issues in cloud development:
A CWPP solution can protect a server workload from attack regardless of its granularity or location. Security and risk management teams can consistently view and control all server workloads. CWPP tools should first scan for known vulnerabilities and security risks during development.
How does a CWPP protect workloads?
An effective CWPP can protect workloads from various attacks at any time by combining capabilities such as application control, system integrity protection, behavior monitoring, host intrusion prevention, and anti-malware.
CWPP vs. EPP
A CWPP’s requirements differ from those of an endpoint protection platform (EPP) because modern business applications and services comprise multiple workloads representing compute work on the back end, running in infrastructure as a service (IaaS) environments or on-premises. Gartner recently reported that over three-quarters of enterprises use more than one IaaS provider. The main challenge with multiple providers is the higher security risk posed by the differing security models of the various public IaaS offerings.
Protecting a variety of workloads
Most enterprises have distributed workloads running in various public cloud platforms and on-premises. This hybrid multi-cloud architecture is more challenging to protect, which is where CWPP comes in.
Workloads have different life spans and granularity, and many organizations change how they create workloads. For example, Linux containers are a popular option, while serverless platform as a service (PaaS) is also gaining popularity. Adopting a CWPP strategy can help ensure consistent visibility and control over workloads regardless of abstraction level or granularity.
Gartner defines the following four essential features of CWPP solutions:
In addition, there are some additional principles CWPPs should follow to provide more value:
Incorporating a CWPP into your CI/CD pipeline can help ensure the security of your cloud workloads and applications throughout the development lifecycle. Here are some steps to incorporate CWPP into your CI/CD pipeline:
By incorporating CWPP into your CI/CD pipeline, you can achieve a more proactive and automated approach to cloud workload security, reducing the risk of security incidents and ensuring the protection of your applications and data throughout the development lifecycle.
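As an added example that is not part of the original article, here is one way to place a CWPP-style vulnerability gate in a CI/CD pipeline: a GitHub Actions job builds an image, scans it for known vulnerabilities, and only pushes it when no CRITICAL or HIGH findings remain. The article names no scanner, so Trivy, the `payments-api` image name and the `registry.example.com` registry are assumptions.

```yaml
# Added example (not from the article): gate a container image on a
# vulnerability scan before it is pushed to a registry.
# Assumptions: GitHub Actions, Trivy as the scanner, and the placeholder
# image registry.example.com/payments-api.
name: build-scan-push
on:
  push:
    branches: [main]
jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build the image locally; nothing is published at this point.
      - name: Build image
        run: docker build -t registry.example.com/payments-api:${{ github.sha }} .

      # Scan OS packages and application libraries for known CVEs.
      # exit-code '1' fails this step on any CRITICAL/HIGH finding, which
      # stops the job before the push step runs. ignore-unfixed skips
      # findings with no available patch so the gate stays actionable.
      - name: Scan image for known vulnerabilities
        uses: aquasecurity/trivy-action@master   # pin to a release tag in real use
        with:
          image-ref: registry.example.com/payments-api:${{ github.sha }}
          format: table
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: os,library
          severity: CRITICAL,HIGH

      # Reached only when the scan passed (registry login step omitted).
      - name: Push image
        run: docker push registry.example.com/payments-api:${{ github.sha }}
```

Findings the scan reports but does not block (MEDIUM and below) still surface in the job log, so the same step gives the development team visibility before anything reaches runtime protection.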
CWPP offers three main advantages.
A CWPP focuses on security in cloud native conditions, providing protection mechanisms for cloud environments that legacy tools might struggle to achieve. Legacy tools are often purpose-built for specific managed endpoints or physical servers and do not easily support containerization, virtualization, or serverless PaaS.
A CWPP provides the security needed when running workloads in VMs or containers. In these environments, organizations cannot control the entire technology stack.
Consistency is important because of the way most organizations use cloud platforms. For instance, microservices have enabled large numbers of small workloads, while DevOps has decreased the life span of individual workloads—you tear down and replace workloads with new ones depending on the release cadence. Likewise, hybrid and multi-cloud environments have enabled the concurrent use of different platforms.
On a practical level, the distributed nature of these deployments often results in reduced long-term visibility unless you take action to improve it. A CWPP provides more consistent visibility regardless of the number of workloads or their location.
Portability allows products to maintain security across different environments. The security of a workload does not depend on where it is. For instance, a workload that runs on-premises one day might move to an IaaS provider the next. Another example is a container that runs on a dedicated IaaS engine before you move it to Azure Container Instances or AWS Fargate.
While CWPPs protect workloads internally, a Cloud Security Posture Management (CSPM) tool can protect workloads externally. It assesses compliant and secure configurations of a cloud platform’s control plane. CSPMs provide the tools to monitor compliance, integrate with DevOps processes, respond to security incidents, conduct risk assessments, and visualize risks.
A CSPM solution can identify unknown and excessive risks across the organization’s cloud ecosystem, including cloud-based storage, compute, and identity and access management services. It continuously monitors compliance, prevents misconfiguration, and facilitates investigations by the security operations center (SOC).
A CWPP solution is probably the better option if your priority is protecting your organization’s workloads in the cloud and reinforcing application security. It is important to evaluate whether your existing security solution can handle the cloud services used for workloads. For instance, if you use containers, you should have a workload security solution that can inspect containers for security risks.
A CSPM solution may be the best option if the company’s priority is to ensure compliance with configuration best practices in the cloud. It uses the cloud service provider’s APIs to automate benchmarks and audit security checks.
Gartner defines the following eight layers of CWPP controls:
The foundational layers: hardening, configuration and vulnerability management
These layers require hardening images according to industry standards and hardening and configuring systems according to the organization’s own guidelines. Additionally, systems should be patched promptly.
The infrastructure layers: network firewalls, microsegmentation, and visibility
These layers secure workloads by firewalling and segmenting the communication of workloads with other resources. They also support microsegmentation of east-west traffic in data centers and monitor communication flows. There are solutions that offer additional security in the form of network traffic encryption.
The system integrity assurance layer
This layer consists of the following two phases:
The application control/allowlisting layer
CWPP tools use application controls to manage the executables that are allowed to run on the server, in order to implement a deny-by-default policy. This layer blocks any malware executables by default. The majority of CWPP tools provide built-in features for application control.
The memory protection layer
This layer prevents vulnerability exploits by combining operating system functions with application control. The capabilities offered in this layer can help mitigate threats when there are no available patches.
Layers that are executable independently of the workload
Required controls for CWPP include endpoint protection for workloads, host-based IPS, threat detection, behavioral profiling, and antivirus.
Calico Enterprise and Calico Cloud offer four ways to implement pod-level workload access controls. This can help protect containerized environments from outside threats, while enabling applications and workloads to securely communicate with resources, whether they are outside the cluster, behind a firewall, or behind another control point.
Calico Enterprise and Calico Cloud provide:
Calico’s common network policy model uses Kubernetes constructs like labels and selectors to provide granular, pod-based control and restrict access to specific external resources.
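As an added example that is not from the original article or the Calico project docs, the two manifests below show the label-and-selector model described above: a GlobalNetworkSet gives an external database address a label, and a namespaced NetworkPolicy lets only pods labelled `app == 'payments-api'` reach it, with all other egress denied. The `payments` namespace, the labels, the 203.0.113.10 address and port 5432 are constructed values.

```yaml
# Added example (not from the article): restrict pod egress to one labelled
# external resource using Calico's projectcalico.org/v3 API.
# Constructed values: namespace, labels, 203.0.113.10/32 and port 5432.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
  name: external-payments-db
  labels:
    external-resource: payments-db   # label that policy selectors match on
spec:
  nets:
    - 203.0.113.10/32                # address of the database outside the cluster
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: payments-api-egress
  namespace: payments
spec:
  selector: app == 'payments-api'    # only these pods are governed by this policy
  types:
    - Egress
  egress:
    # Allow DNS so the workload can still resolve names.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports: [53]
    # Allow the database, selected by the network set's label rather than
    # by hard-coding its IP in every policy.
    - action: Allow
      protocol: TCP
      destination:
        selector: external-resource == 'payments-db'
        ports: [5432]
    # Deny-by-default for everything else leaving these pods.
    - action: Deny
```

If the database moves, only the GlobalNetworkSet changes; the policy keeps working because it references the label, not the address.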