What Is a Cloud Workload Protection Platform (CWPP)?

Cloud Workload Protection Platforms (CWPPs) provide the capabilities needed to secure workloads deployed in private, public, or hybrid clouds. CWPP solutions are designed to secure the application and any associated cloud resource.

The term “cloud workload” may refer to the components used by applications residing in the cloud, including computing, storage, and networking. Cloud workloads require the implementation of unique cloud security measures, which differ from traditional IT environments.

Why Are CWPP Solutions Important?

In a DevOps environment, cloud applications are pushed to production rapidly and undergo frequent changes. Because they change constantly, and many of them are public facing, they are both exposed and hard to monitor and secure with static controls.

CWPP offers a low-friction, scalable solution for putting in place cloud workload protection. CWPP solutions can help control the fallout of sub-standard security practices during the fast development cycles typical of DevOps.

CWPP tools help with the following issues in cloud development:

  • Workload monitoring and anomaly detection in your cloud environment – CWPP solutions track each workload, use anomaly detection to alert you to potential attacks, and report the context of those attacks.
  • Broader view of your security workload – CWPP tools automatically identify vulnerabilities in VMs, serverless functions, and containers. They scan each layer of a workload for known vulnerabilities (CVEs) and for risky network exposure, such as ports open to the public internet, and alert on what they find.
  • Minimization of security risks in high velocity development – To keep pace with cloud development, a CWPP integrates into the development and deployment environments, so security issues are found while the software is still being built and are cheaper to remediate. This shortens the window during which a vulnerable build is exposed.
  • Visibility in a hybrid cloud solution – Organizations use a broad variety of technologies and more than one cloud provider. Tracking all workloads across multiple accounts, providers, and regions by hand is complex and error prone; a CWPP gives a single view across them.

How Does CWPP Work?

A CWPP solution can protect a server workload from attack regardless of its granularity or location. Security and risk management teams can consistently view and control all server workloads. CWPP tools should first scan for known vulnerabilities and security risks during development.

How does a CWPP protect workloads?

An effective CWPP can protect workloads from various attacks at any time by combining capabilities such as application control, system integrity protection, behavior monitoring, host intrusion prevention, and anti-malware.

CWPP vs. EPP

A CWPP’s requirements differ from an endpoint protection platform (EPP) because modern business applications and services comprise multiple workloads representing compute work on the back end, running in infrastructure as a service (IaaS) environments or on-premises. Gartner has reported that over three-quarters of enterprises use more than one IaaS provider. The main challenge with multiple providers is that each exposes different controls, configuration models, and defaults, so a policy enforced one way on one provider may be enforced differently, or not at all, on another.

Protecting a variety of workloads

Most enterprises have distributed workloads running in various public cloud platforms and on-premises. This hybrid multi-cloud architecture is more challenging to protect, which is where CWPP comes in.

Workloads have different life spans and granularity, and many organizations change how they create workloads. For example, Linux containers are a popular option, while serverless platform as a service (PaaS) is also gaining popularity. Adopting a CWPP strategy can help ensure consistent visibility and control over workloads regardless of abstraction level or granularity.

Benefits of CWPP

CWPP offers three main advantages.

Less Complexity

A CWPP focuses on security in cloud native conditions, providing protection mechanisms for cloud environments that legacy tools might struggle to achieve. Legacy tools are often purpose-built for specific managed endpoints or physical servers and do not easily support containerization, virtualization, or serverless PaaS.

A CWPP provides the security needed when running workloads in VMs or containers. In these environments, organizations cannot control the entire technology stack.

Increased Consistency

Consistency is important because of the way most organizations use cloud platforms. For instance, microservices have enabled large numbers of small workloads, while DevOps has decreased the life span of individual workloads—you tear down and replace workloads with new ones depending on the release cadence. Likewise, hybrid and multi-cloud environments have enabled the concurrent use of different platforms.

On a practical level, the distributed nature of these deployments often results in reduced long-term visibility unless you take action to improve it. A CWPP provides more consistent visibility regardless of the number of workloads or their location.

Portability

Portability allows products to maintain security across different environments, so the security of a workload does not depend on where it runs. For instance, a workload that runs on-premises one day might move to an IaaS provider the next. Another example is a container that runs on a self-managed host on IaaS before you move it to Azure Container Instances or AWS Fargate.

Key Capabilities of CWPP Solutions

Gartner defines the following four essential features of CWPP solutions:

  1. Features for hybrid and multi-cloud architecture – CWPPs should provide capabilities that help protect physical machines, serverless workloads, VMs, and containers, and all of these capabilities should be managed through a single console and a single set of APIs.
  2. Accessibility and automation – CWPPs need to expose all functionalities through APIs and facilitate automation in a range of cloud environments.
  3. Container protection – All CWPPs should provide container protection capabilities.
  4. Serverless protection – CWPPs should share their architecture design and roadmap for serverless protection.

In addition, CWPPs should follow these principles to provide more value:

  • Provide consistent visibility and control for all workloads regardless of size, design, or location.
  • Support both containers and serverless workloads.
  • Extend workload scanning and compliance into development environments.
  • Expose all functionality through APIs.
  • Replace antivirus-centric strategies with a zero-trust framework or default-deny approach during runtime.
  • Integrate with Cloud Security Posture Management (CSPM) solutions, to enable detection and remediation of risky misconfigurations.

What are the Differences Between CWPP and Other Solutions?

CWPP vs. CSPM

While a CWPP protects a workload from the inside, a Cloud Security Posture Management (CSPM) tool works from the outside, on the cloud platform’s control plane: it assesses whether the platform’s configuration is secure and compliant. CSPMs provide the tools to monitor compliance, integrate with DevOps processes, respond to security incidents, conduct risk assessments, and visualize risks.

A CSPM solution can identify unknown and excessive risks across the organization’s cloud ecosystem, including cloud-based storage, compute, and identity and access management services. It continuously monitors compliance, flags risky misconfigurations before they are exploited, and facilitates investigations by the security operations center (SOC).

A CWPP solution is probably the better option if your priority is protecting your organization’s workloads in the cloud and reinforcing application security. It is important to evaluate whether your existing security solution can handle the cloud services used for workloads. For instance, if you use containers, you should have a workload security solution that can inspect containers for security risks.

A CSPM solution may be the best option if the company’s priority is to ensure compliance with configuration best practices in the cloud. It uses the cloud service provider’s APIs to automate benchmarks and audit security checks.

CWPP vs. CIEM

Cloud Infrastructure Entitlement Management (CIEM) solutions are designed to manage identity and access in cloud environments. They focus on ensuring that permissions and entitlements are correctly configured and do not pose security risks. CIEM solutions typically provide capabilities for least-privilege enforcement, role management, and anomaly detection related to user access and entitlements.

CWPPs are focused on protecting the workloads themselves, including servers, virtual machines, and containers, from threats like malware, vulnerabilities, and unauthorized changes. While CWPPs are about securing the workloads, CIEMs are about securing who has access to what in the cloud environment. For organizations concerned about insider threats or over-privileged accounts, a CIEM solution would be a crucial complement to a CWPP.

CWPP vs. CASB

Cloud Access Security Brokers (CASBs) are security solutions that sit between cloud service users and cloud service providers to monitor all activity and enforce security policies. CASBs focus on securing cloud access, particularly for SaaS applications, by offering features like threat protection, data security, compliance, and visibility into cloud application usage.

CWPPs are specifically designed to secure workloads in cloud environments: they protect against vulnerabilities and malware and verify the integrity of the workloads. While CWPPs provide in-depth security for cloud infrastructure and applications, CASBs are more about managing and securing user access to cloud services. CASBs are particularly useful for organizations that utilize numerous SaaS applications and want to maintain control and visibility over how these applications are accessed and used.

CWPP vs. CNAPP

CWPPs focus on protecting workloads within the cloud environment, specifically addressing security at the workload level. Cloud-Native Application Protection Platforms (CNAPPs) provide a more comprehensive security approach, combining the capabilities of CWPPs and CSPMs. CNAPPs are designed to secure cloud-native applications throughout the entire lifecycle – from development to runtime. They offer integrated security for containerized environments, serverless functions, and microservices.

While CWPPs are primarily concerned with runtime protection and vulnerability management within workloads, CNAPPs also focus on code security, application dependencies, and configuration management. CNAPPs are a good choice for organizations that require a holistic security approach for their cloud-native applications, covering both workload protection and posture management.

Implementing CWPP in the CI/CD Pipeline

Incorporating a CWPP into your CI/CD pipeline can help ensure the security of your cloud workloads and applications throughout the development lifecycle. Here are some steps to incorporate CWPP into your CI/CD pipeline:

  • Assess your cloud environment: Analyze your existing cloud infrastructure, workloads, and applications to understand the security risks, requirements, and compliance needs. This will help you select the appropriate CWPP solution and tailor it to your specific environment.
  • Choose a suitable CWPP solution: Select a CWPP solution that integrates well with your CI/CD pipeline tools and provides the necessary features for workload protection, such as vulnerability management, threat detection, configuration management, and data protection.
  • Integrate with CI/CD tools: Connect your CWPP solution to your existing CI/CD pipeline tools, such as Jenkins, GitLab CI/CD, or CircleCI. This integration enables you to automate security checks, vulnerability scanning, and policy enforcement as part of your build and deployment processes.
  • Automate security scans: Configure your CWPP to automatically scan code repositories, container images, and infrastructure-as-code (IaC) templates for vulnerabilities and misconfigurations during the build phase. This helps identify and remediate potential security issues before they are deployed to production.
  • Policy enforcement: Define and enforce security policies within your CI/CD pipeline using your CWPP solution. This can include setting access controls, managing secrets, and ensuring compliance with industry standards and regulations.
  • Implement monitoring and alerts: Integrate your CWPP with monitoring and alerting tools, such as Prometheus, Grafana, or ELK Stack, to provide real-time visibility into the security posture of your cloud workloads. Set up alerts to notify your development and operations teams of potential security incidents.
  • Continuous feedback and improvement: Regularly review the security metrics, reports, and alerts generated by your CWPP solution to identify areas for improvement in your cloud workload security posture. Use this information to refine your security policies and practices, and continuously improve the security of your CI/CD pipeline.
  • Security training and awareness: Educate your development and operations teams about the importance of cloud workload security and the role of CWPP in your CI/CD pipeline. Ensure that your teams are familiar with the CWPP solution and understand how to address security issues and incorporate security best practices into their daily workflows.

By incorporating CWPP into your CI/CD pipeline, you can achieve a more proactive and automated approach to cloud workload security, reducing the risk of security incidents and ensuring the protection of your applications and data throughout the development lifecycle.
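As an added example (not code from the original page or from Calico), here is the "automate security scans" and "policy enforcement" steps above turned into a build gate: it reads a scanner's vulnerability report for a container image, blocks the pipeline on findings at or above a severity threshold that have a fix available, and honours time-boxed waivers so an accepted risk cannot silently become permanent. The report layout is modeled on Trivy's JSON output; the image name registry.example.internal/payments-api, the waiver file format and the run_sample helper are assumptions for the example, and the sample report is constructed (it uses real CVE identifiers, but the image and package versions are illustrative).

```python
# Added example: a CI build gate over a container-image vulnerability report.
# Not Calico's or any vendor's code. Report shape is modeled on Trivy's JSON
# output (Results -> Vulnerabilities); adapt the keys to your scanner.
import json
import sys
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: real CVE IDs, hypothetical image name and versions.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "registry.example.internal/payments-api:1.4.2 (debian 11.6)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2016-2781", "PkgName": "coreutils",
              "InstalledVersion": "8.32-4", "FixedVersion": "", "Severity": "LOW"},
             {"VulnerabilityID": "CVE-2014-0160", "PkgName": "openssl",
              "InstalledVersion": "1.0.1f", "FixedVersion": "1.0.1g", "Severity": "HIGH"}]},
        {"Target": "app/lib/log4j-core-2.14.1.jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-44228", "PkgName": "log4j-core",
              "InstalledVersion": "2.14.1", "FixedVersion": "2.17.1", "Severity": "CRITICAL"}]},
    ]})

# Constructed waiver file (assumed format): every accepted risk carries an
# owner, a reason and a hard expiry, so an exception cannot become permanent.
SAMPLE_WAIVERS = {
    "CVE-2014-0160": {"owner": "platform-team",
                      "reason": "service never terminates TLS; rebuild tracked",
                      "expires": "2024-01-31"},
}

@dataclass
class Finding:
    cve: str
    pkg: str
    installed: str
    fixed: str
    severity: str
    target: str

@dataclass
class Decision:
    blocked: bool = False
    blocking: list = field(default_factory=list)  # findings that fail the gate
    waived: list = field(default_factory=list)    # covered by an unexpired waiver
    expired: list = field(default_factory=list)   # waiver present but past expiry
    ignored: list = field(default_factory=list)   # below threshold or no fix

def parse_report(text: str) -> list:
    """Flatten a Trivy-style JSON report into Finding objects."""
    findings = []
    for result in json.loads(text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                cve=v["VulnerabilityID"], pkg=v.get("PkgName", ""),
                installed=v.get("InstalledVersion", ""), fixed=v.get("FixedVersion", ""),
                severity=v.get("Severity", "UNKNOWN").upper(), target=result.get("Target", "")))
    return findings

def evaluate(findings, waivers, today, min_severity="HIGH", require_fix=True) -> Decision:
    """Block on findings at or above min_severity (and, when require_fix is set,
    only those with a fix available) unless an unexpired waiver names the CVE."""
    threshold = SEVERITY_RANK[min_severity]
    d = Decision()
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold or (require_fix and not f.fixed):
            d.ignored.append(f)
            continue
        waiver = waivers.get(f.cve)
        if waiver and date.fromisoformat(waiver["expires"]) >= today:
            d.waived.append(f)
            continue
        if waiver:
            d.expired.append(f)  # an expired waiver blocks like any other finding
        d.blocking.append(f)
    d.blocked = bool(d.blocking)
    return d

def format_decision(d: Decision) -> str:
    lines = [f"{'EXPIRED WAIVER' if f in d.expired else 'BLOCK'}: {f.cve} {f.severity} "
             f"{f.pkg} {f.installed} -> fix {f.fixed} ({f.target})" for f in d.blocking]
    lines += [f"WAIVED: {f.cve} {f.severity} {f.pkg} ({f.target})" for f in d.waived]
    lines.append(f"{len(d.ignored)} finding(s) below threshold or without a fix")
    lines.append("RESULT: FAIL" if d.blocked else "RESULT: PASS")
    return "\n".join(lines)

def run_sample(today_iso: str = "2023-12-01", **policy) -> Decision:
    """Evaluate the embedded sample report on a fixed date (deterministic for tests)."""
    return evaluate(parse_report(SAMPLE_REPORT), SAMPLE_WAIVERS,
                    date.fromisoformat(today_iso), **policy)

def main(argv) -> int:
    """Usage: gate.py [report.json [waivers.json]]; exits 1 when the gate blocks."""
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    waivers = json.load(open(argv[2])) if len(argv) > 2 else SAMPLE_WAIVERS
    d = evaluate(parse_report(report), waivers, date.today())
    print(format_decision(d))
    return 1 if d.blocked else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline job, run it after the scanner (for instance `python gate.py report.json waivers.json`) and let the non-zero exit status fail the stage; the pipeline should key on the exit code, not on the printed text. With the sample data and a date of 2023-12-01 the Log4Shell finding blocks, the Heartbleed finding is waived until its expiry, and the unfixed LOW coreutils finding is reported but ignored; once the waiver lapses, the openssl finding blocks again. Requiring an available fix before blocking is a deliberate choice: a gate that fails builds on findings nobody can act on trains teams to ignore it.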

Cloud Workload Protection with Calico

Calico Enterprise and Calico Cloud offer four ways to implement pod-level workload access controls. This can help protect containerized environments from outside threats, while enabling applications and workloads to securely communicate with resources—whether they are outside the cluster, behind a firewall, or other control point.

Calico Enterprise and Calico Cloud provide:

  • Egress Access Gateway to leverage existing firewalls for access control
  • DNS Policy to control access from within the cluster
  • Namespaced NetworkSets to group IP addresses for use in global network policy
  • GlobalNetworkSets to write portable network access policies across clusters by using labels to select groupings of IP CIDRs

Calico’s common network policy model uses Kubernetes constructs like labels and selectors to provide granular, pod-based control and restrict access to specific external resources.
