Cloud Workload Protection Platforms (CWPP): An In-Depth Look

What Is a Cloud Workload Protection Platform (CWPP)?

The term “cloud workload” may refer to the components used by applications residing in the cloud, including computing, storage, and networking. Cloud workloads require the implementation of unique cloud security measures, which differ from traditional IT environments.

Cloud Workload Protection Platforms (CWPPs) provide the capabilities needed to secure workloads deployed in private, public, or hybrid clouds. CWPP solutions are designed to secure the application and any associated cloud resource.

In this article:

What Is a Cloud Workload?

A workload consists of resources and processes that are required to run an application. Cloud workloads often include an application as well as data generated by and served to the application. Additionally, a cloud workload includes all network resources needed to connect several different components of the application and to connect users to the application.

Many organizations have workloads that consist of multiple compute options as well as cloud service providers (CSPs). To properly protect cloud workloads, organizations must secure multiple types of cloud infrastructure—virtual machines (VMs), serverless workloads, and containers—across both public and private clouds.
The Importance of CWPP Solutions
In a DevOps environment, cloud applications are pushed to production rapidly and undergo frequent changes. Because many of these applications are public facing, they are difficult to monitor and secure.

CWPP offers a low-friction, scalable solution for putting in place cloud workload protection. CWPP solutions can help control the fallout of sub-standard security practices during the fast development cycles typical of DevOps.

CWPP tools help with the following issues in cloud development:

  • Workload monitoring and detection of anomalies in your cloud environment – CWPP solutions track your endpoints and employ anomaly detection to alert you to potential attacks and report on the context of such attacks.
  • Broader view of your security workload – CWPP tools support the automatic identification of vulnerabilities within VMs, serverless functions, or containers. CWPP tools look at the various layers of your workloads and automatically monitor, warn about, and scan known vulnerabilities (CVEs) within the workload or vulnerable port configurations, including ports that are publicly accessible.
  • Minimization of security risks in high velocity development – To handle the fast pace of cloud development, CWPP integrates into development or deployment environments. Thus, security issues are identified quickly during software development and it is easier to remediate challenges when they emerge. This markedly minimizes the timeframe for possible attacks.
  • Visibility in a hybrid cloud solution – Organizations utilize a broad variety of technologies and use hybrid cloud provider approaches. Dealing with all workloads across multiple accounts, hosted with different cloud providers in various cloud regions, is complex and prone to error.

Key Capabilities of CWPP Solutions

Gartner defines the following four essential features of CWPP solutions:

  1. Features for hybrid and multi-cloud architecture – CWPPs should provide capabilities that help protect physical machines, serverless workloads, VMs, and containers. However, all of these capabilities should be managed through a single console and a single set of APIs.
  2. Accessibility and automation – CWPPs need to expose all functionalities through APIs and facilitate automation in a range of cloud environments.
  3. Container protection – All CWPPs should provide container protection capabilities.
  4. Serverless protection – CWPPs should share their architecture design and roadmap for serverless protection.


In addition, there are some additional principles CWPPs should follow to provide more value:

  • Provide consistent visibility and control for all workloads regardless of size, design, or location.
  • Support both containers and serverless workloads.
  • Extend workload scanning and compliance into development environments.
  • Expose all functionality through APIs.
  • Replace antivirus-centric strategies with a zero-trust framework or default-deny approach during runtime.
  • Integrate with Cloud Security Posture Management (CSPM) solutions, to enable detection and remediation of risky misconfigurations.

8 Layers of CWPP Controls

Gartner defines the following eight layers of CWPP controls:

  • Hardening
  • Configuration
  • Vulnerability management
  • Network firewalling
  • Visibility and microsegmentation
  • System integrity assurance
  • Application control and allowlisting
  • Exploitation prevention and memory protection

The foundational layers: hardening, configuration and vulnerability management
These layers require hardening images according to industry standards. They also require hardening and configuring systems according to the guidelines of the organizations. Additionally, systems should be patched promptly.

The infrastructure layers: network firewalls, microsegmentation, and visibility
These layers secure workloads by firewalling and segmenting the communication of workloads with other resources. They also support microsegmentation of east-west traffic in data centers and monitor communication flows. There are solutions that offer additional security in the form of network traffic encryption.

The system integrity assurance layer
This layer consists of the following two phases:

  • A pre-boot phase – A CWPP measures components before they are loaded. These components may include the firmware on a cloud resource, the hypervisor, and virtual machines.
  • A post-boot phase – A CWPP monitors the integrity of the workloads once they’ve been launched, checking configuration and system files. It also monitors the integrity of your Windows registry, drivers, startup folders, and boot loader.

The application control/allowlisting layer
CWPP tools use application controls to manage the executables that are allowed to run on the server, in order to implement a deny-by-default policy. This layer blocks any malware executables by default. The majority of CWPP tools provide built-in features for application control.

The memory protection layer
This layer prevents vulnerability exploits by combining operating system functions with application control. The capabilities offered in this layer can help mitigate threats when there are no available patches.

Layers that are executable independently of the workload
Required controls for CWPP include endpoint protection for workloads, host-based IPS, threat detection, behavioral profiling, and antivirus.

Cloud Workload Protection with Calico

Calico Enterprise and Calico Cloud offer four ways to implement pod-level workload access controls. This can help protect containerized environments from outside threats, while enabling applications and workloads to securely communicate with resources—whether they are outside the cluster, behind a firewall, or other control point.

Calico Enterprise and Calico Cloud provide:

  • Egress Access Gateway to leverage existing firewalls for access control
  • DNS Policy to control access from within the cluster
  • Namespaced NetworkSets to group IP addresses for use in global network policy
  • GlobalNetworkSets to write portable network access policies across clusters by using labels to select groupings of IP CIDRs

Calico’s common network policy model uses Kubernetes constructs like labels and selectors to provide granular, pod-based control and restrict access to specific external resources.

Next Steps:

Join our mailing list​

Get updates on blog posts, workshops, certification programs, new releases, and more!