Not so long ago, when security admins deployed an application, they could trust some things would remain static. For example, an application deployed to a physical host on premises would be the same state -- same host, same network, same configuration, same technology substrate -- it was left in after two weeks.
In modern ecosystems, however, this is the exception rather than the rule. A workload might be deployed to a VM or private cloud today only to find it running on a Docker container in a public cloud environment tomorrow.
From a security point of view, this is a major challenge. For example, if constant monitoring via a network intrusion detection system is assumed in the environment a workload is deployed in, what happens when it is moved to run in a different environment that doesn't?
The situation is further compounded with the rise of multi-cloud. It's rare for an organization to employ just one trusted IaaS or PaaS provider nowadays. In fact, supporting just one application can involve two or three -- or more -- different providers and environments. This increases complexity and makes it difficult to ensure the right controls are deployed in the right places for the right workloads.
This article is part of
A new category of security systems is emerging that promises to help. By unifying management across multiple cloud providers, packaging controls together with workloads and ensuring controls are designed to be cloud-native, cloud workload protection platforms (CWPPs) are a strategy for security implementation that helps address these challenges.
What are cloud workload protection platforms?
The term CWPP, coined by Gartner, refers to security strategies designed for cloud-native protection of workloads. To understand this, it's important to start with what a workload is in the first place. In general, a workload refers to an atomic unit of functionality or capability, along with anything required to run it -- i.e., data, network connectivity, etc. It's a unit of cloud functionality.
In practice, a workload can be anything. One might be an API that forms part of a customer-facing application, another might be a compute component that handles back-end processing and yet another might be the front end for an internal business application. Workloads can be VMs -- in a traditional IaaS or private cloud, for example -- or they might be containerized applications, i.e., an application and its supporting middleware running inside a container engine, such as Docker.
The idea behind a CWPP is to provide a mechanism to protect those workloads in a consistent way; in a way that plays well with multiple cloud environments, including an organization's own private or hybrid cloud; and in a way that has the same security properties and risk reduction value, regardless of what's going on around it.
Top 3 benefits of CWPPs
The implications of a CWPP are pronounced and fall into three main categories.
1. Reduced complexity
Because CWPPs target security for cloud-native conditions, they provide protections in the cloud that might be harder -- and more expensive -- to accomplish with legacy tools. Many legacy tools were designed around a managed endpoint or a physical server; they weren't necessarily designed with virtualization or containers in mind -- and still less for use in serverless PaaS or function as a service. As a baseline, CWPPs provide the security value as expected even when running inside a container or VM where organizations don't control the lower levels of the technology stack.
Next up is consistency. This is relevant given how most organizations use cloud. For example, from a usage standpoint, microservices architecture has led to more numerous and smaller workloads; DevOps has led to decreasing the lifespan of each individual workload, as workloads are torn down and replaced with newer ones according to release cadence; and multi-cloud and hybrid cloud have led to different environments being used in tandem. These equate to reduced visibility over the long term unless actions are taken to prevent it. CWPPs provide a more consistent view, no matter how many workloads there are or where they are located.
The third implication is portability, meaning products that foster security regardless of where a workload is or what it is -- for example, a workload running in an on-premises hypervisor today that is moved to an IaaS provider tomorrow or a container running on an engine in a dedicated IaaS today moving into AWS Fargate or Azure Container Instances tomorrow.
CWPP features and providers
It's important to note that not all CWPP-oriented products offer each and every benefit. Quite the contrary: Some systems are specific to the service provider, thus limiting portability; some are specific to usage -- for example, targeting virtual workloads but not containers -- thus limiting consistency; and others focus only a subset of security controls -- e.g., vulnerability scanning, encryption or configuration management.
Given the large scope, there are numerous CWPP products that vary depending on the security proposition they provide and how they provide it. Some tools are available from cloud vendors. For example, Microsoft's Azure Security Center aims to provide consistent security management -- including network-level visibility, configuration evaluation and threat protection -- across multiple OSes. Also available is Amazon Inspector, which helps with vulnerability and configuration issues.
Other more broad offerings come from well-established and longstanding security players, such as Palo Alto Networks' Prisma Cloud that focuses on segmenting workloads and providing additional security capabilities to both container and virtualized workloads. Some CWPPs are more specific, focusing on a smaller subset of the problem, including Capsule8's attacker detection capability or Anchore's container-based vulnerability scanning.
These are, of course, just a subset of the large number of vendors and players that are in the space. However, from a security practitioner's point of view, understanding the underlying changes in the marketplace -- and what those changes imply as we move forward -- is helpful and valuable.