Cloud Workload Protection Platform (CWPP) as defined by Gartner
is a “workload-centric security solution that targets the unique protection requirements” of workloads in modern enterprise environments.
Workloads in modern environments have evolved to include physical servers, virtual machines (VMs), containers, and serverless workloads.
These workloads provide the underlying computing, transport (network), and storage of the data that deliver application functionality have evolved. As illustrated in Figure 1, they are shrinking with a focus on a smaller, more specific task that lends itself to the overall application.
These workloads often reside on-premise, in colocation-type environments like third-party datacenters or in the public cloud.
Finally, depending on its type and the application it supports, a workload may be persistent or non-persistent. While a server is expected to be in place and functioning for years, VMs may be spun up on a monthly or weekly basis and containers may only be used one time and discarded.
The ability to apply protection to ever-shrinking workloads that may be on-premise or in the cloud and may or may not persist in the environment means that the very nature of the techniques and solutions to secure them have to change.
As a result, CWPP has evolved to be distinct from Endpoint Protection Platforms (EPP). It is specifically focused on the protection of workloads regardless of type or location. A well-architected CWPP solution will also work seamlessly with a Cloud Security Posture Management (CSPM) solution.
Why is CWPP important?
The transformation from legacy to cloud-native applications isn’t automatic. Organizations can’t “copy and paste” to the cloud an application that is currently on-premise. Here are four reasons why Cloud Workload Protection Platform (CWPP) is important:
- Most companies have legacy applications and infrastructure that prevent a complete movement of functionality to the cloud.
- Most organizations are deliberately using multiple cloud vendors, depending on their specific needs. As a result, most enterprises—by circumstance or design—are working in a hybrid, multi-cloud environment. This makes it difficult for security professionals to know, see, and manage where applications and data are in a fragmented environment.
- Today, application developers grab code from a variety of places like GitHub, leverage workloads to create an application and publish it directly to their target audience of consumers. This approach is called Development Operations (DevOps) and is a cycle of “continuous innovation and continuous development” (CI/CD) where they can quickly respond to customers and improve that response and experience for their customers and partners in weeks or days.
- The tradeoff of process for speed and the constant improvement of applications means that security is no longer a strict gate for application production. Security professionals can’t apply controls at application run time as they used to be able to do. The risk to data and applications due to the changing nature of workloads, lack of visibility and control, and the rise of the “always on” DevOps environment makes CWPP an important security solution in the modern enterprise.
How does CWPP work?
A comprehensive Cloud Workload Protection Platform (CWPP) solution should give you the ability to discover workloads that have been deployed in your on-premise and public cloud environments. You should be able to add the ability to manage any unmanaged workloads you discover.
From a security perspective, you should be able to do a vulnerability assessment of the workload by comparing it to a relevant set of policies. Based on the outcome of the vulnerability assessment, you should be able to apply security such as integrity protection, immutability or whitelisting, memory protection and host-based intrusion prevention. Note that from a pure security perspective, anti-malware protection is less critical. Anti-malware may be tightly coupled to the regulations that govern your industry, however, that it may be required.
There are several other considerations.
Incorporate into the CI/CD pipeline
Since workload protections cannot always be applied at run time as a natural and ideally invisible part of application development. By shifting security further to the left of the application process, you can increase its ubiquity and effectiveness.
Align with CSPM Solutions
CWPP should be tightly aligned with, or even ideally part of the same solution as, Cloud Security Posture Management (CSPM). Where CWPP assesses the workloads and provides the means of securing them, CSPM is designed to do the same for the cloud accounts in which those workloads are deployed. The two solutions very naturally fit together so they should be part of the same user experience.
Link CWPP solution to infrastructure
CWPP solution should seamlessly link to the rest of your security infrastructure. Where CWPP focuses on protecting workloads that run applications, Data Loss Prevention (DLP) focuses on protecting the data that applications use and store. From a different perspective, a Security Operations Center (SOC) can significantly enrich its view of complex attacks if it can detect ones that originate from or extend themselves into the cloud. And until the SOC can detect and remediate cloud-native threats and vulnerabilities, investigators will be partially blind to certain types of attacks.
What are the key benefits of CWPP?
Cloud Workload Protection Platform (CWPP) provides a solution for addressing the unique aspects of Zero Trust Security for cloud workloads, which include:
- Workloads:Server, VM, container and serverless; on-premise or in the cloud; persistent or non-persistent
- Security constraints: At run-time or in the development process
- Hybrid environments: Movement from on-premise to the cloud
- Multi-cloud environments: Enterprise use of more than one cloud service provider
- Discoverability and visibility: Being able to find and manage workloads in a hybrid, multi-cloud environment
A comprehensive CWPP solution, in turn, lends itself to accelerating development of cloud-native applications and unlocking the “power of the cloud.” Key benefits include:
- Cost: Lower upfront costs, reduced cost of hardware, lower maintenance & operational overhead
- Flexibility: Scale up and scale down application capacity, according to demand
- Improved Customer Service: Respond better and faster to customer requests, driving more business
- Ease of Use: Stand up, use from anywhere and collect analytics from applications
- Security: Shared responsibility and evolution of cloud security
Skyhigh Cloud Workload Protection Platform (CWPP)
Skyhigh’s CWPP solution is part of a broader effort to secure cloud-native applications. We are taking a decidedly different approach in doing so. Our ultimate objectives are to:
- Focus on business outcomes rather than technical solutions to different pieces of the problem.
- Provide comprehensive threat and data protection across all workloads, environments, and cloud service providers.
- Reduce management overhead by synthesizing user workflows into an ongoing continuum rather than separating by function or workload type.
From a security perspective, Skyhigh’s CWPP solution will deliver those objectives based on five fundamental pillars:
- Discovery and risk-based classification:
You can’t protect what you can’t see. Discovering workloads, regardless of what or where they are is the first key to managing risk. The next step is to classify account and workload vulnerabilities based on the risk to your organization. If you can quickly understand those risks relative to each other, you can quickly prioritize your remediation reducing overall risk as quickly as possible.
- Shift Left posture and vulnerability:
By moving security into the CI/CD pipeline and make it easy for developers to incorporate into their normal application development processes and ensuring that applications are secure before they are ever published reduces the chance of introducing new vulnerabilities and minimizing threats to the organization.
- Zero Trust policy control:
Skyhigh’s CNAPP solution supported by CWPP focus on Zero Trust network and workload policies. This approach not only allows you to gain analytics about who is accessing your environment and how—an important component of your SOC strategy—but it also ensures that people and services have appropriate permissions to perform necessary tasks.
- Unified Threat Protection:
CWPP unifies threat protection across workloads in the cloud and on-premise. It also synthesizes workload protections and account permissions into the same motion. Finally, by connecting cloud-native application protection to XDR, you are able to have full visibility, risk management, and remediation across your on-premise and cloud infrastructures.
- Governance and Compliance:
The ideal solution for protecting cloud-native applications includes the ability to manage privileged access and address threat protection for both workloads and sensitive data, regardless of where they reside.