Protecting the cloud, one workload at a time
Note: This is the third in a six-part series on public cloud security. You can follow the entire series here.
As companies deployed multiple workloads in the cloud, those with networking background began to question whether existing security was naturally extensible to these new workloads. Security vendors responded with CWPP – Cloud Workload Protection Platforms.
These solutions are defined as work-load centric security protection solutions. They usually deploy an agent, and address server workload protection in hybrid architectures. An example would be a hybrid data center with both on-premises or physical and virtual machines, and potentially multi-cloud IaaS infrastructures. Most also support container-based application architectures (i.e., Docker and Kubernetes). So far, sounds perfect.
The notion behind CWPP is that focusing on application security misses the broader context of cloud workloads, where deployment, monitoring, and security are all aspects of deploying workloads in the cloud. This includes items like data served to and generated by the application and network resources required to connect users and the application.
Protection for cloud workloads is based on the analysis of the security for all the components involved in running your workloads. If you look at a typical cloud workload – and note, a cloud workload is more than just the application at the core of it – most of them involve multiple layers of “networking,” many of which may simply be moving data from one user or access point to another but there is going to be some element which is exposed to the public internet, even if that is simply Secure Remote Access.Cloud Workload Protection Platform (CWPP) products are designed to protect the workload, and not the vulnerabilities in the #application code itself. More details in this Rich Turner series on cloud security.Click To Tweet
Therefore, CWPP products focus their attention on protecting the workload itself, versus any vulnerabilities in the application code itself. While many of the vendors offering CWPP solutions came from the endpoint security sector, many others are “born-in-the-cloud” solutions and overlap (and in some cases also compete in) the other security sectors that we’ll discuss in future blogs.
Recently, some products began to offer extensions into compliance, for example checking configurations against best-practices benchmarks such as CIS (Center for Internet Security), but that has not been the focus of CWPP – when most of those products were first conceived, the notion of a security posture or worse, compliance as it related to IT best practices, hadn’t come to fruition.
In our next post, we will take a look at Security Information and Event Management (SEIM), another solution which has been leveraged to protect cloud workloads.