CWPP Security 101
November 18, 2019
Key Insights into Gartner’s 2019 Cloud Workload Protection Platform (CWPP) Market Guide
Gartner’s 2019 CWPP Market Guide highlights the burgeoning shift towards public cloud IaaS and containers, driving new requirements for securing cloud workloads. Gartner’s recommendations underscore the need for cloud workload protection platforms (CWPP) in addressing the unique and dynamic requirements of multicloud and containerized environments. In the report, Gartner acknowledged Lacework as a representative CWPP vendor.
Rapidly Evolving Cloud Workload Security Landscape
Currently, enterprises are increasingly opting for container-based applications and serverless PaaS. These offer significant business benefits, although, at the cost of new risk exposures.
As more enterprises adopt containers and public cloud IaaS, the need to comprehensively secure cloud workloads increases all the more. However, Gartner’s findings show that currently there are many organizations that continue to deploy containers and serverless workloads without ensuring protection during development or at runtime.
The evolving requirements to secure virtual machines, containers, orchestration platforms, and serverless workloads defy conventional security thinking. Security and risk management leaders must address challenges related to hyper-dynamic cloud environments where rule-based and antivirus-centric tools aren’t adequate. Moreover, as organizations increase their cloud-native footprint, they must address security needs specific to the new cloud architectures and the technology stack.
Gartner defines CWPP as solutions that cater to these unique protection requirements of server workloads in single, hybrid, and multicloud data center architectures.
A CWPP is expected to provide consistent visibility and control for physical servers and VMs, containers, and serverless workloads, regardless of location and size. As organizations adopt DevOps-style execution patterns, cloud workloads are becoming more granular with shorter life spans (as illustrated in figure 1). CWPP solutions have to factor in the dynamic lifespan and the increasing granularity of cloud workloads.
Figure 1: Increasing granularity and abstraction of cloud workloads
Key Insights Into Cloud Workload Protection Platforms (CWPP)
Gartner’s market guide provides some key insights into evaluating CWPP solutions. According to the report, securing cloud workloads involves a combination of network segmentation, system integrity protection, application control, behavioral monitoring, host-based intrusion prevention, and optional anti-malware protection.
Some CWPP vendors incorporate the full-stack of capabilities in their products, while others incorporate only a few layers of the stack. In the CWPP world, the below considerations can provide helpful guidance to evaluate them for your business use case.
Support for Diverse Workload Types
The ubiquity of Linux in the cloud mandates CWPP solutions to support Linux-based physical and virtual servers and vendor-specific Linux platforms (e.g. AWS Linux). It is a mandatory market requirement for Linux-based platforms to understand the container-context and interface with Docker and Kubernetes APIs.
The platform also needs to support security for workloads in newer architectures using microservices and container-as-a-service. In addition to explicit support for Kubernetes, support for managed Kubernetes services like Amazon Elastic Container Service for Kubernetes (Amazon EKS), Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE), etc. is important. Managed orchestration-as-a-service architectures are also becoming popular with AWS Fargate and Azure Container Instances (ACI), etc.
The security paradigm for serverless applications is somewhat different. Some CWPP vendors may already have hooks for serverless functions to future-proof their solution.
Application of Machine Learning and Analytics
In dynamic cloud environments, solutions using behavior-based machine learning offer a scalable approach to reliably detect and prevent threats. These platforms first create a baseline of normal behavior for cloud workloads. Continuous runtime monitoring and advanced machine learning algorithms can detect anomalies and flag potential threats.
Machine learning can also be used instead of signatures for static analysis of code to detect malware before the code is executed.
Ease of Visualization and Management
Superior visualization simplifies triage and forensics. A holistic view of the runtime environment coupled with the ability to group workloads makes it easier to drill down into a problematic workload for root-cause analysis.
In multicloud environments, if your CWPP management console can interface with APIs from AWS, Azure, Google, and others, then you may efficiently leverage the programmatic features of the underlying cloud platform.
DevSecOps Integration is Crucial to Protect Workloads
The increasing shift to cloud-native application development requires security to shift-left and integrate with the development (DevSecOps) cycle.
As organizations adopt DevOps-style execution, early integration of security is helpful to proactively protect workloads before they are deployed. As such, the CWPP solution needs to integrate with native CI/CD tools such as Ansible, Chef, Jenkins, Puppet, etc., and also IaaS provider’s DevOps tools (AWS CodePipeline, Azure DevOps, etc.) in public cloud environments.
In dynamic container environments, from a user standpoint, endpoint or device-based licensing for protection is suboptimal. Licensing based on every workload-OS protected provides a more dynamic way to track the cost of protection as workloads are spun up and down based on demand. More granular pricing, such as per VM per minute are also offered by some CWPP vendors.
Threat-Detection: Network vs. Host-Based
Network-based intrusion detection systems (IDS) can’t provide visibility into inter-VM or inter-container traffic. Since traffic is terminated at the host workloads, a host-based IDS which can monitor inter-process traffic is a better architectural option for workload protection.
In the market guide, Gartner states:
“In public cloud IaaS, workload-centric host-based CWPP solutions provide an easier architectural option for enforcing security policy than traditional in-line network-based security controls. Workload-based offerings automatically scale-out and back as the number of workloads increases and decreases.”
A host-based IDS can monitor process hierarchy, process and machine communications, any changes in user privileges, internal and external data transfers, and all other cloud activity.
Lacework Secures Cloud Workloads Comprehensively
The Lacework cloud workload protection platform is a next-gen solution to comprehensively secure cloud workloads. Lacework’s container-aware approach to cloud security overcomes the drawbacks of traditional security using the network and endpoint-based point solutions.
It is impossible to manage cloud workloads with finer granularity and diminishing lifespans with human-centric security. The Lacework platform automates security for the entire application lifecycle and across all layers of the technology stack. After automatically establishing a behavioral baseline for each workload, Lacework continuously monitors communications, launches and other cloud runtime behaviors, and uses unsupervised machine learning to detect and accurately alert abnormal behaviors in real-time.
Gartner recommends deep visibility into workload behaviors as a key CWPP capability. Lacework functions at the process-level which maximizes visibility into events, communication, new connections, and images across containers, workloads and the orchestration layer. Since the events are logged at the process level, the logs continue to persist even when the containers are torn down – an essential capability to triage ephemeral workloads.
Lacework’s fully-automated, continuous compliance checks ensure that cloud workloads are protected from misconfigurations and other inadvertent error conditions. During the pre-build stage, Lacework scans through the containers stored in the cloud to detect known vulnerabilities (CVEs), misconfigurations, malware, unnecessary code, etc. What’s unique about Lacework’s approach is that it integrates the findings in development to add the security context at runtime.
Figure 3: Lacework platform for comprehensive protection
Gartner predicts by 2022, 60% of server workloads will use application control in lieu of antivirus, which is an increase from 35% at YE18. Lacework is well-positioned to address this shift in the cloud security landscape. Lacework’s cloud workload protection platform offers the benefits of a single security solution to protect diverse cloud workloads from the time they are built, tested, deployed all the way through runtime.
Photo by Siberian Art on Shutterstock.