What Is Cloud Workload Protection?
July 4, 2020
A shift to cloud computing among organizations of all sizes is well underway. The current rapid adoption of cloud workloads owes in large part to the way they allow developers to focus on innovation rather than having to reinvent common functionality. Today’s developers often reuse code from a variety of places like GitHub, and leverage cloud workloads to create and deliver applications with unprecedented speed. Additionally, small and medium-sized enterprises are not only migrating their on-premise workloads to the cloud but are also transforming legacy applications into cloud-native technologies. However, as cloud usage grows, so does the attack surface. This increases the need for new ways of securing applications and sensitive data. Among these, cloud workload protection platforms (CWPPs) comprise one of the latest and most important innovations in security.
What Exactly is a Cloud Workload?
Companies are moving workloads to the cloud for a variety of reasons. It allows them to adopt platforms that streamline everything from solution development to storing, analyzing, and accessing customer data. Consequently, over half of workloads already run in the cloud, and that share is expected to grow by 10% annually for the foreseeable future.
Transforming into digital businesses typically requires building applications on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP) and Kubernetes. In addition, DevSecOps in these public cloud services is a prime concern for any business that stores any form of sensitive customer data.
Moreover, developers of cloud-native applications spread workloads over numerous compute solutions, ranging from virtual machines (VMs) to containers to serverless computing. Alone or in combination, these enable cloud-native applications running on instances that can be spun up or down extremely rapidly. So, in essence, a cloud workload comprises whatever is running on one of these ephemeral instances at any particular moment.
According to Gartner, a Cloud Workload Protection Platform is a “workload-centric security solution that targets the unique protection requirements” of workloads in modern enterprise environments. Unlike endpoint protection and other security tools, cloud workload protection focuses on the securing workloads regardless of type or location.
Safely Navigating a Cloud-First Landscape
The superior speed and agility gained by shifting workloads to the cloud represents a huge benefit for application developers as well as business users. But along with it comes new cybersecurity challenges. For example, without adequate automation, how do you protect workloads running on an instance that may last just hours, or even minutes?
However, many security professionals have not fully grasped the risks posed by having critical data, business applications, and development hosted outside the firewall by a third-party vendor or linked across a network. Securing cloud workloads requires a different approach than protecting old-school assets in a data center or on virtual endpoints. An effective security posture in the cloud era requires understanding new threat vectors and how to protect these new cloud-based workloads.
One common misperception is that cloud providers take on the burden of protecting their customers’ workloads. In fact, according to the Oracle and KPMG Cloud Threat Report 2020, 75% of users feel that the cloud is more secure than their on-premise systems. But you can’t count on the cloud providers to do everything, and they cannot prevent your users and developers—or manual processes—from creating vulnerabilities.
To ensure strong cloud workload security, organizations first need to understand the new threat landscape. Cloud workloads represent a fundamental architectural and conceptual change from perimeter-protected applications. While these workloads used to live in on-premise data centers, they have now moved beyond this relatively safe harbor to reside across a diverse and highly connected architecture that is mostly out of the company’s control.
What is a Cloud Workload Protection Platform?
Worldwide adoption of public cloud infrastructure as a service (IaaS) is forecasted to grow from $51 Billion in 2020 to $82 Billion in 2022. With more small-and medium enterprises adopting public IaaS and hybrid/multi-cloud strategies comes heightened demand for cloud security and compliance.
However, the evolving best practices for securing virtual machines, containers, container orchestration platforms, and serverless workloads runs counter to conventional security thinking. Security and risk management leaders must address challenges related to hyper-dynamic cloud environments where rule-based and antivirus-centric tools aren’t adequate. As organizations increase their cloud-native footprints, they must also address security needs specific to the new cloud architectures and the technology stack.
Nonetheless, many organizations continue to deploy containers and serverless workloads without ensuring protection during development or at runtime. What is required to protect IT assets is a Cloud Workload Protection Platform. The ubiquity of Linux in the cloud further necessitates CWPP solutions to support Linux-based physical and virtual servers and vendor-specific Linux platforms. A CWPP should be designed around the mandatory requirement for Linux-based platforms to understand the container-context and interface with Docker and Kubernetes APIs. Developers are also rapidly adopting a secure container approach achieved by creating and onboarding cloud-native services and products using the Kubernetes ecosystem.
Requirements for effective cloud workload protection
Applications built on public cloud infrastructure are complex and change constantly. This makes securing cloud workloads and services at scale impossible when relying on manual tasks and disparate security point tools. This means a cloud workload protection platform must see and understand cloud changes at scale without requiring manual interventions by security teams every time a new cloud service or technology is adopted.
It should also run natively in the cloud and provide continuous build to run-time threat detection, behavioral anomaly detection, and compliance across multi-cloud environments, workloads, accounts, containers, and Kubernetes. This approach provides a single platform solution that will help DevOps and IT Security teams quickly develop applications, while staying safe during both build-time and run-time in their efforts to shift left.
It should also provide automated, continuous compliance checks to further ensure that cloud workloads are protected from misconfigurations—a major risk—and other inadvertent error conditions.
A CWPP must provide comprehensive security across everything from VMs to hybrid clouds
In today’s small and medium-sized enterprises, the infrastructure, data, and apps developed and run in the cloud comprise the foundation of a modern digital business. Consequently, cloud workload protection platforms must protect this infrastructure and the workloads that run on it from a variety of threats. First and foremost, look for a CWPP that is capable of protecting your cloud infrastructure and virtual machines. It must also support container-based application security. Finally, it needs to provide the requisite visibility and observability to monitor and protect public, private, or hybrid-cloud environments for threats.