This post was previously published on The New Stack
You’ve secured your cloud identities. You’ve hardened your cloud security posture. You’ve configured strong cloud access controls. But there’s still one more thing you need in order to secure your cloud environment: a cloud workload protection platform, or CWPP.
Cloud workload protection platforms secure the workloads that run on your cloud — which are distinct from the infrastructure, user identities and configurations that form the foundation of your cloud environment.
This article unpacks why a CWPP is a critical ingredient in any cloud security strategy. It explains how CWPPs work, identifies examples of workloads that you can secure with CWPPs and discusses the importance of automation within the context of a CWPP.
What Is Cloud Workload Protection?
Cloud workload protection is the practice of securing workloads that you deploy in the cloud. In other words, cloud workload protection mitigates risks that exist at the workload level of your cloud environment, as opposed to the infrastructure or configuration level.
The workloads in question could be software, data or a combination thereof that your organization hosts in the cloud. For example, cloud workload protection could apply to the operating system and application running in a cloud-based VM instance, or it could secure the data inside an object storage bucket.
What Is a CWPP?
Tools that provide cloud workload protection are often called cloud workload protection platforms, or CWPPs. Protecting cloud workloads is important because most other types of cloud security practices don’t address workload risks.
Cloud security posture management, or CSPM, alerts you to problems within cloud infrastructure configurations that could create security issues, like IAM policies that provide public access to sensitive data. But CSPM doesn’t cover configuration risks within workloads, such as a lack of encryption for data as it moves within an application.
Likewise, you can track cloud metrics and logs to identify potential security threats. But that data originates mostly from cloud IaaS providers, not individual applications, so it does little to reveal security risks that are specific to applications or data you’ve deployed in the cloud.
CWPP solutions fill these gaps by ensuring that you can protect the code and data that actually run on your cloud, not just the underlying cloud environment.
It’s also worth noting that cloud workload protection platforms help you secure workloads across multiple clouds. Because CWPPs focus on your workload rather than the cloud that hosts it, you can use cloud workload protection to identify security risks in any type of cloud-based workload, even as it moves across clouds.
CWPPs at Work: Some Examples
To contextualize cloud workload protection further, consider how it applies in the following domains.
When you deploy cloud workloads using containers, you must address special security challenges. You need to make sure that containers can’t run in privileged mode, for example. You must also scan container images for malware.
Cloud workload protection for containers ensures that you have the specific processes in place that are required to protect containerized workloads, independent of other security processes that you apply to your cloud environment.
Kubernetes, too, poses a variety of special security challenges that can only be addressed at the workload level. You must ensure that Kubernetes role-based access control policies and security contexts are configured properly, for instance. You should also use Kubernetes audit logs to monitor for potential security risks that arise within your Kubernetes environment.
Virtual Machine Security
Even if your cloud VM service is properly configured, security issues may lurk inside your VMs. The images you use could contain malware, or just configurations (like the absence of a kernel hardening framework) that lead to a weak security posture. Cloud workload protection alerts you to these risks.
Vulnerabilities can arise in any number of places across a cloud environment — within applications, within operating systems, within container images and so on.
Cloud workload protection lets you scan for vulnerabilities across all components and layers of your workloads. Think of it as one-stop shopping for vulnerability discovery and management at the workload level, regardless of which workloads you run or which clouds host them.
Serverless functions abstract applications from the underlying server environment, which reduces potential attack surfaces. But the functions themselves could still contain vulnerabilities. They could also be configured in ways that increase risks. Cloud workload protection automatically discovers problems like these within serverless functions.
Cloud-based applications come in many forms, but they can all contain security risks — such as malware, vulnerable software components and a lack of security controls like encryption. By scanning applications for risks like these, cloud workload protection helps ensure application security across your cloud environment.
Choosing a Cloud Workload Protection Platform
When integrating cloud workload protection into your cloud security strategy, strive to implement a solution that is:
- Fully automated, because you can’t feasibly manage workload-level security risks by hand.
- Cloud-agnostic, so you can deploy to secure any workload on any cloud.
A service such as Torq.io meets both of these requirements. It lets anyone – not just cybersecurity experts, but any member of your organization – define security rules that workloads must meet. Then Torq automatically and continuously scans your cloud workloads for deviation from these rules.
The result is fully secure and automated cloud workload protection, no matter how your cloud environment is configured or what you run on it.