As companies deployed multiple workloads in the cloud, those with networking background began to question whether existing security was naturally extensible to these new workloads. Security vendors responded with CWPP – Cloud Workload Protection Platforms.
These solutions are defined as work-load centric security protection solutions. They usually deploy an agent and address server workload protection in hybrid architectures. An example would be a hybrid data center with both on-premises or physical and virtual machines, and potentially multi-cloud IaaS infrastructures. Most also support container-based application architectures (i.e., Docker and Kubernetes). So far, sounds perfect.
The notion behind CWPP is that focusing on application security misses the broader context of cloud workloads, where deployment, monitoring, and security are all aspects of deploying workloads in the cloud. This includes items like data served to and generated by the application and network resources required to connect users and the application.
Protection for cloud workloads is based on the analysis of the security for all the components involved in running your workloads. If you look at a typical cloud workload – and note, a cloud workload is more than just the application at the core of it – most of them involve multiple layers of “networking,” many of which may simply be moving data from one user or access point to another but there is going to be some element which is exposed to the public internet, even if that is simply Secure Remote Access.Cloud Workload Protection Platform (CWPP) products are designed to protect the workload and not the vulnerabilities in the #application code itself. More details in this Rich Turner series on cloud security.Click To Tweet
Therefore, CWPP products focus their attention on protecting the workload itself, versus any vulnerabilities in the application code itself. While many of the vendors offering CWPP solutions came from the endpoint security sector, many others are “born-in-the-cloud” solutions and overlap (and in some cases also compete in) the other security sectors that we’ll discuss in future blogs.
Recently, some products began to offer extensions into compliance, for example checking configurations against best-practices benchmarks such as CIS (Center for Internet Security), but that has not been the focus of CWPP – when most of those products were first conceived, the notion of a security posture or worse, compliance as it related to IT best practices, hadn’t come to fruition.
In our next post, we will take a look at Security Information and Event Management (SEIM), another solution that has been leveraged to protect cloud workloads.
Rich est directeur marketing pour les produits de cloud public chez Barracuda. Il a rejoint l'équipe dans le cadre de l'acquisition de C2C Systems en 2014. Rich est l'un des experts du cloud public de Barracuda. Il travaille directement sur les écosystèmes cloud et est cité dans des ebooks de Microsoft sur la sécurisation du cloud public. Il est également contributeur régulier des blogs thématiques sur le cloud de Barracuda. Dans le cadre de notre travail sur le cloud, il aide au développement de stratégies et à leur exécution avec nos partenaires et nos équipes commerciales.
Vous pouvez contacter Rich par e-mail à l'adresse firstname.lastname@example.org.