Cloud Workload Protection is the process of keeping workloads that move across different cloud environments secure. The entire workload must be functional for a cloud-based application to work properly without introducing any security risks. Cloud workload security and workload protection for app services are therefore fundamentally different from application security on a desktop machine.
Cyber criminals are increasing the number of ransomware attacks and targeting enterprises. As cloud computing infrastructures proliferate, vulnerabilities increase. Security strategies that rely on preventative endpoint protection, or limiting access to endpoint devices, are missing what is happening in the cloud. To defend themselves against cyber attacks, businesses using private and public clouds need to focus on protecting themselves from harm at the workload level, not just at the endpoint.
A workload consists of all of the processes and resources that support an application and the interactions with it. In the cloud, the workload includes the application, the data generated by or entered into an application, and the network resources that support a connection between the user and the application. A cloud-based application will not function properly if any part of the workload is compromised.
Workload security is especially complicated in hybrid data center architectures that employ everything from physical, on-premises machines to multiple public cloud infrastructure as a service (IaaS) environments to container-based application architectures. Cloud workload security is particularly complex because as workloads pass among multiple vendors and hosts, the responsibility for protecting the workload must be shared.
Gartner defines a cloud workload protection platform (CWPP) as a technology solution “primarily used to secure server workloads in public cloud infrastructure as a service environments.” CWPPs allow multiple public cloud providers and customers to ensure that workloads remain secure when passing through their domain.
There are two main ways to protect workloads with CWPP: micro-segmentation and bare metal hypervisors.
Micro-segmentation: One way to ensure workloads are protected is by implementing a network security technique called micro-segmentation. With micro-segmentation, security architects divide the data center into distinct security segments down to the individual workload level, and then define security controls for each segment. Network virtualization technology takes the place of physical firewalls and allows micro-segmentation to define flexible security policies that isolate and protect individual workloads. While endpoint protection is designed to keep threats from entering an environment, micro-segmentation prevents malware from migrating from server to server within the environment.
Bare metal hypervisor: A bare metal hypervisor may offer additional workload protection. A hypervisor is a type of virtualization software that supports the creation and management of virtual machines by separating a computer’s software from its hardware. A bare metal hypervisor is installed directly on the hardware of a physical machine, between the hardware and the operating system. Because a hypervisor creates virtual machines that are isolated from each other, if one virtual machine has a problem or is attacked, the issue is isolated to that server, meaning that workloads on the other virtual machines are not affected.
Some CWPP solutions support hypervisor-enabled security layers that are specifically designed to protect cloud workloads.
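The micro-segmentation approach described above can be modeled as a default-deny allow-list evaluated per workload. The following is an added example, not code from any CWPP product; the workload names, segment labels, ports and function names are all constructed for illustration. It compares what a single compromised workload could reach under the policy with what it could reach on a flat, unsegmented network.

```python
from dataclasses import dataclass

# Constructed inventory: workload name -> segment label (hypothetical names).
WORKLOADS = {
    "web-1": "web",
    "web-2": "web",
    "app-1": "app",
    "db-1": "db",
    "batch-1": "batch",
}

@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    port: int

# Allow-list of east-west flows. Anything not listed is denied,
# including traffic between two workloads in the same segment.
POLICY = {
    Rule("web", "app", 8443),
    Rule("app", "db", 5432),
}

def is_allowed(src, dst, port, workloads=WORKLOADS, policy=POLICY):
    """Default-deny decision for one flow between two workloads."""
    if src not in workloads or dst not in workloads:
        return False  # unknown workloads get no implicit trust
    return Rule(workloads[src], workloads[dst], port) in policy

def reachable(start, workloads=WORKLOADS, policy=POLICY):
    """Workloads reachable from `start` over any chain of allowed flows."""
    ports = {r.port for r in policy}
    seen, frontier = {start}, [start]
    while frontier:
        cur = frontier.pop()
        for dst in workloads:
            if dst not in seen and any(
                is_allowed(cur, dst, p, workloads, policy) for p in ports
            ):
                seen.add(dst)
                frontier.append(dst)
    return seen - {start}

def flat_network_reachable(start, workloads=WORKLOADS):
    """Baseline without segmentation: every workload can reach every other."""
    return set(workloads) - {start}
```

Reviewing the output of `reachable` for each workload shows which allow rules widen the exposure of sensitive segments, which is the information a policy review needs before a rule is added.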
Application security on a desktop refers to applications that are deployed locally, with one user accessing each instance of the application. The only security holes in desktop applications are vulnerabilities within the application code; the rest of the environment can be ignored. Historically, IT organizations could ensure the security of applications by securing the desktop and preventing threats from reaching it.
Cloud-based applications require a different form of application security. The abstraction between the user and the application creates more opportunities for vulnerabilities, especially if an organization does not control part of the environment by using the public cloud. Because a cloud-based application cannot work without all of the parts of the workload functioning correctly, businesses must secure and monitor each part of the workload, not just the application.
The challenge of cloud-based applications is that a workload may move through several different environments, each owned and protected by different vendors and technologies. CWPPs can provide workload protection across these environments. There are many benefits to implementing workload protection through a CWPP:
Workload behavior monitoring: Monitoring workload behavior is an important part of cloud workload protection. CWPPs provide two important aspects of workload security through workload monitoring: detection and response. By monitoring workload behavior, a CWPP can detect an intrusion anywhere that it is happening and send out an alert.
Visibility into and ability to configure workloads: Seeing what is happening in individual workloads and being able to configure those workloads to manage vulnerabilities is an important aspect of workload protection.
Consolidated log management and monitoring: When each part of the workload has a different security technology associated with it, it can be time consuming to monitor all of them. A CWPP provides a single pane of glass that shows what is happening with every part of the workload in every environment.
System hardening and vulnerability management: A CWPP may be able to help you eliminate potential attack vectors by identifying superfluous applications, permissions, programs, accounts, functions, code, and so on that could pose security risks.
Memory protection: Memory protection, included in only a few CWPPs, is an emerging security control that is gaining importance as hackers develop new techniques to exploit weaknesses in memory and easily bypass traditional security methods.
Up-to-date threat intelligence: Some CWPPs share threat intelligence across their customer base, providing an early warning system for new threats.
The security landscape continues to evolve, and legacy security systems are no longer sufficient for organizations that are using the cloud as part of their computing infrastructure. Businesses need to plan for workload protection across multiple cloud environments. A cloud workload protection platform can provide visibility into multiple environments while consolidating and acting on security alerts from one dashboard.