The cloud security solutions market is growing rapidly, and there are many types of solutions to support your specific business needs. But figuring out the right tool—let alone the right type of tool—can be difficult. Gartner has five security archetypes that fall under the broader cloud security management platform umbrella. This article gives a quick look into the CWPP archetype:
- Cloud Access Security Broker (CASB)
- Cloud Workload Protection Platform (CWPP)
- Cloud Security Posture Management (CSPM)
- Cloud Infrastructure Entitlement Management (CIEM)
- Cloud-Native Application Protection Platform (CNAPP)
What is a cloud workload protection platform (CWPP)?
According to Gartner, CWPPs are workload-centric security offerings that target the unique protection requirements of workloads in modern hybrid, multi-cloud data center architectures. In plain english, CWPPs help organizations protect their capabilities or workloads (applications, resources, etc.) running in a cloud instance. CWPP capabilities vary across vendor platforms but typically include functions like system hardening, vulnerability management, host-based segmentation, system integrity monitoring, and application allow lists. CWPPs enable visibility and security control management across multiple public cloud environments from a single console.
Gartner divides CWPP vendors into eight categories:
- Broad, Multi-OS Capabilities
- Vulnerability Scanning, Configuration, and Compliance Capabilities
- Identity-Based Segmentation, Visibility, and Control Capabilities
- Application Control/Desired State Enforcement Capabilities
- Memory and Process Integrity/Protection Capabilities
- Server EDR, Workload Behavioral Monitoring, and Threat Detection/Response Capabilities
- Container and Kubernetes Protection Capabilities
- Serverless Protection Capabilities
In its 2020 Market Guide for Cloud Workload Protection Platforms, Gartner states that workloads are becoming more granular—with shorter life spans—as organizations continue to adopt DevOps-style development patterns, with multiple iterations deployed per week or even per day. The best way to secure these rapidly changing and short-lived workloads is to take a proactive approach. By incorporating security via DevSecOps through the use of Infrastructure as Code (IaC) templates, pre-deployment vulnerability management and code scanning, workloads are protected from the very beginning.
When should you use cloud workload protection platforms (CWPPs)?
Gartner states that the best possible context for a CWPP is a single-provider IaaS, particularly where there are requirements for additional security capabilities to protect workloads.
Benefits and limitations
- Provide visibility into and control over workloads.
- Provide comprehensive protection against workload risks deployed in IaaS. This is significant because workloads are difficult to protect, and as more organizations adopt container-based service deployments, the difficulty of protecting workloads will persist.
- Can alert and escalate issues; local policy scripting at the workload level permits posture changes, such as firewall changes and application whitelist changes.
- Lack identity and access management (IAM) functions.
- Cannot provide overall risk management services across all cloud deployments.
- Cannot perform event monitoring outside of workloads.
For a deeper dive into Gartner’s cloud security archetypes, read: A Practical Guide to Gartner’s Cloud Security Archetypes.