Applications today are more dynamic and more distributed across data centers and clouds (public, private and hybrid). These diverse infrastructures create a larger attack surface and a higher risk of breaches.
A traditional, perimeter-based security approach no longer suffices. Today organizations need a whole new approach to tackle these complex security issues.
Cloud security is becoming a broader and more complex topic by the day. Earlier, before cloud security became mainstream, the CSA (Cloud Security Alliance) defined only 14 different cloud security threats. Later, Gartner came up with 3 categories of cloud security tools that together cover almost every known threat in cloud security: CASB, CWP, and CSPM (Cloud Security Posture Management). I will discuss the differences between these tools in the later part of this blog.
So, what is a CWP Platform?
As Gartner defines it – “CWPP is host-centric solutions that target the unique requirements of server workload protection in modern hybrid data center architectures”
In other words, CWP provides a cloud-based security solution that protects instances on AWS, Microsoft Azure, and Google Cloud Platform (GCP). Cloud Workload Protection dynamically scales to protect instances as they scale up or down. It is a common belief among security leaders that IaaS providers (AWS, Azure, GCP, etc.) are solely responsible for the security of an organization’s workloads, which is not completely true. Under the shared responsibility model, particularly for IaaS, organizations remain responsible for the security of their cloud-based workloads. These workloads could be anything, whether a web server, a container, a virtual machine or a web app hosted in the cloud.
Why can’t traditional security be applied?
- Traditional security such as endpoint security is not as agile as the cloud’s elastic nature. Imagine infrastructure as code, where you can create or delete an entire data center with just a few lines of code.
- Traditional security does not offer flexible pay-for-use pricing; pay-for-use and annual subscription pricing models support agile business planning.
- An ideal CWP tool protects multi-cloud and hybrid cloud environments from a single console, which is not the case with traditional security.
Why is CWP a must-have for hybrid infrastructure?
- Developers are embracing the reusability features of programming languages, and since they are often not aware of the security best practices required for cloud services, their code and applications are attracting more attackers.
- In the security world, it is said: you can’t protect what you can’t see! The scalability and agility of the cloud make the infrastructure more prone to attack, so granular visibility across the infrastructure is a basic requirement. In addition, as Gartner recognizes, an ideal CWP comes with the 8 core capabilities listed below –
- Hardening, configuration, and vulnerability management
- Network firewalling, visibility, and micro-segmentation
- System integrity assurance
- Application control/whitelisting
- Exploit prevention/memory protection
- Server workload EDR, behavioral monitoring, and threat
- Host-based IPS with vulnerability shielding
- Anti-malware scanning
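As an added example (not code from the original post), here is a minimal file-integrity check in Python in the spirit of the "system integrity assurance" and "hardening" capabilities above: it baselines file hashes and permission bits under a directory, then reports drift. The directory tree, file names and tampering scenario are constructed for the demo.

```python
# Added example (not from the original post): a minimal system integrity check of
# the kind a CWP agent performs. It baselines file hashes and permission bits under
# a directory, then reports added, removed, modified and re-permissioned files.
# The tree below is constructed in a temporary directory so the example runs offline.
import hashlib
import stat
import tempfile
from pathlib import Path


def build_baseline(root: Path) -> dict[str, tuple[str, int]]:
    """Map each file (relative to root) to (sha256 hex digest, permission bits)."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        baseline[path.relative_to(root).as_posix()] = (digest, stat.S_IMODE(path.stat().st_mode))
    return baseline


def compare_baseline(old: dict, new: dict) -> dict[str, list[str]]:
    """Classify drift; 'mode' catches chmod-only changes that a hash check misses."""
    report = {"added": [], "removed": [], "modified": [], "mode": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel][0] != new[rel][0]:
            report["modified"].append(rel)
        elif old[rel][1] != new[rel][1]:
            report["mode"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, then change it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "httpd").write_bytes(b"original binary")
        (root / "app.conf").write_text("listen 443\n")
        (root / "app.conf").chmod(0o644)
        before = build_baseline(root)
        (root / "bin" / "httpd").write_bytes(b"replaced binary")  # content changed
        (root / "app.conf").chmod(0o666)                          # made world-writable
        (root / "bin" / "extra").write_bytes(b"unexpected file")  # file added
        return compare_baseline(before, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```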
Understanding the differences between CASB, CSPM, and CWPP – You might be wondering what the core difference is between CASB (Cloud Access Security Broker), CWP and CSPM (Cloud Security Posture Management). Please have a look at the Gartner picture below, which clearly depicts the security posture covered by each of these three tools.
CASB is the most crucial of these tools: it protects the major part of SaaS and parts of IaaS and PaaS, whereas CWPP and CSPM concentrate mainly on securing IaaS (workloads). You can click on the link above to read more about CASB in my other blog.
How to approach implementing CWP
Before we start understanding the implementation of CWP, let’s try to understand the criticality of security in cloud workloads from the image below.
As we can see from the image, a good approach is a bottom-to-top one: the foundational part should be covered first, followed by operational hygiene.
There are many vendors offering CWP tools with great capabilities. Before choosing a vendor, security leaders should do a thorough assessment of what is critical to secure in their infrastructure, as different organizations may need different solutions. Please keep in mind that not all CWP products are capable of covering all 8 domains of Gartner’s CWP definition.
This is where I believe it is time to discuss –
Evaluation Criteria for CWPP Tools
Many applications and services run over cloud storage (S3 buckets or Azure storage). Over time, these storage locations can become contaminated with malware or misconfigured, leaving data vulnerable to breaches. A CWP tool should be capable of protecting hybrid cloud workloads from a single console. Security leaders should make sure to check the below-mentioned criteria when evaluating a CWPP vendor:
- Diversity of Workload Types Supported – should support and provide robust security across multi-cloud and hybrid cloud data center environments.
- Console and Integrations – integration with multi-cloud infrastructure and IaaS providers (Azure, AWS, GCP or Oracle Cloud) should be easy.
- Integration into the Development Pipeline – integration into the CI/CD pipeline should be easy to implement.
- Licensing Flexibility – flexible payment plans such as pay-as-you-go, no upfront cost, and cost optimization features are recommended.
- Use of Analytics and Machine Learning.
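As an added example (not from the original post or any vendor's product), the following Python posture check shows the storage-misconfiguration point above in practice: it inspects constructed bucket descriptions shaped like the fields AWS returns for public access block settings, ACL grants, bucket policy and default encryption, and flags what would leave data exposed. The bucket contents, IDs and ARNs are placeholders.

```python
# Added example (not from the original post): a CWP/CSPM-style posture check for
# object storage, run offline over constructed bucket descriptions shaped like the
# fields AWS returns (PublicAccessBlock, ACL grants, bucket policy, encryption).
import json

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def principal_is_public(principal) -> bool:
    """'*' or {"AWS": "*"} (possibly inside a list) means anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def check_bucket(bucket: dict) -> list[str]:
    """Return findings for one bucket; an empty list means nothing was flagged."""
    findings = []
    if not all(bucket.get("public_access_block", {}).get(k) for k in PAB_KEYS):
        findings.append("public access block not fully enabled")
    for grant in bucket.get("acl_grants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to a public group")
    # Allow statements open to any principal with no Condition are flagged;
    # conditional ones (VPC endpoint, source IP) are left for manual review.
    for stmt in json.loads(bucket.get("policy") or "{}").get("Statement", []):
        if (stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(f"policy allows {stmt.get('Action')} to any principal")
    if not bucket.get("default_encryption"):
        findings.append("default encryption not configured")
    return findings


# Constructed sample buckets (not real resources); IDs are placeholders.
EXPOSED_BUCKET = {
    "public_access_block": {"BlockPublicAcls": False, "BlockPublicPolicy": True,
                            "IgnorePublicAcls": False, "RestrictPublicBuckets": True},
    "acl_grants": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
    "policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                                         "Action": "s3:GetObject", "Resource": "*"}]}),
    "default_encryption": None,
}
HARDENED_BUCKET = {"public_access_block": dict.fromkeys(PAB_KEYS, True), "policy": None,
                   "acl_grants": [{"Grantee": {"ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}],
                   "default_encryption": "aws:kms"}
```

Running `check_bucket` over each sample returns the four findings for the exposed bucket and an empty list for the hardened one.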
In brief, the ideal CWP should be as close as possible to Gartner’s defined CWP along with the other CWPP market adjacencies.
[This marks the end of this blog post. I hope you now have a better understanding of what CWP is, its capabilities, and how to use it. We wish you good luck on your journey!]