TNS
VOXPOP
How has the recent turmoil within the OpenAI offices changed your plans to use GPT in a business process or product in 2024?
Increased uncertainty means we are more likely to evaluate alternative AI chatbots and LLMs.
0%
No change in plans, though we will keep an eye on the situation.
0%
With Sam Altman back in charge, we are more likely to go all-in with GPT and LLMs.
0%
What recent turmoil?
0%
Cloud Native Ecosystem / Security

Seamlessly Secure Your Cloud Workloads

A look at how cloud workload protection programs (CWPPs) work, examples of workloads that you can secure and the importance of automation.
Apr 1st, 2022 9:00am by
Featued image for: Seamlessly Secure Your Cloud Workloads
Featured image via Pixabay

Chris Tozzi
Chris Tozzi has worked as a Linux systems administrator and freelance writer. He has more than 10 ten years of experience covering the tech industry, especially open source, DevOps, cloud native technology and security.

You’ve secured your cloud identities. You’ve hardened your cloud security posture. You’ve configured strong cloud access controls. But there’s still one more thing you need in order to secure your cloud environment: a cloud workload protection platform, or CWPP.

Cloud workload protection platforms secure the workloads that run on your cloud — which are distinct from the infrastructure, user identities and configurations that form the foundation of your cloud environment.

This article examines why a CWPP is a critical ingredient in any cloud security strategy. It explains how CWPPs work, identifies examples of workloads that you can secure with CWPPs and discusses the importance of automation within the context of a CWPP.

What Is Cloud Workload Protection?

Cloud workload protection is the practice of securing workloads that you deploy in the cloud. In other words, cloud workload protection mitigates risks that exist at the workload level of your cloud environment, as opposed to the infrastructure or configuration level.

The workloads in question could be software, data or a combination thereof that your organization hosts in the cloud. For example, cloud workload protection could apply to the operating system and application running in a cloud-based VM instance, or it could secure the data inside an object storage bucket.

What Is a CWPP?

Tools that provide cloud workload protection are often called cloud workload protection platforms, or CWPPs. Protecting cloud workloads is important because most other types of cloud security practices don’t address workload risks.

Cloud security posture management, or CSPM, alerts you to problems within cloud infrastructure configurations that could create security issues, like IAM policies that provide public access to sensitive data. But CSPM doesn’t cover configuration risks within workloads, such as a lack of encryption for data as it moves within an application.

Likewise, you can track cloud metrics and logs to identify potential security threats. But that data originates mostly from cloud IaaS providers, not individual applications, so it does little to reveal security risks that are specific to applications or data you’ve deployed in the cloud.

CWPP solutions fill these gaps by ensuring that you can protect the code and data that actually run on your cloud, not just the underlying cloud environment.

It’s also worth noting that cloud workload protection platforms help you secure workloads across multiple clouds. Because CWPPs focus on your workload rather than the cloud that hosts it, you can use cloud workload protection to identify security risks in any type of cloud-based workload, even as it moves across clouds.

CWPPs at Work: Some Examples

To contextualize cloud workload protection further, consider how it applies in the following domains.

Containers

When you deploy cloud workloads using containers, you must address special security challenges. You need to make sure that containers can’t run in privileged mode, for example. You must also scan container images for malware.

Cloud workload protection for containers ensures that you have the specific processes in place that are required to protect containerized workloads, independent of other security processes that you apply to your cloud environment.

Kubernetes Security

Kubernetes, too, poses a variety of special security challenges that can only be addressed at the workload level. You must ensure that Kubernetes RBAC policies and security contexts are configured properly, for instance. You should also use Kubernetes audit logs to monitor for potential security risks that arise within your Kubernetes environment.

VM Security

Even if your cloud VM service is properly configured, security issues may lurk inside your VMs. The images you use could contain malware or just configurations (like the absence of a kernel hardening framework) that lead to a weak security posture. Cloud workload protection alerts you to these risks.

Vulnerability Scanning

Vulnerabilities can arise in any number of places across a cloud environment — within applications, within operating systems, within container images and so on.

Cloud workload protection lets you scan for vulnerabilities across all components and layers of your workloads. Think of it as one-stop shopping for vulnerability discovery and management at the workload level, regardless of which workloads you run or which clouds host them.

Serverless Security

Serverless functions abstract applications from the underlying server environment, which reduces potential attack surfaces. But the functions themselves could still contain vulnerabilities. They could also be configured in ways that increase risks. Cloud workload protection automatically discovers problems like these within serverless functions.

Application Security

Cloud-based applications come in many forms, but they can all contain security risks — such as malware, vulnerable software components and a lack of security controls like encryption. By scanning applications for risks like these, cloud workload protection helps ensure application security across your cloud environment.

Choosing a Cloud Workload Protection Platform 

When integrating cloud workload protection into your cloud security strategy, strive to implement a solution that is:

  • Fully automated, because you can’t feasibly manage workload-level security risks by hand.
  • Cloud-agnostic, so you can deploy to secure any workload on any cloud.

A service such as Torq.io meets both of these requirements. It lets anyone — not just cybersecurity experts, but any member of your organization — define security rules that workloads must meet. Then Torq automatically and continuously scans your cloud workloads for deviation from these rules.

The result is fully secure and automated cloud workload protection, no matter how your cloud environment is configured or what you run on it.

Group Created with Sketch.
TNS owner Insight Partners is an investor in: Pragma, Torq.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.