Cloud Workload Protection
Stay fast & secured through your dynamic day-to-day.
Go Beyond Legacy Solutions
We at GlobalDots hunt for the most cutting-edge and relevant technologies out there.
Once tested and found qualified, we bring you the most certified innovative products out there for every pressing use case.
Your Benefits
Eliminate alert fatigue by putting an end to unimportant or unactionable alerts. We promote configurable, heavily-automated solutions which will proactively handle most scenarios, and will only flag what truly requires your attention.
Take no prisoners. Sophisticated, cross-infrastructure solutions mean early detection of attack attempts, applying smart correlation of seemingly unrelated, sporadic events along with suggestions for effective, timely remediation.
Take one liability off your plate with quick, automated reporting, compliant with PCI DSS, ISO 27001, SOC2, and more, which apply to both enterprises and enterprise vendors.
ML-based solutions quickly adjust to “new normals” in terms of each team’s work practices, with little or no need to reconfigure. This means fewer workflow interruptions, and less daily maintenance for you.
Least Privilege, Zero Sweat: Protecting Cloud Workloads from 2021's Security Threats
GlobalDots has harnessed its 17-year industry experience to formulate the 4 critical factors for an effective, scalable Cloud Workload Protection solution.
Can a CSPM (Cloud Security Posture Management) or a CWPP (Cloud Workload Protection Platform) solution help with compliance requirements?
Yes, a CSPM or CWPP solution should provide compliance reports showing how the current configuration and permissions of cloud resources compare to common compliance standards such as SOC2, ISO-27001, PCI-DSS and more, and which gaps need to be treated in order to reach 100% compliance.
What are the key capabilities a CSPM (Cloud Security Posture Management) or a CWPP (Cloud Workload Protection Platform) solution should have?
A CSPM or CWPP solution should have the ability to easily integrate into the company’s cloud environments, independently learn and analyze the current situation, and provide hardening recommendations for the cloud resources and user permissions. In addition, it should have the ability to detect, correlate and block data breach attempts by malicious actors.
What are the security challenges a CSPM (Cloud Security Posture Management) or a CWPP (Cloud Workload Protection Platform) solution aims to solve?
The main security challenges a CSPM or CWPP solution aims to solve are excessive permissions of employees, misconfigurations of cloud workloads and resources, and the detection of data breach attacks early in the attacker kill chain.
What is a cloud workload protection platform (CWPP)?
A cloud workload protection platform is a solution specifically designed to protect resources in (mostly) public clouds such as AWS, Azure, GCP and Oracle. Features can differ wildly depending on the vendor, but overall the idea is to secure your cloud in the following ways:
- Visibility – Provides a real time insight into what is running in the cloud
- Misconfigurations – Looking for poor security, for example leaving data buckets open to the public
- Vulnerability – Scanning your workloads for known weaknesses and exploits
- Threat detection – Using machine learning and behavioral analytics to highlight suspicious activity in your cloud estate
- Compliance & reporting – Ensuring your workloads are compliant with certain standards, like ISO-27001 or SOC2, and providing a way to report on that
- Shift left or IaC – Providing a way to examine code used to build cloud environments, stopping problems before they begin
- Runtime protection – Agents on workloads providing insights into the behavior of applications, software installed, and individual processes running (live) in memory
How to secure cloud workloads?
In the modern age the typical deployment of a cloud workload protection platform is done at the hypervisor account level (that is AWS, GCP, Azure). The process is pretty painless and can be automated, or followed by simple on-screen prompts. Once a tool has been given access to your cloud estate it will begin scanning for all configurations and assets within that estate in a non-intrusive way. In order to see what software is running on workloads (without an agent), a digital twin is made of servers, which is then unpacked and scanned in a secured environment in order to send metadata about the server to the CWPP. Once all assets, configurations and servers have been scanned, the CWPP will start to piece together the interdependence of these items and the severity of the findings, and begin scoring them so they can be prioritised. The platform will then return all the findings, usually with the recommended fix, in a priority-driven way.
What is the difference between CWPP, CNAPP, CIEM, CSPM?
Why do we have so many different buzz words for cloud protection? The simple reason is that the cloud grew in complexity and sophistication, and so the tools needed to change in order to meet that. Just as laptop protection went from anti-virus to anti-malware, so the cloud had its evolution. Let’s go through in order of year of arrival.
2010 – CWPP (Cloud Workload Protection Platform):
Focuses on securing cloud workloads (VMs, containers, serverless functions) with features like visibility, vulnerability scanning, threat detection, and runtime protection. Essentially a bit like traditional endpoint protection software, but adapted for the cloud and containers.
2014 – CSPM (Cloud Security Posture Management):
Continuously monitors and manages cloud configurations to ensure compliance, assess risks, and provide remediation guidance for overall cloud security posture. This you can really think of as your ‘best practice’ configuration guide. It alerts you to all the silly things you might have done without realising it.
2018 – CIEM (Cloud Infrastructure Entitlement Management):
Manages cloud identities and permissions to enforce least privilege, detect anomalous access, and automate remediation. CIEM came about as attackers became more intelligent and the identity (i.e. the person) became the best entry point for hackers. Having software specifically designed to look at users' permissions and behaviours became essential.
2020 – CNAPP (Cloud-Native Application Protection Platform):
Provides comprehensive security for cloud-native applications across their entire lifecycle. This is really just a combination of CWPP + CSPM + CIEM. Really nothing new in terms of features, but as vendors consolidated more into their products an overarching term was needed to describe what they did.