Cloud Workload Protection Platforms (CWPPs) are a new generation of modern, scalable security solutions designed to protect applications in today’s landscape of hybrid cloud and multi-cloud infrastructure.
They address the challenges of securing workloads hosted across a diverse mix of VM-based, containerized, serverless, and traditional on-premises environments, leveraging technologies adapted to the dynamic, elastic and on-demand model of the public cloud.
In our previous post about CWPPs, we discussed the fundamentals of the workload-centric protection solution, such as what it does and the capabilities you can typically expect.
However, CWPPs come in different shapes and sizes. So, once you’ve concluded you need a CWPP, your next step is to explore the different vendor offerings available on the market.
This post can help by taking you through the different factors you need to consider when choosing a CWPP. That way, you’ll be able to make an informed decision about which solution is right for you.
1. Protection Strategies
One of the key differences you’ll find between each of the different vendor offerings is the protection strategies they use. These typically include one or more of the following:
- Antivirus: Traditional signature-based malware detection
- Microsegmentation: Granular protection of network traffic at individual workload level
- Runtime application self-protection (RASP): Detection of suspicious behavior by monitoring the inputs, outputs, and internal state of each application
- Anomaly-based threat detection: A benchmarking technique that detects unusual activity, which could be the sign of a potential attack
- Allow list: Threat mitigation by means of a list of approved applications or processes
- Container image scanning: A pre-runtime process that scans container images for compromises and unpatched vulnerabilities
Some CWPP providers focus on only one specific strategy whereas others offer a broad set of security capabilities. But, given the rapid growth in the number of ransomware attacks and other highly sophisticated types of threat, runtime protection is likely to be among your highest priorities.
Runtime security tools prevent code-targeted attacks while your applications are running. A more mature solution will also protect against other forms of stealth attack, such as fileless attacks and, in particular, Living-off-the-Land attacks. These evade traditional threat detection methods by concealing themselves in system memory.
2. Monitoring Mechanism
Many CWPP solutions are agent based, which means they’re installed directly on the systems you want to protect.
As a result, they’re able to collect a wide range of information, which can prove particularly useful where your security teams need deeper insights into potential threat activity within your systems.
However, you need to install an agent on each of your target environments. You’ll also need to keep tabs on the health of your agents and patch them from time to time. In other words, setup and maintenance can sometimes be more time-consuming than agentless alternatives.
Agentless solutions, on the other hand, access your resources over a network—usually via API. This generally makes them more lightweight and less intrusive than agent-based tools, being much less resource intensive and providing better performance.
However, the agentless model requires more network bandwidth. What’s more, some agent-based tools now come with virtually no resource overhead and provide similar levels of performance to agentless solutions.
A CWPP will play an important role in your DevOps workflows by providing protection against poor security practices at an earlier stage in the development lifecycle. This should work seamlessly with little or no impact on day-to-day development work. So bear in mind how easy a solution is to integrate into your CI/CD pipelines.
It should offer deployment flexibility by supporting a range of open-source tools and components, such as Chef, Puppet, and Ansible. In addition, a CWPP should support container-based environments using components such as Kubernetes DaemonSets or container sidecars.
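As an added illustration of the agent-based model from section 2 and the DaemonSet deployment mentioned above (example manifest written for this post, not a vendor's own), the following rolls a hypothetical CWPP agent out to every node, bounds its per-node resource overhead, and exposes agent health; the `example-cwpp-agent` name, namespace, image and health port are placeholders to replace with your vendor's values.

```yaml
# Added example, not from the post or any vendor: a DaemonSet that installs an
# agent-based CWPP sensor on every node. Names, image and port are placeholders.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: example-cwpp-agent
  namespace: cwpp-system
spec:
  selector:
    matchLabels:
      app: example-cwpp-agent
  updateStrategy:
    type: RollingUpdate            # agent patches roll out node by node
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: example-cwpp-agent
    spec:
      priorityClassName: system-node-critical   # keep the sensor scheduled under pressure
      hostPID: true                # runtime visibility into node processes
      tolerations:
      - operator: Exists           # also run on tainted nodes (e.g. control plane)
      containers:
      - name: agent
        image: registry.example.com/cwpp-agent:1.0.0   # placeholder image
        securityContext:
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
            add: ["SYS_PTRACE"]    # only what process inspection needs
        resources:
          requests: {cpu: 50m, memory: 128Mi}
          limits:   {cpu: 200m, memory: 256Mi}   # bound the per-node overhead
        volumeMounts:
        - name: host-proc
          mountPath: /host/proc
          readOnly: true           # sensor reads host state, never writes it
        livenessProbe:             # surfaces unhealthy agents to the scheduler
          httpGet: {path: /healthz, port: 8080}
          periodSeconds: 30
      volumes:
      - name: host-proc
        hostPath: {path: /proc}
```

Apply it with `kubectl apply -f` and check `kubectl -n cwpp-system get daemonset` to confirm the desired and ready counts match the number of nodes.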
4. Threat Response
A CWPP shouldn’t just detect threats but also help you deal with them as quickly and efficiently as possible.
The threat response features you’ll need will vary between CWPPs depending on the protection strategies they use. For example, if the main focus of the platform is on runtime threats, then it should be able to detect and terminate ransomware and other destructive attacks both automatically and at the touch of a button.
However, CWPPs also share a number of threat response features in common. The most important to look for include:
- Contextual alerts, providing useful information to help you identify the source of compromise and quickly fix the issue
- Native integration with security aggregation tools such as Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR)
- Seamless integration with collaboration tools, such as Slack, and issue management systems, such as Jira
5. Running Costs
CWPPs are fully managed services, which are generally charged on a subscription basis. However, pricing models vary. For example, some subscriptions follow the pay-as-you-go (PAYG) usage-based billing model, whereas some solution providers charge per host. So you may not be able to compare charges on a like-for-like basis.
But these aren’t the only costs you need to consider.
You’ll need to think about the resource overhead of each solution, and also about indirect costs, such as maintenance, ease of use, and the level of automation. For example, some CWPPs are policy oriented, and you’ll need to keep these policies up to date. This can involve a significant amount of manual work and a resulting cost to your business.
Another important factor to consider is the number and quality of alerts a solution generates, as a lot of unnecessary notifications and false positives will ramp up the workload and could divert attention away from potentially more serious signs of an attack.
6. Customer Support
You want to be sure you’ll get the best out of your CWPP. So it’s important you consider the quality of the customer support on offer.
Furthermore, the public cloud is strongly geared towards Linux. So look for a CWPP vendor with strong expertise in Linux and open-source technologies.
7. Protection for All Workloads
A CWPP should, at the bare minimum, support all three leading public cloud services—Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
It may also need to support the latest application deployment technologies, such as containers and serverless. Ideally, it should also cover fully managed alternatives, such as AWS Fargate, Azure Container Instances (ACI), and Google Cloud Run.
In addition, you’ll need protection for your on-premises systems. So you may need a CWPP with support for legacy workloads hosted on outdated infrastructure. This should provide compensating controls if your systems no longer receive software updates and security patches.
Finally, your CWPP should offer unified protection across all your environments, as standard, providing centralized management from a single point of control.
About Intezer Protect
Intezer Protect is a CWPP that provides runtime visibility and protection for your cloud. It can secure all types of compute resources in runtime against malicious code, so you can detect and respond to attacks on your cloud-native stack.
You can sign up to use Intezer Protect for your containers and virtual machines and secure up to 10 hosts for free.