What is a Cloud Workload Protection Platform (CWPP)? And Why Do You Need It?

Written by Intezer

    Share article
    FacebookTwitterLinkedInRedditCopy Link

    Top Blogs

    The cloud has completely transformed the IT landscape over the last few years. And it’s now entering a new era of hybrid-cloud and multi-cloud adoption.

    This has seen a gradual shift away from the static infrastructure used by on-premises workloads towards complex and dynamic cloud-based deployments with lots of moving parts.

    The modern enterprise now hosts applications across a diverse mix of VM-based, containerized, serverless and traditional on-premises environments, allowing them to make the best use of both their existing data centers and the public cloud.

    However, this transition to hybrid cloud and multi-cloud presents new security challenges, requiring a switch in focus from endpoint protection and intrusion prevention at the outer perimeter towards configuration management and individual workload protection.

    Cloud Workload Protection Platforms (CWPPs) play an essential role in meeting these challenges. But what exactly is a CWPP?

    This post takes you through the basics of CWPPs and the part they play in protecting your applications.

    CWPP in a Nutshell

    CWPP is a relatively new term, coined by Gartner, to describe a new generation of security management tools that help keep workloads secure across different types of computing environments. They typically protect not only the application itself but also the processes and resources that support the workload, such as the network and databases used by the application.

    By contrast with traditional security solutions, which are designed for server protection in an on-premises setting, CWPPs are more granular and protect individual workloads in complex hybrid cloud and multi-cloud architectures.

    These capabilities mean most CWPPs are provided by third-party vendors rather than by public cloud platforms as in-house offerings.

    CWPPs also play a key role in the security of software-as-a-service (SaaS) applications, which are increasingly taking the place of conventional desktop software. This is because of the difference in the way SaaS vendors deliver their services.

    Previously they just needed to worry about the security of their code—as it was down to each customer to implement security measures on their own individual workstations. But now their users access their applications from a centralized cloud environment, which also must be protected to ensure the security of their services.

    Protection Strategies

    CWPPs use a variety of different approaches to protect cloud-based workloads. But they generally use one or more of the following:

    • Antivirus: The long-established method of scanning files for a static fingerprint of known malware. Although Antivirus software still plays a useful role in workload protection, it can only detect known threats and a limited number of previously unseen malicious files or actions. It also cannot prevent in-memory and fileless attacks, which exploit trusted applications and leave practically no trace of any installed component.
    • Microsegmentation: A security approach that limits lateral traffic between nodes based on predefined network policies. Microsegmentation acts like a granular firewall, preventing the spread of an attack between individual workload environments across your cloud infrastructure.
    • Runtime application self-protection (RASP): Protection of individual workloads by monitoring the inputs, outputs and internal state of each application for abuse of known exploits of specific software technologies. More sophisticated RASP tools can also monitor activity for potentially new forms of code-targeted attacks.
    • Anomaly-based threat detection: A form of security monitoring designed to detect a much broader range of potentially malicious behavior, such as a sudden influx of network connection requests and user logins outside normal working hours. Anomaly-based threat detection tends to yield a lot of false positives. It also generates alerts that are often inconclusive, requiring additional investigation.
    • Allow list: A zero-trust defense mechanism that allows users to run only approved applications or processes. Allow lists distinguish between permitted and prohibited executables using a combination of information such the application’s file path and file size, and the software publisher’s digital signature. As applications are continually being patched and updated, this information also continually changes, making allow lists notoriously laborious and difficult to manage.
    • Container image scanning: A container-specific technique that scans the layers that make up your container images for known vulnerabilities. It ensures container image hygiene by examining the packages and dependencies that are used in the image build process. However, container image scanning doesn’t detect breaches that occur during container runtime.

    Common Characteristics of a CWPP

    The following are the most common characteristics you’d expect to find in a fully featured CWPP:

    • Out-of-the-box integration: Quick and easy deployment in the cloud with minimal configuration.
    • Cloud agnostic: Workload protection in any runtime environment, including physical machines and VM-based, containerized and serverless infrastructure, with support for on-premises systems and different public cloud platforms.
    • Consolidated workload monitoring: Visibility across all your different workloads from a single pane of glass.
    • Workload configuration: Resource configuration capabilities so you can manage workloads for optimal security risk.
    • Scalability: Designed for elastic infrastructure that scales up and down in response to fluctuating demand.

    The Answer to Cloud Complexity

    Leading public cloud platforms, such as AWS, Microsoft Azure and Google Cloud Platform, have gone to great lengths to provide a secure environment to host your applications, but they cannot protect aspects of security that are outside their control.

    It’s your responsibility to secure each of your individual workloads. However, the cloud has shifted the goalposts and you can no longer rely on traditional methods of protection.

    CWPPs have evolved in response to the dynamic and complex nature of cloud-based infrastructure and the new and more sophisticated types of threat. What’s more, they have adapted to the trend towards hybrid-cloud and multi-cloud strategies.

    By leveraging these capabilities, you can maintain secure control over all your cloud and on-premises deployments—through a standardized approach to workload security and visibility through a single pane of glass.

    In an upcoming post, we’ll be taking a more detailed look at the various features you can expect to find in different CWPP offerings, exploring the pros and cons you’ll need to consider.

    Try Intezer Protect for Free

    Intezer Protect is a CWPP that provides runtime visibility and protection for your cloud. It can secure all types of compute resources in runtime against malicious code, so you can detect and respond to attacks on your cloud-native stack.

    Sign up to use Intezer Protect for your containers and virtual machines. Secure up to 10 hosts for free.


    Count on Intezer’s Autonomous SOC solution to handle the security operations grunt work.

    Generic filters
    Exact matches only
    Search in title
    Search in content
    Search in excerpt