What is a cloud workload protection platform (CWPP)?

A cloud workload protection platform (CWPP) mitigates threats in cloud and on-premise workloads.

Learning Objectives

After reading this article you will be able to:

  • Define cloud workload protection platform (CWPP)
  • Explain the types of workloads CWPPs protect
  • List the key CWPP capabilities

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is a cloud workload protection platform (CWPP)?

A cloud workload protection platform (CWPP) is a security tool that detects and removes threats inside cloud software. A CWPP is like an automobile mechanic who identifies flaws and breakdowns inside a car's engine before they cause further damage — only it inspects the interior of cloud services, not cars. CWPPs automatically monitor a wide range of workloads, including physical on-premise servers, virtual machines, and serverless functions.

What is a cloud workload?

In computing, a workload is a program or application that uses some amount of memory and computing power. In cloud computing, a workload is exactly that, but hosted remotely by a cloud provider.

In the past, all workloads ran on physical machines. In the cloud computing era, however, workloads run at a number of different abstraction layers.

An "abstraction layer" is the point at which high-level functions interact with low-level functions, separated in such a way that someone or something interacting with the high-level functions is usually not aware of the low-level ones. For example, most users do not know how to program a computer, but they can still use a computer; this is because the programming languages involved are abstracted away through the use of graphical user interfaces and user-friendly applications.

Abstraction layers in cloud computing have made more efficient uses of cloud servers possible. For instance, virtual machines abstract away the underlying server hardware. Multiple virtual machines can run on one physical server, enabling multiple cloud customers to use the server at once.

But these complex abstraction layers also add complexity to cloud computing — particularly to securing the variety of cloud workloads in use.

Type: Service model: Abstracted at: Hosting location: Environment:
Server Self-hosted Physical hardware On-premise Its own hardware
Virtual machine IaaS, PaaS, SaaS Hypervisor Cloud or on-premise Its own virtual hardware
Container IaaS, PaaS Operating system kernel Cloud Its own operating system
Serverless function FaaS Depends on provider Cloud Depends on provider (Cloudflare uses Chrome V8)

These different places to run workloads vary greatly in terms of resources used, location, and environment. Securing them is like trying to secure an office, a private home, and a parking garage all at the same time. There is no one security approach that works for all three situations — the parking garage requires a gate, the office may need a security guard, and the home needs a burglar alarm, for example.

Similarly, these different types of cloud infrastructure all have slightly different security needs. As a simple example, a virtual machine functions just like a physical machine and can run any number of applications simultaneously. A malicious application can run alongside a legitimate application in a virtual machine. In contrast, containers only run one application, so identifying if that application has been compromised is more important than making sure no malicious applications are running.

But CWPPs detect and remove threats across all these types of infrastructure, especially malware, vulnerabilities, and unauthorized applications.

What are the main capabilities of CWPPs?

According to Gartner, a global research and advisory firm, these eight capabilities define CWPPs:

  1. Hardening, configuration, and vulnerability management: CWPPs help ensure no vulnerabilities are present in software, even before it is pushed to production.
  2. Network firewalling, visibility, and microsegmentation: A CWPP protects and microsegments a network. The latter term means dividing a network into smaller portions so that an attacker cannot compromise the whole network at once.
  3. System integrity assurance: A CWPP makes sure cloud systems are working as intended.
  4. Application control and allowlisting: A CWPP allows and blocks applications based on a list of permitted applications.
  5. Exploit prevention and memory protection: CWPPs prevent vulnerability exploits in actively running software.
  6. Server workload endpoint detection and response (EDR), behavioral monitoring, and threat detection and response: CWPPs respond to suspicious changes in server and application behavior, as well as active threats.
  7. Host-based intrusion prevention with vulnerability shielding: CWPPs prevent external incursions into servers.
  8. Anti-malware scanning: CWPPs detect malware embedded within cloud workloads.

CWPPs are able to apply these capabilities in any type of workload, including physical servers, virtual machines, containers, and serverless functions.

How do CWPPs protect multi-cloud and hybrid cloud deployments?

Because CWPPs can cover a range of workloads, they are ideal for protecting infrastructure that is spread out across multiple clouds. Multi-cloud deployments, which combine multiple public clouds, and hybrid cloud deployments, which combine public clouds with private clouds and on-premise infrastructure, contain a wide variety of types of workloads. A CWPP provides a "single pane of glass" — one place where an organization can easily view and analyze cloud security risks across these workloads.

What is the difference between a CWPP and cloud security posture management (CSPM)?

Cloud security posture management (CSPM) is another type of automated tool for securing a range of cloud deployments. The main difference is that CSPM is external, looking for cloud misconfigurations and compliance violations; CWPP is internal, looking for threats inside the software that runs in the cloud.

Learn more about CSPM.