A cloud workload protection platform (CWPP) mitigates threats in cloud and on-premise workloads.
After reading this article you will be able to:
Related Content
SaaS management platform (SMP)
Cloud security posture management (CSPM)
SaaS security posture management (SSPM)
Cloud security
Virtual machine
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
A cloud workload protection platform (CWPP) is a security tool that detects and removes threats inside cloud software. A CWPP is like an automobile mechanic who identifies flaws and breakdowns inside a car's engine before they cause further damage — only it inspects the interior of cloud services, not cars. CWPPs automatically monitor a wide range of workloads, including physical on-premise servers, virtual machines, and serverless functions.
In computing, a workload is a program or application that uses some amount of memory and computing power. In cloud computing, a workload is exactly that, but hosted remotely by a cloud provider.
In the past, all workloads ran on physical machines. In the cloud computing era, however, workloads run at a number of different abstraction layers.
An "abstraction layer" is the point at which high-level functions interact with low-level functions, separated in such a way that someone or something interacting with the high-level functions is usually not aware of the low-level ones. For example, most users do not know how to program a computer, but they can still use a computer; this is because the programming languages involved are abstracted away through the use of graphical user interfaces and user-friendly applications.
Abstraction layers in cloud computing have made more efficient uses of cloud servers possible. For instance, virtual machines abstract away the underlying server hardware. Multiple virtual machines can run on one physical server, enabling multiple cloud customers to use the server at once.
But these complex abstraction layers also add complexity to cloud computing — particularly to securing the variety of cloud workloads in use.
Type: | Service model: | Abstracted at: | Hosting location: | Environment: |
---|---|---|---|---|
Server | Self-hosted | Physical hardware | On-premise | Its own hardware |
Virtual machine | IaaS, PaaS, SaaS | Hypervisor | Cloud or on-premise | Its own virtual hardware |
Container | IaaS, PaaS | Operating system kernel | Cloud | Its own operating system |
Serverless function | FaaS | Depends on provider | Cloud | Depends on provider (Cloudflare uses Chrome V8) |
These different places to run workloads vary greatly in terms of resources used, location, and environment. Securing them is like trying to secure an office, a private home, and a parking garage all at the same time. There is no one security approach that works for all three situations — the parking garage requires a gate, the office may need a security guard, and the home needs a burglar alarm, for example.
Similarly, these different types of cloud infrastructure all have slightly different security needs. As a simple example, a virtual machine functions just like a physical machine and can run any number of applications simultaneously. A malicious application can run alongside a legitimate application in a virtual machine. In contrast, containers only run one application, so identifying if that application has been compromised is more important than making sure no malicious applications are running.
But CWPPs detect and remove threats across all these types of infrastructure, especially malware, vulnerabilities, and unauthorized applications.
According to Gartner, a global research and advisory firm, these eight capabilities define CWPPs:
CWPPs are able to apply these capabilities in any type of workload, including physical servers, virtual machines, containers, and serverless functions.
Because CWPPs can cover a range of workloads, they are ideal for protecting infrastructure that is spread out across multiple clouds. Multi-cloud deployments, which combine multiple public clouds, and hybrid cloud deployments, which combine public clouds with private clouds and on-premise infrastructure, contain a wide variety of types of workloads. A CWPP provides a "single pane of glass" — one place where an organization can easily view and analyze cloud security risks across these workloads.
Cloud security posture management (CSPM) is another type of automated tool for securing a range of cloud deployments. The main difference is that CSPM is external, looking for cloud misconfigurations and compliance violations; CWPP is internal, looking for threats inside the software that runs in the cloud.