Cloud Workload Protection Platform (CWPP)

What is it?
According to Gartner, CWPPs are workload-centric security offerings that target the unique protection requirements of workloads in modern hybrid, multi-cloud data center architectures. In plain English, CWPPs help organizations protect their capabilities or workloads (applications, resources, etc.) running in a cloud instance.

CWPP capabilities vary across vendor platforms, but typically include functions like system hardening, vulnerability management, host-based segmentation, system integrity monitoring, and application allow lists. CWPPs enable visibility and security control management across multiple public cloud environments from a single console.

Gartner divides CWPP vendors into eight categories:

1. Broad, Multi-OS Capabilities.
2. Vulnerability Scanning, Configuration, and Compliance Capabilities.
3. Identity-Based Segmentation, Visibility, and Control Capabilities.
4. Application Control/Desired State Enforcement Capabilities.
5. Memory and Process Integrity/Protection Capabilities.
6. Server EDR, Workload Behavioral Monitoring, and Threat Detection/Response Capabilities.
7. Container and Kubernetes Protection Capabilities.
8. Serverless Protection Capabilities.

In the Market Guide for Cloud Workload Protection Platforms, Gartner states that workloads are becoming more granular — with shorter life spans — as organizations continue to adopt DevOps-style development patterns, with multiple iterations deployed per week or even per day.

The best way to secure these rapidly changing and short-lived workloads is to take a proactive approach. By incorporating security via DevSecOps through the use of Infrastructure as Code templates, pre-deployment vulnerability management and code scanning, workloads are protected from the very beginning.

In what context is it best used?
Gartner states that the best possible context for a CWPP is a single provider IaaS, particularly where there are requirements for additional security capabilities to protect workloads.

Benefits and limitations

Benefits

• Provide visibility into- and control over workloads.
• Provide comprehensive protection against workload risks deployed in IaaS. This is significant because workloads are difficult to protect, and as more organizations adopt container-based service deployments, the difficulty of protecting workloads will persist.
• Can alert and escalate issues; local policy scripting at the workload level permits posture changes, such as firewall changes and application whitelist changes.

Limitations

• Lack identity and access management functions.
• Cannot provide overall risk management services across all cloud deployments.
• Cannot perform event monitoring outside of workloads.