Cloud Security

Cloud Workload Protection Platform (CWPP)

What is it?
According to Gartner, CWPPs are workload-centric security offerings that target the unique protection requirements of workloads in modern hybrid, multi-cloud data center architectures. In plain English, CWPPs help organizations protect their capabilities or workloads (applications, resources, etc.) running in a cloud instance.

CWPP capabilities vary across vendor platforms, but typically include functions like system hardening, vulnerability management, host-based segmentation, system integrity monitoring, and application allow lists. CWPPs enable visibility and security control management across multiple public cloud environments from a single console.

Gartner divides CWPP vendors into eight categories:

  1. Broad, Multi-OS Capabilities.
  2. Vulnerability Scanning, Configuration, and Compliance Capabilities.
  3. Identity-Based Segmentation, Visibility, and Control Capabilities.
  4. Application Control/Desired State Enforcement Capabilities.
  5. Memory and Process Integrity/Protection Capabilities.
  6. Server EDR, Workload Behavioral Monitoring, and Threat Detection/Response Capabilities.
  7. Container and Kubernetes Protection Capabilities.
  8. Serverless Protection Capabilities.

In the Market Guide for Cloud Workload Protection Platforms, Gartner states that workloads are becoming more granular — with shorter life spans — as organizations continue to adopt DevOps-style development patterns, with multiple iterations deployed per week or even per day.

The best way to secure these rapidly changing and short-lived workloads is to take a proactive approach. By incorporating security via DevSecOps through the use of Infrastructure as Code templates, pre-deployment vulnerability management and code scanning, workloads are protected from the very beginning.

In what context is it best used?
Gartner states that the best possible context for a CWPP is a single provider IaaS, particularly where there are requirements for additional security capabilities to protect workloads.

Benefits and limitations


  • Provide visibility into- and control over workloads.
  • Provide comprehensive protection against workload risks deployed in IaaS. This is significant because workloads are difficult to protect, and as more organizations adopt container-based service deployments, the difficulty of protecting workloads will persist.
  • Can alert and escalate issues; local policy scripting at the workload level permits posture changes, such as firewall changes and application whitelist changes.


  • Lack identity and access management functions.
  • Cannot provide overall risk management services across all cloud deployments.
  • Cannot perform event monitoring outside of workloads.

For more information about Cloud Security, call our security consultants at +31 (0) 345 506 105, send an email to or fill out our contact form via button below.