What is a cloud workload protection platform (CWPP)?

A cloud workload protection platform (CWPP) mitigates threats in cloud and on-premise workloads.

What is a cloud workload protection platform (CWPP)?

A cloud workload protection platform (CWPP) is a security tool that detects and removes threats inside cloud software. A CWPP is like an automobile mechanic who identifies flaws and breakdowns inside a car's engine before they cause further damage — only it inspects the interior of cloud services, not cars. CWPPs automatically monitor a wide range of workloads, including physical on-premise servers, virtual machines, and serverless functions.

What is a cloud workload?

In computing, a workload is a program or application that uses some amount of memory and computing power. In cloud computing, a workload is exactly that, but hosted remotely by a cloud provider.

In the past, all workloads ran on physical machines. In the cloud computing era, however, workloads run at a number of different abstraction layers.

An "abstraction layer" is the point at which high-level functions interact with low-level functions, separated in such a way that someone or something interacting with the high-level functions is usually not aware of the low-level ones. For example, most users do not know how to program a computer, but they can still use a computer; this is because the programming languages involved are abstracted away through the use of graphical user interfaces and user-friendly applications.

Abstraction layers in cloud computing have made more efficient uses of cloud servers possible. For instance, virtual machines abstract away the underlying server hardware. Multiple virtual machines can run on one physical server, enabling multiple cloud customers to use the server at once.

But these abstraction layers also add complexity to cloud computing — particularly to securing the variety of cloud workloads in use.

| Type | Service model | Abstracted at | Hosting location | Environment |
| --- | --- | --- | --- | --- |
| Server | Self-hosted | Physical hardware | On-premise | Its own hardware |
| Virtual machine | IaaS, PaaS, SaaS | Hypervisor | Cloud or on-premise | Its own virtual hardware |
| [Container](/learning/serverless/serverless-vs-containers/) | IaaS, PaaS | Operating system kernel | Cloud | Its own operating system |
| Serverless function | FaaS | Depends on provider | Cloud | Depends on provider (Cloudflare uses Chrome V8) |

These different places to run workloads vary greatly in terms of resources used, location, and environment. Securing them is like trying to secure an office, a private home, and a parking garage all at the same time. There is no one security approach that works for all three situations — the parking garage requires a gate, the office may need a security guard, and the home needs a burglar alarm, for example.

Similarly, these different types of cloud infrastructure all have slightly different security needs. As a simple example, a virtual machine functions just like a physical machine and can run any number of applications simultaneously, so a malicious application can run alongside a legitimate one inside it. In contrast, a container typically runs only one application, so identifying whether that application has been compromised matters more than checking for additional malicious applications.

But CWPPs detect and remove threats across all these types of infrastructure, especially malware, vulnerabilities, and unauthorized applications.

What are the main capabilities of CWPPs?

According to Gartner, a global research and advisory firm, these eight capabilities define CWPPs:

  • Hardening, configuration, and vulnerability management: CWPPs help ensure no vulnerabilities are present in software, even before it is pushed to production.

  • Network firewalling, visibility, and microsegmentation: A CWPP protects and microsegments a network. The latter term means dividing a network into smaller portions so that an attacker cannot compromise the whole network at once.

  • System integrity assurance: A CWPP makes sure cloud systems are working as intended.

  • Application control and allowlisting: A CWPP allows and blocks applications based on a list of permitted applications.

  • Exploit prevention and memory protection: CWPPs prevent vulnerability exploits in actively running software.

  • Server workload endpoint detection and response (EDR), behavioral monitoring, and threat detection and response: CWPPs respond to suspicious changes in server and application behavior, as well as active threats.

  • Host-based intrusion prevention with vulnerability shielding: CWPPs prevent external incursions into servers.

  • Anti-malware scanning: CWPPs detect malware embedded within cloud workloads.

CWPPs are able to apply these capabilities in any type of workload, including physical servers, virtual machines, containers, and serverless functions.
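To make two of the capabilities above concrete (application control and allowlisting, and system integrity assurance), here is an added example of the kind of host-level check a CWPP agent performs. It is illustrative code written for this page, not the code of any CWPP product; the allowlist, the executable contents and the process table are all constructed inline so it runs offline. A permitted executable is identified by its path and the SHA-256 of its on-disk contents, so an unknown binary and a known binary that has been modified in place are both reported as blocked, each with its own reason.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string: the platform's notion of an executable's identity."""
    return hashlib.sha256(data).hexdigest()


# Constructed "known-good" executable contents standing in for real binaries.
# A real CWPP would hash the files of a golden image or read a signed manifest.
KNOWN_GOOD = {
    "/usr/sbin/nginx": b"constructed stand-in for the nginx binary",
    "/usr/bin/python3": b"constructed stand-in for the python3 binary",
}

# The allowlist: permitted executable path -> expected SHA-256 of its contents.
ALLOWLIST = {path: sha256_hex(content) for path, content in KNOWN_GOOD.items()}


@dataclass
class Process:
    pid: int
    exe: str      # path the process was launched from
    image: bytes  # bytes of that executable as read from disk (constructed here)


@dataclass
class Verdict:
    pid: int
    exe: str
    allowed: bool
    reason: str


def check_process(proc: Process, allowlist: dict) -> Verdict:
    """Apply application control (is the path permitted?) and then
    integrity assurance (does the on-disk binary still match its hash?)."""
    expected = allowlist.get(proc.exe)
    if expected is None:
        return Verdict(proc.pid, proc.exe, False, "not on allowlist")
    if sha256_hex(proc.image) != expected:
        return Verdict(proc.pid, proc.exe, False, "integrity failure: hash mismatch")
    return Verdict(proc.pid, proc.exe, True, "allowed")


def audit(processes, allowlist=ALLOWLIST):
    """Return one verdict per process; blocked entries are what an EDR-style
    response (alert, terminate, quarantine) would act on."""
    return [check_process(p, allowlist) for p in processes]


# Constructed process table: one intact, one modified on disk, one unknown.
SAMPLE_PROCESSES = [
    Process(101, "/usr/sbin/nginx", KNOWN_GOOD["/usr/sbin/nginx"]),
    Process(102, "/usr/bin/python3", KNOWN_GOOD["/usr/bin/python3"] + b"\x00patched"),
    Process(103, "/tmp/unknown-tool", b"constructed binary not in any allowlist"),
]

if __name__ == "__main__":
    for v in audit(SAMPLE_PROCESSES):
        status = "ALLOW" if v.allowed else "BLOCK"
        print(f"{status} pid={v.pid} exe={v.exe} ({v.reason})")
```

The two failure reasons are kept distinct on purpose: "not on allowlist" is an application-control finding, while "integrity failure" means a trusted path now carries different bytes, which is the signal that system integrity assurance exists to raise.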

How do CWPPs protect multi-cloud and hybrid cloud deployments?

Because CWPPs can cover a range of workloads, they are ideal for protecting infrastructure that is spread out across multiple clouds. Multi-cloud deployments, which combine multiple public clouds, and hybrid cloud deployments, which combine public clouds with private clouds and on-premise infrastructure, contain a wide variety of types of workloads. A CWPP provides a "single pane of glass" — one place where an organization can easily view and analyze cloud security risks across these workloads.

What is the difference between a CWPP and cloud security posture management (CSPM)?

Cloud security posture management (CSPM) is another type of automated tool for securing a range of cloud deployments. The main difference is that CSPM is external, looking for cloud misconfigurations and compliance violations; CWPP is internal, looking for threats inside the software that runs in the cloud.


FAQs

What is a cloud workload protection platform (CWPP)?

A CWPP is a security tool designed to identify and eliminate threats within cloud-based software. It monitors the internal workings of cloud services to detect vulnerabilities and malware, inspecting physical servers, virtual machines, and serverless functions alike.

How is a workload defined in the context of cloud computing?

In cloud computing, a workload is an application or program that utilizes memory and computing power but is hosted remotely by a cloud provider. These workloads can exist at different abstraction layers, such as virtual machines, containers, or serverless functions.

Why do different types of cloud infrastructure require a specialized security approach?

Different environments have unique security requirements. For instance, a virtual machine can run many applications at once, meaning it must be screened for malicious apps running alongside legitimate ones. In contrast, a container typically runs just one application, so the priority is ensuring that specific application hasn't been compromised. A CWPP provides a unified way to secure these diverse environments.

What are the primary capabilities of a CWPP?

A CWPP offers several key security functions, including vulnerability management to find flaws before code goes live, microsegmentation to prevent attackers from moving through a network, and anti-malware scanning.

How does a CWPP help organizations with multi-cloud or hybrid cloud setups?

For organizations using multiple cloud providers or a mix of private and public infrastructure, a CWPP acts as a single pane of glass, a centralized view that allows security teams to analyze risks across all their different workloads and locations from one place.

What is the difference between a CWPP and cloud security posture management (CSPM)?

The main difference lies in where the tools look for threats. While CSPM is an external tool that checks for misconfigurations and compliance issues in the cloud environment, a CWPP is an internal tool that focuses on detecting threats inside the software and workloads themselves.

[Image comparing CWPP vs CSPM security focus areas]

What is microsegmentation, and why is it important for cloud security?

Microsegmentation is the process of dividing a network into smaller, isolated sections. By using a CWPP to implement microsegmentation, an organization can ensure that if one part of the network is breached, the attacker cannot easily access the entire system.
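The microsegmentation point made here and in the capability list above can be shown with a small policy evaluator. This is an added example written for this page, not any CWPP's policy engine or rule syntax: the segment names, ports and rules are constructed for a three-tier workload, traffic is denied unless an explicit rule allows it, and a breadth-first search over the allowed flows computes which segments a breached segment could reach. Comparing that set under a flat network against the segmented policy is the "cannot compromise the whole network at once" effect the text describes.

```python
from collections import deque

# Constructed microsegmentation policy for a three-tier workload. Each rule is
# (source segment, destination segment, TCP port); anything not listed is
# denied. Illustrative format only, not any particular CWPP's syntax.
SEGMENTED_POLICY = {
    ("internet", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("app", "cache", 6379),
    ("ops", "batch", 22),
}

SEGMENTS = ["internet", "web", "app", "db", "cache", "ops", "batch"]
PORTS = [22, 443, 5432, 6379, 8080]


def flat_policy(segments=SEGMENTS, ports=PORTS):
    """The unsegmented baseline: every segment may reach every other on every port."""
    return {(s, d, p) for s in segments for d in segments if s != d for p in ports}


def is_allowed(policy, src, dst, port):
    """Default deny: a flow passes only if an explicit rule permits it."""
    return (src, dst, port) in policy


def direct_reach(policy, src):
    """Segments that `src` can talk to in a single hop, on any port."""
    return {d for s, d, _ in policy if s == src}


def blast_radius(policy, start):
    """Segments a breach of `start` could reach by chaining allowed flows (BFS).
    Shrinking this set is the purpose of microsegmentation."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in direct_reach(policy, current) - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen - {start}


if __name__ == "__main__":
    for name, policy in [("flat", flat_policy()), ("segmented", SEGMENTED_POLICY)]:
        reach = sorted(blast_radius(policy, "web"))
        print(f"{name}: a breach of 'web' can reach {reach}")
```

Under the flat policy a breach of the web tier reaches every other segment; under the segmented policy it reaches only the segments downstream of the allowed flows, and the ops and batch segments stay out of reach entirely. In practice a CWPP enforces such rules at the host or workload level, so the policy follows the workload whether it runs on-premise or in any cloud.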