researchHQ’s Key Takeaways:
- Cloud workload protection is the practice of securing workloads running in an enterprise’s cloud environment.
- The versatility and short-lifespan of cloud resources have raised a new set of security challenges for organisations adopting the cloud.
- Under the shared responsibility model, the service user rather than the service provider is responsible for the security of their workloads in the cloud.
- A cloud workload protection platform monitors the infrastructure in real time, helping organisations ensure that every running application is trusted and under their control.
- Sophisticated cloud workload protection platforms use automated deployments to enable quick onboarding, increase visibility and control over applications and detect unauthorized or malicious code.
As organizations and individuals alike have transitioned to the cloud over the past 15 years, this has led to an incredible transformation across the global business landscape. At the same time, however, this has resulted in disruption. Cloud computing is no longer a myth or buzzword; it has become the cornerstone of technological innovation in our daily lives.
Even the more traditional, non-tech-oriented industries, such as banking and manufacturing, are taking the plunge and migrating to the cloud in order to reap the numerous benefits it offers. In addition, the current COVID-19 pandemic has accelerated the adoption process across all industries.
As the cloud revolution continues at full speed, not only has the tooling changed; the long-established tech culture and the processes that go along with this have also shifted significantly. Security, for example, is one area that has changed dramatically since the global adoption of cloud.
The Security Paradigm Shift with Cloud
There are a number of key differences between the security of traditional IT systems, often deployed on-premises, and that of cloud workloads.
The rapid adoption of public cloud has created new security challenges. Cloud computing has changed the way we build and operate infrastructure and applications. On-premises servers (virtual or physical) are fairly static and run for long periods of time. In the cloud, however, a virtual machine is often ephemeral and may have a very short lifecycle, hence the well-known saying: “Treat your servers like cattle not pets.”
The fast-paced dynamic of cloud, both in terms of infrastructure as well as on the application and CI/CD level, yields an architecture that can scale elastically based on demand, and one that is built to tolerate failure. This enables organizations to move fast and adapt quickly to both business constraints and opportunities. However, from a technical perspective, such unpredictability and short-lived resources present a major security challenge.
With such versatile technology capabilities at the core levels (compute, network, and storage), such as Kubernetes, containers, VPCs, SDNs, and object storage, implementing the same security mechanisms and processes that were in place beforehand became quite difficult. The traditional security models were built based on a network-perimeter defense. All resources that were isolated from the outside and were within a private network were considered secure, and organizations were focused on protecting assets that were connected to the internet—typically Windows workstations. In the cloud era, however, the goal is to protect the assets inside our VPC, which are usually Linux based. This has required a shift in security strategy and a need for platforms and personnel with expertise in Linux operating systems.
As previously noted, the software development world has also undergone a major transformation. Traditionally, security was handled exclusively by dedicated information security specialists, meaning security was often only addressed at the end of the development cycle, just before releasing to production.
Yet today, DevOps engineers are empowered to build and operate infrastructure resources on their own. This new flexibility has also placed greater responsibility on engineers, forcing them to become more involved in security practices. In information security, this principle is referred to as “Shift Left,” meaning the security culture, processes, and tools need to exist and take place earlier in the software development cycle, not just at the end.
The “Shift Left” movement has also redefined the roles and responsibilities of security teams. It is now even more crucial that security teams be able to secure the runtime environment and detect and respond to attacks, while also providing guidelines and technology for developers and DevOps engineers. Regardless of the workload type (cloud-native applications with CI/CD pipelines, third-party software, or legacy systems), ensuring everything is secure is ultimately the responsibility of the security team.
Explaining Cloud Workload Protection
As cloud security is a broad topic, the challenges exist at multiple levels. First and foremost, it is important to understand the division of responsibilities between you, as an organization and public cloud customer, and the cloud provider (e.g., AWS, Google Cloud, or Microsoft Azure).
According to the shared responsibility model, the cloud provider is responsible for the security of the cloud, meaning the physical infrastructure (e.g., data centers, network, and server equipment) and for operating that infrastructure (e.g., physical security, power redundancy, connectivity between facilities, etc.). In turn, the customer is responsible for security in the cloud, meaning the workloads running on top of the virtual resources created in the cloud provider’s platform.
With a virtual machine (or instance), for example, the customer (organization) is responsible for various aspects of security, including securing the applications running, keeping the operating system up to date, and restricting inbound and outbound network connectivity as needed. In addition, in the case of a security incident, the customer is also responsible for detecting and responding to actual breaches.
Cloud Workload Protection (CWP) refers to the protection and overall security of workloads running in the cloud in any type of computing environment (e.g., physical servers, virtual instances, or containers). For cloud customers, this is a core responsibility and is thus one of the most critical aspects to consider in your security and compliance strategy.
While cloud providers offer many different features and managed services to help customers with security, Cloud Workload Protection Platforms are rarely offered by cloud providers (with MS Defender ATP in Azure being the only exception). Each cloud provider has its own security offerings, and though valuable, they focus on important yet non-CWP security aspects. Industry analysts highlight only CWPP products from third-party providers and note that organizations using traditional endpoint protection platforms (EPP) in the cloud are putting enterprise data and applications at risk. Further, most enterprises are now purposely using more than one public cloud IaaS. Bottom line, if your organization wants to protect and secure its cloud applications and infrastructure, it will need a dedicated Cloud Workload Protection solution from a third-party provider that focuses on that.