In recent years, Cloud Workload Protection Platforms (CWPPs) have become an integral part of many organizations’ cloud security strategies. CWPPs provide visibility and control over the behavior of cloud workloads, helping to protect against malware and other threats. The challenge, however, is that CWPP technology has primarily relied on the use of agents installed on cloud workloads. For many cloud-native services, agents are not only disliked by developers, but in many cases cannot be installed at all. Capabilities provided by CWPP are increasingly shifting in two directions to overcome this challenge - to the left, with tighter integration into development and DevOps pipelines, and downwards, into the network.
Challenges with CWPP agents
In the early days of an organization’s cloud journey, where cloud projects often consist of lift-and-shift of traditional applications, CWPP agents can be deployed on the corresponding VMs and provide protection. As organizations mature in their cloud journeys, they increasingly adopt cloud-native services, many of which are offered as serverless. Think managed container services like AWS Fargate, or Function-as-a-Service (FaaS) offerings like Azure Functions or AWS Lambda. With these services, the customer has no access to the underlying host, and therefore no ability to install an agent. Several attempts have been made to recreate CWPP functionality on these types of services, but none can be universally applied to all services, leading to a quagmire with many point products and different policy models for each.
Key characteristics of cloud-native workloads
Fortunately, there are several key characteristics of cloud-native workloads that have opened the ability to change the game in CWPP. First, with cloud often comes changes to process, with security getting involved in application development to help mutually identify and remediate risk early, with an objective of instantiating workloads that are already secure. Second, the footprint of the application code running in microservices is significantly smaller and single purpose, making behavior more predictable and deviations easier to detect. Finally, many such workloads have a very short lifespan, making it difficult for an attacker to gain persistence before the workload is decommissioned and a new one deployed.
What does all of this mean for CWPP? It means you can stop struggling to force fit agent-based technologies and start shifting left and shifting down.
Shifting left in the public cloud
The objective of shifting left is to ensure that all cloud workloads are born secure. Here, you’ll move security into IDEs and into the CI/CD pipeline to integrate security into the application development process, minimizing the likelihood of vulnerabilities and other security weaknesses from being introduced to your production cloud environments. Applications that are built securely are far less likely to be compromised. This approach also has the tremendous benefit of being far more time- and resource-efficient by minimizing costly rework and delays associated with finding security issues in deployed workloads. This functionality is typically offered via a combination of CSPM and CIEM technologies that are increasingly being integrated into Cloud Native Application Protection Platforms (CNAPP). Step one, complete.
Shifting down in the public cloud
With your workloads built and deployed securely, the next step is to shift down. Even with vulnerabilities eliminated and a workload deployed into a securely configured environment, there is still a need to monitor behavior and guard against threats. But, as mentioned previously, traditional agent-based approaches won’t apply to many cloud services. Shifting down means moving many of the capabilities traditionally provided by a CWPP agent into the network. Runtime enforcement capabilities provided by solutions like Zscaler’s Zero Trust for Workloads allow for behavioral monitoring and control, threat prevention, and data loss prevention across all services, with no agents.
Together, these two approaches can help you eliminate the complexity of protecting cloud workloads, while simultaneously improving the speed and efficiency with which your development organization can build and deploy secure cloud workloads.