Cloud native development relies on workloads spread across any number of compute options – virtual machines (VMs), containers, serverless and many points in between. These components which make up cloud native applications can be created and spun down in a matter of hours or even minutes – they are surprisingly ephemeral.
Moreover, protecting these workloads can be difficult. Discovering when they have been created, determining who or what is accessing them and figuring out whether they are configured correctly is a monumental task not suited for manual security work. That's why the market has seen an influx of platforms specially designed to protect them. These so-called cloud workload protection platforms (CWPP) are evolving almost as quickly as the workloads themselves, and understanding key functionality can be overwhelming.
Gartner recently released its 2020 Market Guide for Cloud Workload Protection Platforms. The annual guide examines the latest developments in cloud native infrastructure security and offers recommendations on how enterprises should protect these components across the continuum of compute options, including VMs, containers and serverless workloads.
Palo Alto Networks was listed as a Representative Vendor for CWPP, including the following areas for Prisma Cloud:
- Container and Kubernetes protection capabilities.
- Serverless protection.
- Identity-based segmentation, visibility and control.
- Cloud Security Posture Management (CSPM).
From our view, Prisma Cloud brings together these capabilities with a single Cloud Native Security Platform to provide today’s enterprises with a comprehensive solution for securing cloud workloads across clouds and architectures. Below, we’ll explore cloud workload protection basics, and what we believe are several key takeaways from this year's report.
What Is a Cloud Workload?
First, it may be helpful to understand what these platforms can actually protect. A workload can be broadly defined as the resources and processes needed to run an application. A cloud workload typically includes an application, but it also involves things like data served to and generated by the application, as well as network resources required to connect users to the application or to connect different parts of the application together.
Most organizations' workloads now typically span multiple cloud service providers (CSPs) and compute options, and a majority of organizations intentionally choose multiple types of infrastructure offerings based on business needs. According to Gartner, “Protection requirements for cloud-native applications are evolving and span virtual machines, containers and serverless workloads in public and private clouds. Security and risk management leaders must address the unique and dynamic security requirements of hybrid cloud workloads.”
In the diagram below, Gartner highlights the Evolution of Workload Abstractions as it relates to cloud-native application architectures:
We've talked for a while now about how each infrastructure offering comes with individual configurations and security requirements, which we highlight in our whitepaper titled the Continuum of Cloud Native Topologies.
We've seen that the diffusion of DevOps methodologies has led to the increasing granularity of workloads. DevOps intentionally uses small, frequent iterations, where deployments happen multiple times a week or even multiple times a day.
In order to protect these increasingly ephemeral workloads, security and risk management leaders need to understand what workloads are running where, and Cloud Workload Protection Platforms help them do that.
What Is a Cloud Workload Protection Platform?
Gartner defines cloud workload protection platforms (CWPP) as "workload-centric security offerings that target the unique protection requirements of workloads in modern hybrid, multi-cloud data center architectures." Or as we simply say, these platforms help enterprises protect workloads. They also offer greater visibility and control over them, regardless of their location.
These platforms need to help security leaders continuously assess risk across cloud native architectures and identify vulnerabilities and misconfigurations before deployment, so that fewer problems surface at runtime. They span CSPs to provide greater assurance with less manual effort.
Emerging Trends in Cloud Security Solutions
As the security needs for enterprises evolve, there is an increasing need to combine CWPP functionality with that of cloud security posture management (CSPM) platforms, which focus on assessing security and compliance for cloud services. This new category is called cloud native application protection platforms (CNAPPs).
On this convergence, Gartner states, “There is synergy in combining CWPP and CSPM capabilities, and multiple vendors are pursuing this strategy. The combination will create a new category of CNAPPs (see ‘Top Security and Risk Management Trends’) that scan workloads and configurations in development and protect workloads and configurations at runtime.”
We believe that Prisma Cloud aligns directly with this future vision from Gartner.
Recommendations for Security and Risk Management Professionals
The report highlights key recommendations organizations should consider for securing their cloud infrastructure. Palo Alto Networks has chosen to emphasize the following for a full lifecycle, full stack security approach:
- Require cloud workload protection platform (CWPP) vendors to support containers and serverless today.
- Extend workload scanning and compliance efforts into development (DevSecOps), especially with container-based and serverless function PaaS-based development and deployment.
- Require CWPP vendors to offer integrated cloud security posture management (CSPM) capabilities to identify risky configurations.
To read the report in full, including further in-depth exploration of these recommendations, download your copy of “Market Guide for Cloud Workload Protection Platforms.”