Key Requirements for CWPP (Cloud Workload Protection Platforms)
Cloud Workload Protection Platforms (CWPPs), now part of the emerging category of Cloud Native Application Protection Platforms (CNAPPs), are designed to secure different types of cloud workloads — such as VMs, containers, and serverless functions — deployed in public, hybrid, or multi-cloud environments. In this blog, we review the core capabilities and architectural considerations that buyers must evaluate when protecting cloud workloads, as defined by Gartner.
Among the recommendations, Gartner suggests that security and risk professionals should:
- Secure workloads earlier by extending workload scanning and compliance efforts into development (DevSecOps), especially for container-based and serverless function platform as a service (PaaS)-based development and deployment.
- Require CWPP offerings to protect physical machines, VMs, containers and serverless workloads — all managed from a single console, regardless of location. Hybrid, multi-cloud architecture represents the future of most enterprise data centers.
- Make container protection capabilities a requirement in your CWPP evaluation. If you are using Kubernetes and considering a managed Kubernetes service, make explicit support of this environment a requirement as well.
- Require CWPP vendors to provide CSPM/KSPM capabilities.
- With immutable infrastructure, CWPP protection strategies will shift to a zero-trust mindset and focus on application control and container lockdown (default deny/zero trust) at runtime, with a stronger emphasis on scanning for vulnerabilities before deployment.
Let’s elaborate on these cloud security needs and how Aqua addresses them.
Shifting Left into CI/CD
Containers and microservices deliver incredible speed and flexibility, with Continuous Integration and Continuous Delivery (CI/CD) becoming the standard for IT teams. This increased velocity of new code being pushed out requires better control over the attack surface and incorporating security earlier into the development phase to enable security issues to be detected early and fixed quickly, before applications are deployed.
Aqua provides this capability for all cloud native workloads: scanning container images, VM images, and functions for known vulnerabilities, embedded secrets, malware, configuration issues, and over-provisioned permissions, integrating directly to the CI pipeline, as well as into registries or function stores. Additionally, Aqua DTA (Dynamic Threat Analysis) detects and prevents images with hidden malware that evade static scanning from being deployed in production environments, and “shifts left” incident response.
Native Controls for Containers and Serverless Functions
Cloud native presents a fundamental shift in architecture. Older security solutions use installed host-based agents and network-based controls that lack the application context and appropriate control points within the new stack. Without these capabilities, it is impossible to adequately detect threats and respond to them.
Aqua was natively architected for containers and serverless, providing full visibility and automated control over workload activity across the entire lifecycle, while remaining transparent and unobtrusive to DevOps. With dedicated instrumentation for each type of workload (the Aqua Enforcer family), Aqua provides security controls that follow the workload wherever it runs, whether it’s a container or a function. This makes it possible to provide granular security that doesn’t disrupt application continuity and is optimized for performance.
Providing Visibility Across All Workloads
These days, almost every cloud native enterprise deployment uses multiple types of workloads, often across multiple or hybrid clouds, and sometimes using more than one management platform (e.g., Red Hat OpenShift but also Tanzu Application Service).
At Aqua we’ve been zealous about supporting all popular platforms and types of workloads, providing a unified view of vulnerabilities, policies, and events across all your environments. We also recognize that many teams and stakeholders are involved, and developed our Aqua RBAC model so that organizations can define access and permissions for all elements within their cloud native environment, while maintaining separation between teams and roles.
Combining CWPP and CSPM
While CWPP secures the cloud native applications (workloads) that you run, CSPM helps you secure the infrastructure on which you run it. This provides protection of your cloud infrastructure and verifies that your cloud services are configured securely. More than just complementing each other, these combined services are essential to provide security and visibility both across and up and down your cloud stack.
With Aqua CSPM, you can continually monitor for security configuration issues, automate controls, and get remediation advice and automation. It supports all major public clouds including AWS, Azure, GCP, and Oracle. It examines user roles and privileges, certificates & MFA, specific service configurations, data encryption, networking, auditing features, usage trends, and conducts anomaly detection. As it monitors your environment, it provides alerts for remediation and reports on regulatory compliance and the CIS benchmarks.
Kubernetes Security Posture Management (KSPM)
Having recognized the need not only to protect container workloads running in Kubernetes but also manage the secure configuration of the many parameters of Kubernetes as an orchestration platform, Aqua pioneered Kubernetes security posture management and coined the term KSPM.
KSPM is a natural extension of CSPM for cloud environments that run Kubernetes. As a result, Gartner is now recommending requiring CWPP vendors to also offer KSPM capabilities.
Using Zero Trust in Runtime Protection
Zero trust security allows organizations to deterministically ensure that their applications are running in the most secure way possible. This helps organizations to reduce the attack surface and makes the reactive controls that complement it (detection and response) more effective, since it reduces the number of events they need to address. Zero trust can be applied to configurations, workload deployment, workload runtime protection, and networking - Aqua provides controls for all these aspects:
Aqua Image Assurance policies define the level of tolerance of what is or is not acceptable in your environment and prevent unapproved images, VMs, and functions from being deployed, preempting operational errors, image sprawl, and rogue deployments.
Aqua’s Workloads Firewall implements micro-segmentation in workloads by automatically suggesting dynamic firewall rules, based on orchestrator concepts (pod name, namespaces), IP/CIDR addresses, and DNS, ensuring that only connections deemed legitimate are allowed, and alerting on or blocking network traversal attempts.
Enforce container and function immutability and detect unapproved changes to running workloads with Drift Prevention. Identify and block malware and zero-day exploits, least-privilege allow-lists detect and prevent anomalous behavior, privilege escalation, or code injection.
Aqua can automatically profile the runtime behavior of a container and use this information to build an Image Profile and apply container restriction and creating an allow-list for specific containers and blocking them from executing certain runtime activities. For example, Aqua can profile the system calls used in runtime by a container and only allow them, blocking the rest to prevent container escape attempts.
Runtime enforcement of the zero-trust model is an essential layer in any cloud native security strategy, and the gap between perception and reality was also exposed in Aqua’s cloud native runtime security survey, showing how security professional overestimate the ability of containers to act as a security boundary, and other issues.
Bringing it All Together
As enterprise requirements continue to evolve around cloud native security, the need to fully exploit the cloud’s capabilities without compromising on security is also growing. Software vendors are expected to deliver a powerful and unified solution that addresses security concerns up and down the stack, throughout the SDLC, and across multiple platforms — and we have risen to the challenge with the unified Aqua Cloud Native Security Platform.
* Gartner, Innovation Insight for Cloud-Native Application Protection Platforms, Neil MacDonald, Charlie Winckless, 25 August 2021
DevSecOps, Cloud Security CSPM, Cloud Workload Protection Platform CWPP