If you've been following along with David's posts, you'll have noticed a structure to the topics: Part I: The Plan, Part II: The Execution and now we move into Part III: Security Operations. Things get a bit more exciting at this point as we discuss topics to detect, delay and mitigate active cyber threats. The planning and delivery of our security solutions are about to pay off!
For many enterprises, cloud resources are becoming the data center's core. As these resources grow, it can be difficult for IT staff to keep up with daily administrative tasks, let alone learn the skills to provide security protections. So, how does one protect a variety of workloads in the cloud without having to worry about security misconfigurations?
Introducing Cloud Workload Protection Platforms
A Cloud Workload Protection Platform, or CWPP, is a service that provides a set of protections for resource types, such as virtual machines, containers, or databases. CWPPs can make the administrator's job easier by providing them with an easy button for protecting cloud workloads.
Workload Protection Examples
Here are some CWPP examples and a brief description of what protections they provide:
Building a workload protection framework
A CWPP can often be used independently, but it’s usually operated within the framework of other services. Some common components in a workload protection framework include:
- CSPM – Cloud Security Posture Management
- CWPP – Cloud Workload Protection Platform
- DevSecOps – Security Operations as it relates to application development
- SIEM – Security Information and Event Management
Note: Microsoft refers to their CSPM + CWPP as a CNAPP – Cloud Native Application Protection Platform.
Image 1: A workload protection framework example. Courtesy Microsoft
Challenges with multi-cloud architectures and CWPP
Workload protection service offerings from vendors will vary greatly. Don’t depend on vendors to understand every unique workload requirement. Develop a CWPP framework that matches your organization’s needs. Here are a few common challenges to consider:
Integration Complexity
Each cloud provider may offer a unique set of APIs, services, and management tools. Integrating a CWPP across multiple cloud environments requires deep knowledge of each platform to ensure security controls are properly implemented and maintained.
Inconsistent Security Controls
Cloud vendors often have different security controls and capabilities. This inconsistency can lead to gaps in security posture when applying a uniform security strategy across multiple clouds.
Complex Threat Landscape
A multi-cloud environment expands the attack surface, introducing complex security threats that can vary from one cloud to another. Keeping up with evolving threats and adapting CWPP configurations accordingly across different clouds requires continuous effort and expertise.
Cost Management
Deploying and managing CWPPs across clouds can be costly. Organizations must carefully consider the costs associated with licensing, operations, and any additional services required to maintain security across different platforms.
Skill Gaps
There is often a shortage of skilled security professionals who are proficient in managing and securing workloads across one or multiple cloud platforms. This skill gap can lead to misconfigurations and potential security vulnerabilities.
Summary
Cloud administrators often know little about the applications being used. Workload protections, such as CWPP, can make security much less complicated. It’s important to graduate into the use of CWPP in a phased approach as needed for your organization.
References
Microsoft Defender for Cloud | Microsoft Security
About This Blog Series
Follow the full series here: Building Defenses with Modern Security Solutions
This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.
Labs
For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.
Compliance
All topics mentioned in this series have been mapped to several compliance controls here.
David Broggy, Trustwave’s Senior Solutions Architect, Implementation Services, was selected last year for Microsoft's Most Valuable Professional (MVP) Award.
