Oct 14, 2021
While cloud workload protection is an essential part of cloud security, traditional cloud workload protection platforms (CWPP) have become a clunky, incomplete and outdated means to accomplish this.
With the emergence of the new Gartner category ‘cloud-native application protection platforms (CNAPP),’ companies should be looking at replacing their cloud workload protection solution with a single CNAPP solution that detects risks at the workload and cloud configuration level, reducing complexity and providing full visibility with contextual insight. Why not simply augment your CWPP by deploying a CSPM with cloud configuration coverage? Let me put it this way: adding two wheels together does not make a bicycle.
A CWPP, or cloud workload protection platform, is a cloud security solution that protects workloads (applications or services) that run on physical servers, virtual machines (VMs), containers, and serverless. While the cloud service provider is responsible for the security of their services (i.e. physical access and infrastructure), the customer is responsible for securing the applications, services and data they run and store on their cloud instances. This is where a CWPP comes in.
When companies started to move to the cloud, security vendors repackaged their on-premises security solutions and applied them to the cloud. However, what works in on-premises environments does not necessarily work in the cloud. CWPPs have an especially cumbersome deployment model: they require an agent to be installed for every workload.
Forgot to install an agent? No problem; you now just have zero visibility and risk detection for that workload. Given the highly dynamic, distributed, and ephemeral nature of the cloud, it’s virtually impossible to install an agent on every workload (not to mention that there are so many OSes that agents cannot support all of them), resulting in significant blind spots. Also, this tedious process directly contradicts the whole point of moving to the cloud: speed, agility and lower costs.
“Design for CWPP scenarios where runtime agents cannot be used or no longer make sense. Require CWPP and CSPM vendors to support agentless deployment options.”
Gartner Inc., ‘Market Guide for Cloud Workload Protection Platforms’, By Neil MacDonald and Tom Croll
July 12, 2021
So why will CWPPs soon be a thing of the past? Here are five significant disadvantages of using a CWPP:
If CWPPs only provide workload visibility, why not just augment your cloud security with a CSPM to cover cloud configurations as well? Cloud security done, right? Wrong. A CNAPP is not just a patchwork of two solutions; it is a whole new approach to cloud security.
A CNAPP platform, such as Orca Security, combines cloud workload and configuration intelligence in a unified data model and a single pane of glass, allowing the holistic insight that you just can’t get with separate solutions. By seeing the bigger picture, Orca is able to pinpoint exactly which issues are critical and which ones are not.
For example, does malware found in a powered-off VM warrant your urgent attention? No, but the malware-infected, internet-facing workload housing a secret key that unlocks sensitive data in an adjacent workload should be addressed immediately. Only a true CNAPP like Orca can make these distinctions and see how a combination of seemingly unrelated issues can be leveraged to create an attack path straight to your most valuable assets. Besides, by adding CSPM to your CWPP, you are still left with all the other drawbacks of a CWPP.
And why license two products when you can get it all in one product? Or is your CWPP vendor now also offering a CSPM solution in a ‘single’ platform? For the same reasons stated above, this is not the same as having a CNAPP platform. Gartner even specifically cautions companies against these strategies:
Gartner advises organizations to: “Maximize the use of one third-party vendor across cloud security capability areas to reduce tool complexity. However, be cautious: many third-party vendor ‘suites’ consist of independent acquisitions and may not actually provide coherent control from one single administration point. Set expectations accordingly and assess the reality of integration claims.”
Gartner, Inc., How to Protect Your Clouds with CSPM, CWPP, CNAPP, and CASB, 2021, Richard Bartley
May 6, 2021
Below are 8 reasons why you should consider replacing your CWPP with Orca’s CNAPP platform:
Orca’s CNAPP platform offers agentless cloud security and compliance for AWS, Azure, and Google Cloud in a fraction of the time and operational costs of other solutions. Orca is trusted by global innovators, including Databricks, Autodesk, Lemonade, Gannett, and Robinhood. Connect your first cloud account in minutes.