While cloud workload protection is an essential part of cloud security, traditional cloud workload protection platforms (CWPP) have become a clunky, incomplete and outdated means to accomplish this.

With the emergence of the new Gartner category ‘cloud-native application protection platforms (CNAPP),’ companies should be looking at replacing their cloud workload protection solution with a single CNAPP solution that detects risks at the workload and cloud configuration level, reducing complexity and providing full visibility with contextual insight. Why not simply augment your CWPP by deploying a CSPM with cloud configuration coverage? Let me put it this way: adding two wheels together does not make a bicycle.

What is a Cloud Workload Protection Platform (CWPP)?

A CWPP, or cloud workload protection platform, is a cloud security solution that protects workloads (applications or services) that run on physical servers, virtual machines (VMs), containers, and serverless. While the cloud service provider is responsible for the security of their services (i.e. physical access and infrastructure), the customer is responsible for securing the applications, services and data they run and store on their cloud instances. This is where a CWPP comes in.

When companies started to move to the cloud, security vendors repackaged their on-premises security solutions and applied them to the cloud. However, what works in on-premises environments does not necessarily work in the cloud. CWPPs have an especially cumbersome deployment model: they require an agent to be installed for every workload.

Forgot to install an agent? No problem; you now just have zero visibility and risk detection for that workload. Given the highly dynamic, distributed, and ephemeral nature of the cloud, it’s virtually impossible to install an agent on every workload (not to mention that there are just too many OSes that not all of them can be supported by agents), resulting in significant blind spots. Also, this tedious process directly contradicts the whole point of moving to the cloud: speed, agility and lower costs.

“Design for CWPP scenarios where runtime agents cannot be used or no longer make sense. Require CWPP and CSPM vendors to support agentless deployment options.”
Gartner Inc., ‘Market Guide for Cloud Workload Protection Platforms’, By Neil MacDonald and Tom Croll

July 12, 2021

What are the disadvantages of Cloud Workload Protection Platforms?

So why will CWPPs soon be a thing of the past? Here are five significant disadvantages of using a CWPP:

  1. Cumbersome deployment: CWPPs require an individual agent to be installed and maintained for every asset to be secured, leading to slow deployment times, high maintenance costs, organizational friction, and significant impact on asset performance.
  2. No insight into the control plane: CWPPs only cover workloads, they do not offer any insight into the control plane. For that, you would need to deploy a CSPM or CNAPP solution.
  3. Ineffective alert prioritization: Without visibility into the cloud infrastructure, CWPPs can’t see the cloud estate in its entirety, and are unable to prioritize alerts based on environmental context.
  4. Partial coverage: Since it is virtually impossible to deploy agents everywhere and agents do not support every operating system, CWPPs will inevitably have blind spots. On average, we found that less than 50% of assets are covered by cloud workload protection solutions. In addition, agent-based CWPPs have no visibility into machines that are stopped, paused, or idle.
  5. No lateral movement risk detection: Attackers often try to get an initial foothold in the cloud environment and then move towards their actual target. Due to their lack of insight into cloud configurations, CWPPs can only find keys in workloads, not in the cloud infrastructure layer (e.g. storage buckets), potentially leaving important attack vectors exposed.

Why not just use a CWPP and a CSPM?

If CWPPs only provide workload visibility, why not just augment your cloud security with a CSPM to cover cloud configurations as well? Cloud security done, right? Wrong. A CNAPP is not just a patchwork of two solutions, it is a whole new approach to cloud security.

A CNAPP platform, such as Orca Security, combines cloud workload and configuration intelligence in a unified data model and a single pane of glass, allowing the holistic insight that you just can’t get with separate solutions. By seeing the bigger picture, Orca is able to pinpoint exactly which issues are critical and which ones are not.

For example, does malware found in a powered-off VM warrant your urgent attention? No, but the malware-infected, internet-facing workload housing a secret key that unlocks sensitive data in an adjacent workload should be addressed immediately. Only a true CNAPP like Orca can make these distinctions and see how a combination of seemingly unrelated issues can be leveraged to create an attack path straight to your most valuable assets. Besides, by adding CSPM to your CWPP, you are still left with all the other drawbacks of a CWPP.

And why license two products when you can get it all in one product? Or is your CWPP vendor now also offering a CSPM solution in a ‘single’ platform? For the same reasons stated above, this is not the same as having a CNAPP platform. Gartner even specifically cautions companies against these strategies:

Gartner advises organizations to: “Maximize the use of one third-party vendor across cloud security capability areas to reduce tool complexity. However, be cautious: many third-party vendor “suites” consist of independent acquisitions and may not actually provide coherent control from one single administration point. Set expectations accordingly and assess the reality of integration claims.”
Gartner, Inc., How to Protect Your Clouds with CSPM, CWPP, CNAPP, and CASB, 2021, Richard Bartley

May 6, 2021

How Orca Security solves your CWPP problems

Below are 8 reasons why you should consider replacing your CWPP with Orca’s CNAPP platform:

    1. Agentless: By reading your cloud configuration and workloads’ runtime block storage out-of-band, Orca offers a comprehensive, easy to deploy, low maintenance cloud security platform without the performance impact, coverage gaps and operational costs of agent-based solutions.
    2. Workload and control plane visibility: Orca has full visibility into the workloads (OS/apps/data) just like a CWPP, but it also has cloud control plane visibility that a CWPP completely misses.
    3. Single platform: Orca replaces multiple tools by providing a single SaaS-based cloud security platform for workload and data protection (CWPP) and cloud security posture management (CSPM), including vulnerability management and compliance solutions.
    4. 100% Coverage: Orca covers 100% of your cloud assets and automatically detects new assets as they are added. This includes VMs, containers, and serverless, as well as cloud infrastructure resources like storage buckets, VPCs, KMS keys, and much more. Orca even discovers and monitors idle, paused, and stopped workloads, orphaned systems, and devices that can’t support agents.
    5. Effective Alert Prioritization: Unlike solutions that simply report on the severity of each siloed security issue, Orca’s multi-dimensional approach effectively prioritizes risks by considering three crucial factors:
      • Severity: How severe is the underlying security issue? For example, what type of threat is it, how likely is it to be exploited, and what is the CVSS score?
      • Accessibility: How easy is it for an attacker to access the asset that contains this issue? For example, is the asset public facing, or is there lateral movement risk?
      • Business impact: How would the business be impacted if this asset was exploited? For example, is this asset critical to the company’s business, does it contain sensitive PII, or is it adjacent to one that does?
    6. Lateral movement risk detection: Orca effectively identifies unprotected keys, passwords, and other information that an attacker could use to move laterally in your environment.
    7. Detect attack paths missed by other solutions: Unlike CWPPs, Orca leverages context-aware intelligence to recognize when seemingly unrelated issues can be combined to create dangerous attack paths.
    8. Deploy once – secure forever: Orca automatically detects and monitors new cloud assets as you add them, without requiring any manual updates.

About Orca Security

Orca’s CNAPP platform offers agentless cloud security and compliance for AWS, Azure, and Google Cloud in a fraction of the time and operational costs of other solutions. Orca is trusted by global innovators, including Databricks, Autodesk, Lemonade, Gannett, and Robinhood. Connect your first cloud account in minutes. Learn more.