What is CWPP (Cloud Workload Protection Platform)?

As the use of cloud services has become commonplace in many companies, many new security concepts and ways of thinking have emerged that should be considered for implementation. Within our company, various cloud security keywords fly around every day, but this time I would like to take a look at CWPP (Cloud Workload Protection Platform).

The following Palo Alto Networks blog post introduces the Key Takeaways of the "2021 Gartner Market Guide for CWPP", and the full text is also available for download. I hope this guide helps you understand CWPP better.

https://www.paloaltonetworks.com/blog/2020/05/cloud-2020-guide-cloud-workload-protection-2/

What exactly is a workload in the cloud?

Today's computing workloads in the cloud are extremely diverse. Not long ago, most workloads on the cloud were virtual machines such as AWS EC2, but with the rise and general adoption of new technologies (containers, serverless, etc.), a variety of workloads have become available. Talking with many customers, especially those in departments close to service development, we can see that a wide variety of workloads are being used according to business needs.

Workloads on the cloud are organized in an easy-to-understand white paper by Palo Alto Networks, so I would like to introduce them briefly.

"The Continuum of Cloud Native Topologies"

https://www.paloaltonetworks.com/resources/whitepapers/continuum-cloud-native-topologies

As shown in the figure above, this white paper organizes workloads into seven classifications, but the most commonly used representative workloads are the following five.

  • VMs (virtual machines)
    Perhaps the most common and most numerous workloads are VMs (virtual machines), in which the OS, application, and data run together without separation between them. Typical services include Amazon EC2 and Google Compute Engine instances.
  • Containers
    Unlike a virtual machine, a container shares the kernel of the host OS and creates an isolated space by partitioning resources such as CPU and memory. Containers spread rapidly with the advent of Docker.
    The difference from CaaS, described later, is that the user is responsible for deploying and operating all of the underlying infrastructure. (Think of users installing and running Docker on Amazon EC2 themselves.)
  • CaaS (Container as a Service)
    As the use of containers has increased and their scale has grown, the complexity of deploying and operating container orchestrators such as Kubernetes has become an issue. Therefore, major public cloud providers offer the container deployment and management functions of orchestrators as a service. Typical services include Google Kubernetes Engine and Amazon Elastic Container Service. The difference from on-demand containers, discussed below, is that users can (and should) directly manage the underlying VM and host OS.
  • On-demand containers
    In the CaaS described above, users can directly manage the underlying VM and host OS, but there are cases where developers ask to run containers easily without needing knowledge or configuration of the underlying host OS or VM. An on-demand container platform is a service designed to take advantage of containers without the need for infrastructure considerations. Typical services include AWS Fargate and Azure Container Instances. The difference from serverless, which we will discuss next, is that it runs regular container images that can also run on other container platforms.
  • Serverless
    Serverless technology allows developers to provide just their application code to a service, and the service automatically instantiates the rest of the stack underneath. With serverless, developers simply upload their application packages without having to prepare container images or OS components. Typical services include Amazon Lambda and Azure Functions.

Definition of CWPP

Gartner defines CWPP as follows in the 2021 Gartner Market Guide for CWPP.

"workload-centric security products that protect server workloads in hybrid, multicloud data center environments."

In other words, it is a workload-centric security product that protects server workloads across various cloud environments. I believe CWPP's role is to consistently visualize and control the various workloads in an environment. The cloud environment itself is also becoming hybrid cloud and multi-cloud, so being able to support these seamlessly is another important point.

In addition, in a cloud-native application environment, it is also important to be able to scan in advance, within the development pipeline, for risks (vulnerabilities, compliance violations, etc.) that may be included in the workload. I think many companies feel that this point in particular differs significantly from conventional server security products.

Functions provided by CWPP

As I touched upon above, there are two main perspectives on the functions that CWPP should provide, and each of them is realized through a combination of several functions.

It can be said that CWPP is expected to be able to consistently provide these for various cloud environments and various workloads.

  • Development Scanning
      • Vulnerabilities in components
      • Cloud setting status
      • Secret content
      • Malware content
      • APIs
  • Runtime Protection
      • Vulnerabilities in components
      • Cloud setting status
      • Secret content
      • Malware content
      • APIs
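As an added illustration (not code from this page, from Macnica, or from any CWPP product), the following Python script shows what the "development scanning" side of that list looks like when it runs as a stage in a build pipeline: static checks over a constructed Dockerfile and a constructed Kubernetes container spec that flag credentials baked into the image, a pinned component listed in a vulnerability feed (here a constructed stand-in set, not a real database), risky cloud/runtime settings such as privileged mode and running as root, and a severity gate that decides whether the pipeline may continue. All sample inputs, package names, hostnames and the feed entry are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed Dockerfile used as sample input (not from the page or any real project).
SAMPLE_DOCKERFILE = """\
FROM python:3.11
ENV DB_PASSWORD=constructed-example-password
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN pip install examplepkg==1.0.0
EXPOSE 22
CMD ["python", "app.py"]
"""

# Constructed Kubernetes container spec fragment; field names follow the
# Kubernetes container/securityContext API shape, values are made up.
SAMPLE_CONTAINER_SPEC = {
    "name": "api",
    "image": "registry.example.invalid/api:latest",
    "securityContext": {"privileged": True, "runAsUser": 0},
}

# Constructed stand-in for a vulnerability feed: (package, version) pairs that a
# real CWPP would pull from a maintained vulnerability database.
KNOWN_VULNERABLE = {("examplepkg", "1.0.0")}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    category: str   # vulnerability | setting | secret | component
    severity: str   # low | medium | high
    message: str


_ENV_RE = re.compile(r"^ENV\s+([A-Za-z_][A-Za-z0-9_]*)(?:=|\s+)(\S+)")
_SECRET_NAME_RE = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|ACCESS_KEY)", re.IGNORECASE)
_PIP_PIN_RE = re.compile(r"pip\s+install\s+([A-Za-z0-9_.-]+)==([0-9][A-Za-z0-9.]*)")
_ADD_URL_RE = re.compile(r"^ADD\s+(https?://\S+)")
_EXPOSE_RE = re.compile(r"^EXPOSE\s+(.+)$")


def scan_dockerfile(text: str) -> List[Finding]:
    """Static checks a pipeline stage can run on a Dockerfile before the image is built."""
    findings: List[Finding] = []
    last_user = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENV_RE.match(line)
        if m and _SECRET_NAME_RE.search(m.group(1)):
            findings.append(Finding("secret", "high",
                                    f"credential-like value baked into the image via ENV {m.group(1)}"))
        m = _ADD_URL_RE.match(line)
        if m:
            findings.append(Finding("component", "medium",
                                    f"ADD fetches {m.group(1)} at build time without an integrity check"))
        for pkg, ver in _PIP_PIN_RE.findall(line):
            if (pkg.lower(), ver) in KNOWN_VULNERABLE:
                findings.append(Finding("vulnerability", "high",
                                        f"{pkg}=={ver} is listed in the vulnerability feed"))
        m = _EXPOSE_RE.match(line)
        if m and any(p.split("/")[0] == "22" for p in m.group(1).split()):
            findings.append(Finding("setting", "low", "image exposes SSH port 22"))
        if line.upper().startswith("USER "):
            last_user = line.split(None, 1)[1].strip()
    # No USER instruction (or USER root) means the container entrypoint runs as root.
    if last_user is None or last_user in ("root", "0"):
        findings.append(Finding("setting", "medium",
                                "container process will run as root (no non-root USER)"))
    return findings


def scan_container_spec(spec: Dict) -> List[Finding]:
    """Manifest checks of the kind a CWPP applies before a workload is admitted."""
    findings: List[Finding] = []
    sc = spec.get("securityContext", {})
    if sc.get("privileged"):
        findings.append(Finding("setting", "high",
                                "privileged container removes most kernel-level isolation from the host"))
    if sc.get("runAsUser") == 0:
        findings.append(Finding("setting", "medium", "container runs as UID 0"))
    image = spec.get("image", "")
    # A digest pins exactly what was scanned; a mutable tag (or no tag) does not.
    if "@sha256:" not in image and (":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest")):
        findings.append(Finding("setting", "low", f"image {image} uses a mutable tag instead of a digest"))
    return findings


def gate(findings: List[Finding], block_at: str = "high") -> bool:
    """Return True when the pipeline may proceed, i.e. nothing at or above block_at severity."""
    threshold = SEVERITY_RANK[block_at]
    return all(SEVERITY_RANK[f.severity] < threshold for f in findings)


if __name__ == "__main__":
    all_findings = scan_dockerfile(SAMPLE_DOCKERFILE) + scan_container_spec(SAMPLE_CONTAINER_SPEC)
    for f in all_findings:
        print(f"[{f.severity:>6}] {f.category:<13} {f.message}")
    print("pipeline gate:", "PASS" if gate(all_findings) else "BLOCK")
```

Run stand-alone, the script reports eight findings on the constructed inputs and blocks the pipeline because of the high-severity ones. The same finding categories (vulnerabilities, settings, secrets) are what the runtime protection side re-evaluates against the workload once it is deployed; the difference is only when and where the check runs.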

When should CWPP be considered?

When should we consider introducing the CWPP described so far? From our conversations with many customers, I think there are two major perspectives.

  • When new workloads are put into production
    I think physical machines and virtual machines still make up a large proportion of workloads in many companies, but business requirements are driving the introduction of new workloads (especially the CaaS, on-demand containers, and serverless mentioned above) in earnest. If you decide to use them, I think it is a good idea to consider CWPP as a new security measure that adapts to the change, since it allows consistent visualization and control of diverse workloads. There may also be cases where the server security products that have been used for a long time cannot technically support the new workloads (e.g. agents cannot be installed when using AWS Fargate). In addition, the use of container technology blurs the line between development and operations and calls for a more DevOps-like development style, so CWPP functions that fit that style become a necessary requirement.
  • When considering how to audit public cloud service settings
    Many companies using the public cloud face two issues: managing the many accounts that have been created within the company, and the risk of incidents caused by improper settings in individual user departments, so they are considering audits of their public cloud service settings. Especially in so-called multi-cloud, where multiple clouds such as AWS and Azure are used for different purposes, centralized auditing is difficult with only the native services on each public cloud, so it is necessary to introduce a mechanism, called CSPM (Cloud Security Posture Management), that automatically audits public cloud service settings and detects risks. Details of CSPM are beyond the scope of this article, but as a recent trend, CWPP (the theme of this article) and CSPM are being integrated because of their complementary characteristics, and products that offer both functions within the same product/license are appearing. (Palo Alto Networks' Prisma Cloud, which we sell, is exactly such a product.)
    Therefore, treating CSPM as the configuration audit tool for public clouds and moving the protection of the workloads that run there to a CWPP provided on the same platform is very meaningful from the viewpoint of future return on investment and a unified response to risk.

Summary

CWPP is a security product that appeared in step with the diversification of workloads and of the cloud environments in which they run. There is also a movement to actively utilize digital technology through digital transformation, and this trend is expected to keep accelerating, so considering security measures such as CWPP is becoming an increasingly important matter for companies.

Through the introduction of Prisma Cloud, we have been supporting many of the most advanced CWPP implementation projects in Japan. If you would like to know more, please feel free to contact us.

Inquiry/Document request

Macnica DevOps team

Mon-Fri 8:45-17:30