
What is Cloud Workload Security?

05.Jan.2017
SecludIT, now part of Outpost24
The common belief that IaaS providers are responsible for the security of customer workloads is wrong. The shared responsibility model for Infrastructure as a Service (IaaS) means that enterprises have to adapt traditional security practices to secure cloud-based workloads. A cloud workload is a discrete capability or amount of work you would like to run on a cloud instance. It can be a web server, a container or a Hadoop node, for example.
Figure: Gartner CWPP

New security requirements for Cloud Workload, what changes and why is it different?

The Cloud Security Alliance (CSA) has done the most comprehensive studies on the new requirements brought by cloud computing, and the CSA has identified the top 11 threats:

1. Data breaches
2. Misconfiguration and inadequate change control
3. Lack of cloud security architecture and strategy
4. Insufficient identity, credential, access and key management
5. Account hijacking
6. Insider threat
7. Insecure interfaces and APIs
8. Weak control plane
9. Metastructure and applistructure failures
10. Limited cloud usage visibility
11. Abuse and nefarious use of cloud services


Enterprises need to protect workloads: it is a must-have

For a start, you can't protect what you can't see. So increasing visibility, in order to be able to exercise control, is a foundational step. To address these new requirements, you need new solutions and approaches.

At the same time, the scale and concentration of workloads make them more attractive to attackers. Developers reuse code and templates and are not aware of security best practices for new cloud services, as shown by our study on AWS in 2011.

Why don't traditional solutions work?

Infrastructure as Code brings elastic perimeters and accelerated change; APIs bring a new attack surface and new opportunities for misconfiguration. Imagine deleting a data center with a few lines of code (or a bug).

Furthermore, the configuration of the cloud services themselves is a new attack surface that must be monitored. While it is possible to deploy agents in the virtual instances, those agents will not evaluate the configuration of the cloud services, and they are an additional hassle to manage and support.
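As an added illustration of monitoring cloud-service configuration from outside the instance (example code written for this page, not part of Cloudsec Inspect or any SecludIT tooling), the following Python script walks a constructed CloudFormation-style template and flags three classic misconfigurations: an administrative port open to the whole internet, an S3 bucket without public-access blocking, and an unencrypted EBS volume. The resource names, the template contents, the list of "admin" ports and the check thresholds are all assumptions of the example; the checks are in the spirit of CIS-benchmark style configuration rules rather than a reproduction of any specific benchmark item.

```python
"""Static misconfiguration checks over an IaC template (added example).

The template below is a constructed CloudFormation-style snippet, not a real
deployment. Check names, admin-port list and thresholds are this example's own
choices; agent-based tooling inside the instance would never see this layer.
"""
import json

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}      # assumption: ports we treat as admin-only
ANYWHERE = {"0.0.0.0/0", "::/0"}            # "open to the internet" source ranges

# Constructed sample: one clean group, one over-permissive group, one bucket
# missing public-access blocking, and one unencrypted volume.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "AdminSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "-1", "CidrIpv6": "::/0"}
        ]
      }
    },
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "DataVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": {"Size": 100, "AvailabilityZone": "eu-west-1a", "Encrypted": false}
    }
  }
}
""")

PUBLIC_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                     "BlockPublicPolicy", "RestrictPublicBuckets")


def admin_ports_exposed(rule):
    """Return the admin ports that one ingress rule opens to the whole internet."""
    source = rule.get("CidrIp") or rule.get("CidrIpv6")
    if source not in ANYWHERE:
        return []
    if rule.get("IpProtocol") == "-1":      # all protocols, therefore all ports
        return sorted(ADMIN_PORTS)
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [p for p in sorted(ADMIN_PORTS) if lo <= p <= hi]


def find_misconfigurations(template):
    """Walk the Resources section and return one finding string per issue."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for i, rule in enumerate(props.get("SecurityGroupIngress", [])):
                for port in admin_ports_exposed(rule):
                    findings.append(f"{name} ingress[{i}]: {ADMIN_PORTS[port]} "
                                    f"(port {port}) open to the internet")
        elif rtype == "AWS::S3::Bucket":
            block = props.get("PublicAccessBlockConfiguration", {})
            if not all(block.get(k) is True for k in PUBLIC_BLOCK_KEYS):
                findings.append(f"{name}: public access block not fully enabled")
        elif rtype == "AWS::EC2::Volume":
            if props.get("Encrypted") is not True:
                findings.append(f"{name}: EBS volume not encrypted at rest")
    return findings


if __name__ == "__main__":
    for finding in find_misconfigurations(SAMPLE_TEMPLATE):
        print("FINDING", finding)
```

Running the script reports five findings (three for AdminSg, one each for LogsBucket and DataVolume) and nothing for WebSg. The same walk works against the JSON returned by a cloud provider's describe APIs once the field names are mapped, which is how a control-plane check runs continuously rather than as a one-off audit.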


Enterprises need security solutions specific to cloud workloads

Gartner definition: “CWPP is defined by host-centric solutions that target the unique requirements of server workload protection in modern hybrid data center architectures”

Security engineers are dealing with the following use cases:
– compliance with international or company-specific standards
– vulnerability management
– IaaS usage control
– incident detection and management
– risk management

However, the new requirements brought by IaaS make these use cases harder to address. Or, as Gartner puts it, "Simply running agents designed for on-premises servers and hoping these will work in IaaS is not sufficient" (CWPP).

Compliance and manual security audits are great snapshots of the company's security posture, but they cannot keep up with the pace of today's business. Although automated vulnerability management cannot replace a comprehensive audit by experts, it can greatly reduce exposure to large-scale, automated attacks.

Furthermore, the DevOps way of "deploying often and fully automated" brings a new opportunity for applying patches, and thus improving security, in a timely manner. DevOps teams do not patch live systems. Instead, they patch the templates from which the workloads are generated and then roll the rebuilt workloads into production.
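To make the "patch the template, not the live system" workflow concrete, here is an added Python example (written for this page; not SecludIT's or Cloudsec Inspect's code) that models it end to end: it matches the package versions pinned in each template against an advisory list, bumps the template to the fixed versions as a new revision, and then reports which running workloads were built from an outdated revision and therefore need replacing rather than in-place patching. The templates, package versions, advisory identifiers ("ADV-EXAMPLE-n") and instance ids are all constructed sample data, and the version parser assumes purely numeric dotted versions.

```python
"""Template-first patching check (added example, constructed data throughout).

Models the DevOps pattern: fix the template (golden image) and redeploy,
instead of patching workloads that are already running.
"""
from dataclasses import dataclass


def parse_version(v):
    """'2.4.49' -> (2, 4, 49). Assumption: numeric dotted versions only;
    any non-numeric component compares as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass
class Template:
    name: str
    revision: int      # bumped on every rebuild
    packages: dict     # package -> pinned version


@dataclass
class Workload:
    instance_id: str
    template: str
    revision: int      # template revision this instance was built from


# Constructed advisories: package, first fixed version, placeholder id.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "httpd", "fixed_in": "2.4.51"},
    {"id": "ADV-EXAMPLE-2", "package": "openssl", "fixed_in": "3.0.8"},
]

# Constructed templates and running workloads.
TEMPLATES = [
    Template("web-base", 7, {"httpd": "2.4.49", "openssl": "3.0.7"}),
    Template("worker-base", 3, {"python3": "3.11.4", "openssl": "3.0.8"}),
]
WORKLOADS = [
    Workload("i-0aaa", "web-base", 7),
    Workload("i-0bbb", "web-base", 6),     # built before the last rebuild
    Workload("i-0ccc", "worker-base", 3),
]


def _is_vulnerable(pinned, advisory):
    return parse_version(pinned) < parse_version(advisory["fixed_in"])


def vulnerable_templates(templates, advisories):
    """Return {template name: [advisory ids]} for templates pinning a vulnerable version."""
    out = {}
    for t in templates:
        hits = [a["id"] for a in advisories
                if a["package"] in t.packages and _is_vulnerable(t.packages[a["package"]], a)]
        if hits:
            out[t.name] = hits
    return out


def patch_template(template, advisories):
    """The 'patch the template' step: bump pins to the fixed versions, new revision."""
    pkgs = dict(template.packages)
    for a in advisories:
        if a["package"] in pkgs and _is_vulnerable(pkgs[a["package"]], a):
            pkgs[a["package"]] = a["fixed_in"]
    return Template(template.name, template.revision + 1, pkgs)


def stale_workloads(workloads, templates):
    """Instances built from an older revision than the current template:
    these are replaced by redeploying, never patched in place."""
    current = {t.name: t.revision for t in templates}
    return [w.instance_id for w in workloads
            if w.revision < current.get(w.template, w.revision)]


if __name__ == "__main__":
    print("vulnerable templates:", vulnerable_templates(TEMPLATES, ADVISORIES))
    patched = [patch_template(t, ADVISORIES) for t in TEMPLATES]
    print("after patching:", vulnerable_templates(patched, ADVISORIES))
    print("workloads to replace:", stale_workloads(WORKLOADS, patched))
```

Before patching, only web-base is flagged and only i-0bbb is stale; after the template is rebuilt as revision 8, every web-base instance becomes stale, which is exactly the signal a deployment pipeline uses to roll the fleet. The worker-base template is untouched by the patch step, so its revision does not change and i-0ccc stays current.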

How to implement a plan for Cloud Workload Security?

You have had enough of problem statements and requirements. Now that your company is already putting workloads on IaaS, how do you start?

Establishing priorities and a roadmap is a good way to start. Gartner has defined a hierarchy of protection strategies that will help you.

A good plan might be a bottom-up approach. There are plenty of good tools that may help you during the ride!

Cloudsec Inspect provides the bottom three layers of protection for every IaaS cloud, such as AWS, Microsoft Azure, OpenStack, vCloud and many others.

Discover Cloudsec Inspect features including:

  • configuration and vulnerability management
  • network segmentation analysis
  • integrity monitoring
  • multi-cloud, and hybrid deployments
  • CIS benchmark coverage

