In today’s fast-moving cloud workload security environments, decision-makers are grappling with misconfigurations and vulnerabilities in the cloud. Good vulnerability management in the cloud requires a different approach than traditional solutions meant for on-prem. As defined by Gartner, vulnerability management is the process of identifying, categorizing, and managing vulnerabilities. Traditional scanning approaches, while powerful, require a resource-intensive agent installation on each host. Prioritization is often limited to vulnerability data (e.g. CVSS score, exploit info) and lacks host-specific risks revealed by identity and data analytics.
The cloud deploys applications and services to execute day-to-day business operations. Most organizations rely on cloud workloads to operate at a greater scale. AWS defines a “workload as a collection of resources and code that delivers business value.” A workload might consist of a subset of resources in a single account or be a collection of multiple resources spanning multiple accounts. A small business might have only a few workloads, while a large enterprise may have thousands. Utilizing workloads comes with the increased risk for vulnerabilities on them. Exploiting a vulnerability is an extremely traditional way for attackers to gain entry into your environment, but attacking the cloud happens in a non-traditional way. The public cloud requires a whole new security strategy, demanding the paradigm of vulnerability management to evolve to meet this new world.
Good vulnerability management focuses on strong workload security with identity and data at the heart of its strategy. To further understand, let’s dive into what workload security is and how to execute on it. Simply put, workload security is the process and intention of protecting cloud workloads as they move through cloud environments. Below we’ll review the top solutions for a vulnerability management program in the cloud and workload security in the market.
What is Cloud Workload Protection Platform (CWPP)?
Managing vulnerabilities in the cloud relies on solutions, like CWPP. According to Gartner, CWPP, Cloud Workload Protection Platform, is a “workload-centric security solution that targets the unique protection requirements” of the workloads operating in today’s cloud. At its core it’s vulnerability scanning and management for the cloud. Any workload performing a service, be it an AWS EC2, an Azure VM, or Google containers, offers an opportunity for attack, no matter how briefly the workload is spun up.
As cloud native applications continue to expand across cloud resources, unique security needs arise for each individual workload. The shift to microservices has led to an explosion of entities to protect.
Environments are evolving quickly today. Often DevOps teams are deploying on a daily or weekly basis, meaning your cloud environment is changing frequently, making visibility into the identities, data, configurations, and workloads difficult for security teams.
How Can CWPP Help Vulnerability Management?
CWPP is designed to provide comprehensive and targeted protection for workloads in the cloud. Organizations are moving to Cloud Workload Protection Platform (CWPP) for a few reasons:
- Organizations have legacy infrastructure and applications—these legacy infrastructures make it difficult to move all functionality to the cloud.
- Organizations use multiple cloud providers—many organizations are using several cloud vendors and working in a multi-cloud, hybrid environment. This approach makes it hard for security personnel to see, know, and control where applications and data are within this irregular environment.
- Tradeoff of development velocity for security—rapid development of applications in a CI/CD pipeline often means that security is no longer a stringent gate for applications and workloads. Security experts can’t initiate controls at application run time like they could in the past.
Cloud data is at risk because of the lack of visibility and control, the changing nature of workloads, and the prevalence of the DevOps environment. CWPP can address these challenges because it is built for a multi-cloud environment and is able to assess and secure workloads at runtime.
What are the Security Benefits of a Vulnerability Management Tool, like CWPP?
Here are key advantages of a CWPP to a modern organization running workloads in the cloud.
- Securing Virtualized, Container, and Serverless Environments. Legacy security tools run on a physical server or managed endpoints. These tools were not designed with containers, virtualization, serverless functions, or cloud development in mind. Modern workload protection must span virtual machines, containers, serverless workloads, and other pieces of compute in public clouds.
- Consistency Across Cloud Environments. Reduced visibility of cloud workloads is a challenge — the microservices architecture creates a larger number of smaller workloads. DevOps has caused a decrease in the lifespan of each workload, as workloads are destroyed and replaced with newer versions to keep up with the pace of development. CWPPs offer organizations consistent visibility into the security of their workloads, even if they work with numerous workloads in multiple locations, across a multi-cloud environment.
- Secure Portability of Workloads. CWPP makes it possible to move workloads between environments without compromising security. With CWPP, it is still the same workload secured continuously before and after migration.
- Uncover the True Impact & Severity of Vulnerabilities. As we’ve established, the cloud is ephemeral and periodic scanning will leave you with false negatives. Common Vulnerability Scoring System (CVSS) scores are a start, but they may not be enough. CVSS scores provide a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes, but the scale of the cloud means more workloads and more vulnerabilities. Your team needs more context than just a CVSS score.
- Prioritize Risk. Reduce Alert Fatigue. A strong CWPP offers context into how vulnerabilities relate to other parts of your cloud. This context enables better prioritization of risks. With context into identity, data, and platform configurations, a workload with a 6.5 CVSS score can quickly become a critical risk if that workload is exposed to the internet and has a grossly over permissioned identity on it with access to customer data. This gradation of severity helps teams pick their battles in a world of alert fatigue. On the contrary of alert prioritization, consider a workload that is four layers deep in your cloud, is at least privilege, and has no access to any data. This insight actually allows alert attenuation, downgrading priority to be handled another day.
What Should My Cloud Vulnerability Management Tool Do?
Forrester that your workload security provider has the proper integrations, CSPM capabilities, and actionable reporting.
Your vulnerability management tool should allow for integration of third-party sources. Most vendors provide their own risk source integration to allow customers to discover misconfigurations, vulnerabilities, and suspicious activities in their cloud workloads.
Your tool should have equal CSPM capabilities for cloud service providers. Having equally functional and deep detection and remediation capabilities based on vendor and admin-created rules (relying on compliance and vulnerability checklists) is instrumental in detecting and remediating cloud platform storage, instance, network, and identity management misconfigurations. CWPP solutions should also allow for detecting security drifts and insecure configurations in infrastructure and container build scripts. Assessment of activities (not just configurations) in this domain also helps prevent data breach disasters.
Lastly, your vulnerability management tool should offer actionable and easy-to-configure reporting of suspicious activities. Being able to configure reports and dashboards that show threats in an easy-to-comprehend and easy-to-act-upon aggregated format across all functional areas is critical in an alert-fatigued cloud security world. Creating ad hoc reports and running behavioral analytics on activities are key differentiators that allow for significant labor cost savings when it comes to securing cloud workloads.
Is Standalone CWPP Enough?
In the 2021 Market Guide for Cloud Workload Protection Platforms (CWPP), Gartner states, “Workload protection must span virtual machines, containers and serverless workloads in public and private clouds. Security and risk management leaders should understand the need for protection that spans development and runtime and includes cloud security posture management.”
Similarly, a Forrester report states, “Cloud security should not be a hodgepodge of disparate tools.” Instead of disparate tools, suite providers offer cloud workload protection (CWP), runtime and pre-runtime container security, and cloud security posture management (CSPM).
Two major analysts recommending a solution that combines CSPM, CWPP, and DLP into an integrated tool points to the conclusion that CWPP as a standalone solution is not enough.
How Does Sonrai Help Workload Security?
We firmly believe in building a strategy around the four pillars of cloud security – identity, data, platform, and workload. Yes, CWPP solutions are meant to address the workload pillar, but workloads do not function in isolation in the cloud, and nor do security threats. In fact, they are in constant contact with identities and data. This is why we’ve built our workload security to take into account identity and data context.
Dig offers agentless scanning, but also integrates seamlessly with external cloud-based vulnerability scanners, just enriching them further with our context capabilities. So where does the context come from? And why?
Let’s propose a scenario that actually happened to a major bank not long ago:
There is a vulnerability on a workload, a virtual machine, and a malicious attacker exploits it and gains access. There is a role on this workload that is grossly over permissioned and has access to a bunch of data stores containing some very sensitive information. Once an attacker has exploited the vulnerability, now they have access to this role. It gets worse. With the identity in hand, the attacker now enumerates the data stores looking for sensitive data. Bingo, they’ve found the data they’re looking for, and again, with the compromised non-person identity, and therefore all the permissions of that role, they can exfiltrate the sensitive data.
To put salt in an open wound, because secondary audit is not enabled on the data stores involved, the affected company is entirely unaware of any of this. In fact, they know nothing of it until a 3rd party informs them that their data is for sale on the internet.
As you can see, it takes a perfect storm involving all the cloud pillars to orchestrate a cloud breach. This is why our workload security solution leverages our deep identity graphing and analytics to reveal all permissions between identity and data so you have a full understanding of the blast radius of every vulnerability. A workload with privileged identities on it will cause more business damage and create a larger blast radius. Dig offers ‘risk amplifiers’ – these are the notes that prioritize or deprioritize different risks and ultimately influence the unique severity scores we grade for each risk.
Ready to take on total cloud security? Explore our solution integrating visibility and insights into identity, data, platform and workloads in your cloud.