
Cloud Workload Protection Platforms (CWPP) Explained

A Cloud Workload Protection Platform (CWPP) is a cybersecurity solution that protects any type of cloud workload no matter where it runs or the type of infrastructure.

Wiz Experts Team
5 min read

What is CWPP?

A cloud workload protection platform (CWPP) protects any type of cloud workload irrespective of where it runs or the type of infrastructure. CWPP protects cloud workloads running on virtualized private servers and public cloud infrastructure, on-premises data centers, and serverless platforms like AWS Lambda.

It’s this comprehensive protection that makes CWPP a cut above other cybersecurity solutions. As Gartner explains, CWPP takes on the role of a guardian for your workloads “regardless of location.”

How does CWPP work?

CWPP combines machine learning, behavioral analysis, and automated defenses, all working together to keep your cloud workloads secure no matter where they run. It builds a baseline of what is normal for each workload by examining fine-grained patterns and variations in its behavior. With that baseline, it can spot anything unusual that may indicate a threat, raise an alert immediately, and activate response playbooks to stop a potential attack before it causes real damage.

CWPP must start with complete workload visibility, not just of the workloads themselves, but also of their interconnections across the environment.

The first step for a CWPP is to scan workloads and find any security vulnerabilities. It then suggests remedial action to deal with these vulnerabilities. Finally, once known threats are neutralized, CWPP also keeps an eye out for threats that may arise in production, or during runtime.

From an operational point of view, CWPP makes life easy for cybersecurity professionals, as it gives them a single centralized vantage point from which to view their entire technology estate—whether cloud, hybrid, or on-premises. Rather than switching context between multiple security tools, cybersecurity professionals gain added focus on the key issues that need to be addressed across the entire landscape of their software systems.

Pro tip

The Wiz Research team has found that 58% of cloud environments have at least one publicly exposed workload with a cleartext long-term cloud key stored in it. This greatly increases the risk of lateral movement within the VPC and between VPCs.

Benefits: How CWPP fits into your cloud security stack

Let’s explore the key benefits through which CWPP empowers organizations to fend off potential vulnerabilities across your technology stack end-to-end:

Ruthless visibility: CWPP gives you enhanced visibility so your security teams can scrutinize activity, identify anomalies, and take preemptive action against threats with surgical precision. This lets you stay on top of potential security risks in real time and proactively safeguard sensitive data and critical applications.

Proactive threat detection: CWPP’s real-time threat detection recognizes and analyzes emerging threats and ensures security breaches are nipped in the bud. It gives you the edge to respond to incidents as soon as they occur, reducing the damage an incident can cause.

Policy enforcement: CWPP seamlessly integrates security policies throughout your cloud infrastructure and ensures compliance with regulatory mandates and internal security protocols.

Compliance auditing and reporting: CWPP assures adherence to stringent regulatory frameworks, safeguards sensitive data, and ensures the integrity of critical operations. This way, you can rest easy, knowing that your organization is shielded from the consequences of non-compliance.

Example use cases for CWPP

Detecting fileless attacks targeting workloads

The Wiz research team recently discovered a fileless attack named PyLoose, which targets cloud workloads using a Python script that leverages the Linux fileless technique memfd. Fileless attacks, like PyLoose, are particularly elusive due to their reliance on memory-based execution and the Linux memfd feature, making them harder to detect, investigate, and attribute.

Fortunately, the Wiz runtime sensor was able to detect malicious behavior, such as payload delivery and execution, unfolding inside the workload. Below is an example detection from the CWPP:

Runtime Sensor alert for fileless execution (including PyLoose)

Check out the research team's blog below to get a step-by-step analysis of how the PyLoose attack unfolded, and how it was detected.
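The detection above keys on the fact that a memfd-backed payload leaves no file on disk but is still visible through /proc. The following is an added example, not Wiz's sensor code: it walks a /proc-style tree, flags processes whose executable or open descriptors resolve to a memfd object, and separates the strong signal (the executable itself is a memfd) from the weak one (a memfd descriptor, which many benign programs hold). The pids, paths and tree are constructed sample data.

```python
import os
import re
import tempfile
# The kernel exposes anonymous memfd files as "/memfd:<name> (deleted)".
MEMFD_RE = re.compile(r"^/memfd:")

def _safe(fn, path, default):
    try:
        return fn(path)
    except OSError:  # process exited, or no permission for another user's pid
        return default

def scan_proc(proc_root="/proc"):
    """Map pid -> (severity, exe, memfd_fds) for processes touching a memfd.
    "high": the executable itself is a memfd (code ran from memory); "info": only
    an open memfd fd, which browsers, Wayland and systemd use legitimately."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        exe = _safe(os.readlink, os.path.join(pid_dir, "exe"), "")
        fd_dir = os.path.join(pid_dir, "fd")
        memfd_fds = []
        for fd in _safe(os.listdir, fd_dir, []):
            target = _safe(os.readlink, os.path.join(fd_dir, fd), "")
            if MEMFD_RE.match(target):
                memfd_fds.append((int(fd), target))
        if MEMFD_RE.match(exe):
            findings[int(entry)] = ("high", exe, memfd_fds)
        elif memfd_fds:
            findings[int(entry)] = ("info", exe, memfd_fds)
    return findings

def _fake_proc(root, pid, exe, fds):
    # Constructed /proc-style entry for offline demonstration, not a live host.
    fd_dir = os.path.join(root, str(pid), "fd")
    os.makedirs(fd_dir)
    os.symlink(exe, os.path.join(root, str(pid), "exe"))
    for num, target in fds.items():
        os.symlink(target, os.path.join(fd_dir, str(num)))

def demo():
    # Three constructed processes: fileless, ordinary, and a benign memfd user.
    root = tempfile.mkdtemp()
    _fake_proc(root, 123, "/memfd:pyloose (deleted)", {3: "/memfd:pyloose (deleted)"})
    _fake_proc(root, 456, "/usr/bin/python3", {0: "/dev/null"})
    _fake_proc(root, 789, "/usr/bin/firefox", {5: "/memfd:wayland-shm (deleted)"})
    return {pid: f[0] for pid, f in scan_proc(root).items()}
```

Calling scan_proc() with the default root on a live Linux host needs root to read other users' fd directories; unreadable entries are skipped rather than failing the scan.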

An overprivileged user restricted

Imagine you see service A accessing another high-priority service B, which it doesn’t usually access. You wonder if something is amiss. Your CWPP is able to give you insight into each service, its permissions, and how you can secure them. 

You use your CWPP solution to dig in and find that service A has read and write access to service B, when it only requires read access. You now have all the information you need to reduce the privileges of service A and give it a dynamic secret that grants only read access to service B. CWPP provides this crucial context and enables you to make sound decisions.

Revealing misconfiguration and detecting drift

The effective management of host configurations in today's intricate and sprawling application infrastructures is a complex challenge that can lead to vulnerabilities and misconfigurations. CWPP helps tackle this challenge with custom host configuration rules.

Custom host config rules are like a magnifying glass for the black boxes that often are virtual machines. These rules identify misconfigurations and allow you to zoom in on configuration without having to scope into a specific resource.

Example of a custom rule editor that allows for a variety of criteria to be included, from file content testing to permission tests

Custom host config rules empower users to create tailored logic that is executed during automated, agentless workload scans. This means that manual commands on virtual machines or application files are no longer required, ensuring comprehensive coverage across the entire cloud estate.

Custom rules can also be applied automatically to any new workload to determine whether the OS or application is misconfigured. So if the configuration changes over time, whether through user intervention or malicious intent, the CWPP audits the changes and alerts you if there is configuration drift.
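To make the rule and drift idea concrete, here is an added example that is not Wiz's rule engine: two constructed rules (a permission ceiling and a content regex) are evaluated against a directory that stands in for a mounted disk snapshot, so nothing is executed on the VM itself, and a second scan after an sshd_config change is diffed against the baseline to report drift. The rule ids, file contents and modes are constructed sample data.

```python
import os
import re
import stat
import tempfile
# Constructed rules in the style of custom host config rules: file path plus a permission ceiling and/or a content regex.
RULES = [
    {"id": "sshd-no-root-login", "path": "etc/ssh/sshd_config",
     "content_match": r"(?m)^PermitRootLogin\s+no$"},
    {"id": "shadow-not-world-readable", "path": "etc/shadow", "max_mode": 0o640},
]

def evaluate(root, rules=RULES):
    """Map rule id -> pass/fail by reading files below root.
    Agentless: root can be a mounted disk snapshot, so nothing runs on the VM."""
    results = {}
    for rule in rules:
        path = os.path.join(root, rule["path"])
        if not os.path.isfile(path):
            results[rule["id"]] = False  # a missing config file fails, never passes
            continue
        ok = True
        if "max_mode" in rule:  # any permission bit outside the ceiling fails
            ok = (stat.S_IMODE(os.stat(path).st_mode) & ~rule["max_mode"]) == 0
        if ok and "content_match" in rule:
            with open(path, encoding="utf-8", errors="replace") as fh:
                ok = re.search(rule["content_match"], fh.read()) is not None
        results[rule["id"]] = ok
    return results

def drift(baseline, current):
    """Rule ids that passed at baseline but fail in the current scan."""
    return sorted(r for r, ok in baseline.items() if ok and not current.get(r, False))

def _write(root, rel, text, mode):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)

def demo():
    # Constructed host image: compliant at baseline, then sshd_config is edited.
    root = tempfile.mkdtemp()
    _write(root, "etc/ssh/sshd_config", "Port 22\nPermitRootLogin no\n", 0o644)
    _write(root, "etc/shadow", "root:*:19000:0:99999:7:::\n", 0o640)
    baseline = evaluate(root)
    _write(root, "etc/ssh/sshd_config", "Port 22\nPermitRootLogin yes\n", 0o644)
    current = evaluate(root)
    return baseline, current, drift(baseline, current)
```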

Key features to look for in a CWPP

With the number of cybersecurity solutions available, you need a handy list of essential features to look for in a capable CWPP solution. You'll have to carefully scrutinize each option and consider compatibility and scalability before making your pick. 

Here are the top must-haves for your CWPP platform:

Runtime protection: The heart and soul of your CWPP lies in its ability to provide unwavering real-time protection. This means that threats attempting to infiltrate your cloud workloads are swiftly detected and neutralized without any delay. With runtime protection in your CWPP toolkit, you can rest assured that potential damage is mitigated and your operations continue smoothly without any disruptions.

Malware detection and prevention: CWPP is able to spot malware, meaning malicious applications built with the intent to infiltrate a system and steal data or cause damage. Malware can get into a system if any part of it is accidentally left open to the web, or through an insider with bad intentions. CWPP can identify these threats in real time and quarantine them.

Get real-time alerts to harden your security posture against a variety of malware

Agentless scanning: If your CWPP solution supports this, you can say goodbye to the hassle of agent deployment and enjoy the benefits of agentless scanning across your entire cloud stack. Agentless scanning simplifies cloud security management, as it’s a lot easier to get started with. Plus, it's resource-friendly, making sure your cloud environment remains optimized at scale.

An agentless solution should offer full coverage across PaaS resources, virtual machines, containers, serverless functions or sensitive data stored

CI/CD integration: For fortified cloud security at every stage of your software development life cycle (SDLC), seamless integration of your CWPP into the continuous integration and continuous deployment (CI/CD) pipeline is a must. By weaving security measures into every step of your developmental process, you create applications that stand strong against potential vulnerabilities.

Pre-built integrations allow security teams to create automated workflows to quickly route issues to the right teams for remediation

Compliance assessments: A complete CWPP solution should also continuously assess your workloads against all relevant compliance frameworks. The results should be compiled into a compliance heatmap so security teams can quickly determine areas of focus.

Example of a compliance heatmap

CWPP is just one part of the equation

In the ever-evolving cloud landscape, you can't overstate the importance of CWPPs. With CWPP on your side, you gain extensive visibility and proactive threat detection across your workloads – but cloud security doesn't stop there.

A holistic cloud security strategy involves a combination of cloud solutions including:

  • CWPP to protect workloads end-to-end

  • Cloud infrastructure entitlement management (CIEM) to manage permissions at scale

  • Cloud security posture management (CSPM) for secure management of configuration and resources

Together, this combination of solutions is referred to as a cloud-native application protection platform (CNAPP). Embracing a modern CNAPP solution can help you keep pace with the fast-changing cloud landscape and the complexity of fragmented security tooling.

To see for yourself how a CNAPP solution consolidates the benefits of point products into one platform, schedule a demo with our Wiz product experts.
