Resources > Security Terms Glossary > What is Gartner CWPP

What is Gartner CWPP?

What is Gartner’s definition of CWPP?

According to Gartner, a cloud workload protection platform (CWPP) is defined as a workload-centric security offering intended to meet the unique protection requirements of workloads in today’s hybrid, multicloud, and data center environments. Additionally, Gartner states that CWPPs should deliver consistent control and visibility for physical machines, virtual machines, containers, and serverless workloads, regardless of location.

Moreover, Gartner insists that a true cloud workload protection platform should scan for known vulnerabilities upon deployment, while protecting workloads from attacks at runtime using a combination of system integrity protection, identity-based microsegmentation, application control, memory protection, behavioral monitoring, host-based intrusion prevention and optional anti-malware protection.


Why does Gartner recommend CWPP?

Generally speaking, legacy network-based technologies don’t translate well into cloud environments. Furthermore, most enterprises use a combination of multiple cloud service providers and the data center to house applications, complicating their ability to gain consistent visibility into workloads. They need to put applications and services, themselves, at the center of the security plan. 

More specifically, endpoint protection platforms (tools developed to protect laptops, desktops, and mobile devices) are not adequate for server workload protection, putting enterprise data at risk. Next, most organizations use more than one public cloud IaaS, with many piloting container-based applications and are experimenting with serverless PaaS.

Therefore, workload security needs to start proactively in deployment to scan container and serverless workloads for vulnerabilities and misconfigurations as misconfigurations often present a greater risk to organizations than workload compromise.

Enterprises using endpoint protection platform (EPP) offerings designed solely for protecting end-user devices (e.g., desktops, laptops) for server workload protection are putting enterprise data and applications at risk.

Gartner, Market Guide for Cloud Workload Protection Platforms

What to look for in a CWPP, according to Gartner

As enterprises evolve, the need for a cloud workload protection platform continues to increase. Therefore, Gartner recommends the following when comparing and contrasting different CWPP solutions:

  • The future of most enterprise data centers is a hybrid, multicloud architecture, therefore, CWPP offerings must also protect physical machines, VMs, containers, and serverless workloads, but this needs to be done from a single console and managed from a single set of APIs, regardless of location.
  • A complete CWPP offering should expose all of its functionality via APIs to facilitate automation in cloud environments.
  • Container protection MUST be a capability as you evaluate CWPP platforms
  • CWPP vendors should be able to share a roadmap and architecture design for serverless protection as this is expected to become mandatory within 12 months.

For Gartner’s full list of CWPP recommendations, please have a look at their 2020 Market Guide for Cloud Workload Protection Platforms (registration required). 


Top CWPP considerations for security leaders, according to Gartner

Product features aside, security professionals should consider both CWPP functionality and how to incorporate these features into developing a future-forward cloud workload protection platform. Gartner recommends the following:

  • Architect for consistent visibility and control of all workloads regardless of location, size, or architecture
  • Require cloud workload protection platform (CWPP) vendors to support containers with planned solutions for serverless
  • Extend workload scanning and compliance efforts into development (DevSecOps), especially with container-based and serverless function PaaS-based development and deployment
  • Require CWPP offerings to expose all functionality via APIs 
  • At runtime, replace antivirus-centric strategies with a “zero-trust execution”/default-deny approach to workload protection where possible, even if used only in detection mode
  • Architect for CWPP scenarios where runtime agents cannot be used or no longer make sense
  • Require CWPP vendors to offer integrated cloud security posture management (CSPM) capabilities to identify risky configurations

How does the Zscaler fit into Gartner’s definition of a CWPP?

A key component of the Zscaler platform is Zscaler Cloud Protection, which offers services critical to protecting workloads, including:


Cloud Security Posture Management

The misconfiguration of cloud apps is not only common but detrimental to the safety of enterprise data—one of the most common sources of cloud data loss. Cloud Security Posture Management (CSPM) quickly identifies and remediates application misconfigurations in IaaS, PaaS, and SaaS, e.g., Microsoft 365.


Zero Trust Access

Today, VPNs, or anything that exposes users and applications to the internet, increase the likelihood of your network being discovered, attacked, and exploited, as every internet-facing firewall or tool is a potential attack surface and a backdoor leading to increased risk. As part of the Zero Trust Exchange, Zscaler Private Access (ZPA) provides your workforce, B2B customers, and suppliers with secure access to cloud applications without placing them on the network and  without exposing your applications to the internet. 


Secure Any-to-Any Connectivity

Extending your “trusted” network to public clouds with site-to-site VPNs is costly, dangerous, and complicated. In contrast, Zscaler Cloud Connector provides zero trust app-to-app and app-to-internet connectivity across hybrid and multi-clouds. Essentially, Cloud Connector eliminates the complexity and cost of hubs, virtual firewalls, and VPNs, and static, network-based policies. 


Workload Segmentation

IP-based network segmentation is ill-equipped to handle dynamically changing cloud workloads, as most segments are configured to be more open than they should, raising your chances of exposure and lateral movement. Zscaler Workload Segmentation is a faster way to achieve microsegmentation of app workloads. It allows you to quickly identify risk, apply segmentation, and automatically update policies—without network changes and with 90 percent fewer microsegmentation policies.

Zscaler, through its Zscaler Cloud Protection services, including Zscaler Workload Segmentation, meets Gartner’s strict requirements for a comprehensive, future-ready cloud workload protection platform.


Additional Resources