Workload protection is the set of security controls and practices that protect the applications and services (the workloads) running across cloud and data center environments, and the communications between them. Closely related to cloud workload security, workload protection mitigates risks that arise from the environment itself, such as misconfigurations, and complements cloud security posture management (CSPM).
Cloud applications have become fundamental to business operations, and employees would be hard-pressed to do their jobs without access to them. To increase departmental productivity, businesses are adopting cloud services like cloud infrastructure from vendors such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. Often, organizations will combine SaaS, PaaS, and IaaS services from a mixture of vendors, creating a multicloud environment.
As organizations worldwide have shifted their operations from on-premises to the cloud, cloud workload protection has become a top priority for security teams.
A Focus on Security
The aforementioned cloud service providers (especially larger ones) have strong, built-in cybersecurity, and often promote their secure infrastructures as a competitive advantage. However, these cloud providers use shared responsibility models, wherein the cloud providers are responsible for the security of the cloud infrastructure itself, while cloud customers retain responsibility for what’s residing in the cloud and what’s communicating—that is, the applications, workloads, and data.
To this end, a range of security products is now on the market to protect workloads and the traffic flowing to and from them in the cloud. They have grown more popular as it has become clear that traditional, perimeter-based security architectures can't keep up with modern threats. To understand why, let's briefly look at how workloads were secured in the past and how their protection needs have changed over time.
How We Traditionally Secured Our Workloads
Legacy network-based controls, such as perimeter firewalls and network access control lists, provided adequate workload protection when business took place on-premises and IT teams had a far smaller volume of data and systems to worry about. These methods held up relatively well because cyberattacks weren't nearly as advanced or intrusive as they are now, and cloud application use was not yet ubiquitous.
The world has transformed considerably since the turn of the decade. Not only do employees now work from everywhere, but cloud and cloud native applications have become necessary for everyday productivity.
IT and security professionals have discovered that legacy technology doesn’t translate well into cloud environments. These environments are elastic, only loosely coupled to infrastructure, and lack a static perimeter at which to place security controls. Furthermore, most enterprises use a combination of cloud service providers and the data center to house applications and communicate workflows, complicating the task of gaining consistent visibility over them.
What this means is that applications and services need to be at the center, rather than the fringes, of security planning.
The Changing Dynamic
Instead of the network paths applications traverse, controls should be tied directly to the identity of the communicating applications and services. Defining software by its address or traffic route is no longer sufficient: addresses change constantly in a cloud environment, forcing security teams to write ever more rules to compensate, and a rule written against an address that has since been reassigned keeps permitting whatever now answers at that address.
The ephemeral nature of the cloud presents multiple challenges to security teams. Legacy security technologies rest on implicitly trusting everything inside the network perimeter, a model that no longer holds in today's threat landscape. Perimeters have all but disappeared, encryption makes traffic inspection difficult, and classifying distributed data is resource-intensive. At the same time, all these challenges make the cloud especially attractive to attackers.
Likewise, endpoint protection platform (EPP) offerings designed solely for end-user devices (desktops, laptops) are not built for server workloads. Enterprises that rely on them for server workload protection are putting enterprise data and applications at risk.
As the cloud has grown, so has the number of the threats to its data. Today’s threat landscape sees a wide array of elusive, potent attacks that, without proper workload protection, can easily wreak havoc on an organization. Some of these threats include:
Cloud ransomware: Cloud environments are not immune to malware and ransomware attacks, which infiltrate such environments to hold sensitive data hostage in exchange for ransom payments.
Supply chain attacks: These attacks compromise a product, typically software, that the target organization uses, for example by inserting a backdoor into the product's code or into the vendor's build and update pipeline. The compromised vendor then unknowingly distributes "trojanized" software updates that open the door to malware and further attacks.
Data loss: Although not a "threat" by definition, this is one of the greatest risks of cloud computing. Data loss is most often caused by blind spots in protection, which can lead to data being exposed through user error or malicious action.
In addition to preventing these and other cloud risks, workload protection offers other substantial benefits, which we’ll cover in the next section.
Security Benefits of Workload Protection
By adding controls around specific applications, instead of around every device or user, workload protection helps you answer questions, such as:
Which applications are communicating?
Which ones should be communicating?
Are the right systems talking to one another without allowing malicious traffic to persist?
With insight into these questions, you can allow only verified workloads to communicate in your public, private, or hybrid cloud environment, mitigating risk and reducing the likelihood of a data breach. Here are some of the ways effective workload protection gives your team a security advantage:
Tracking assets and policy inventories is difficult, and mapping data flows in the cloud is complex because services change location, which increases the number of data points that must be monitored and managed. Workload protection simplifies tracking and anticipates the impact of change by focusing on the applications rather than the environment in which they communicate.
Consistent Protection, Independent of Location
Traditional security tools that use IP addresses, ports, and protocols as the control plane are a poor fit for cloud environments. Those attributes can change at any time, multiple times a day, so controls keyed to them are unreliable. Workload protection platforms instead base protection on properties of the software itself.
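The point made here and in "The Changing Dynamic" above is easiest to see side by side. The following is an added example, not code from this page or from any Zscaler product. It uses a constructed two-day inventory in which the "payments" workload is redeployed to a new address and its old address is handed to an unrelated instance, then evaluates the same flows against address-based rules compiled on day one and against identity-based rules resolved through the current inventory. The workload names, addresses and ports are all made up for the illustration.

```python
"""
Address-based versus identity-based workload policy (constructed example).

Identity-based rules name workloads; address-based rules name IPs. When an
address moves, the address rules both block the legitimate peer at its new
address and keep allowing whoever inherits the old one.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Rule = Tuple[str, str, int]      # (source, destination, destination port)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


def evaluate_address_rules(flows: Iterable[Flow], rules: Set[Rule]) -> List[bool]:
    """Legacy style: match on IPs, so rules silently go stale when addresses move."""
    return [(f.src_ip, f.dst_ip, f.dst_port) in rules for f in flows]


def evaluate_identity_rules(flows: Iterable[Flow], inventory: Dict[str, str],
                            rules: Set[Rule]) -> List[bool]:
    """Identity style: resolve each IP to the workload currently bound to it.
    An address with no known workload never matches, so a reused IP is denied."""
    verdicts = []
    for f in flows:
        src, dst = inventory.get(f.src_ip), inventory.get(f.dst_ip)
        verdicts.append(src is not None and dst is not None and (src, dst, f.dst_port) in rules)
    return verdicts


def address_rules_from(inventory: Dict[str, str], identity_rules: Set[Rule]) -> Set[Rule]:
    """Compile identity rules to IP rules against one inventory snapshot, which is
    what a team does when the enforcement point only understands addresses."""
    ip_of = {name: ip for ip, name in inventory.items()}
    return {(ip_of[s], ip_of[d], p) for s, d, p in identity_rules}


# Constructed intended communication: web -> payments on 8443, payments -> db on 5432.
IDENTITY_RULES: Set[Rule] = {("web", "payments", 8443), ("payments", "db", 5432)}

# Constructed inventories (IP -> workload identity). On day 2 "payments" was
# redeployed to 10.0.2.57 and its old address went to an unrelated instance.
DAY1 = {"10.0.1.10": "web", "10.0.2.20": "payments", "10.0.3.30": "db"}
DAY2 = {"10.0.1.10": "web", "10.0.2.57": "payments",
        "10.0.2.20": "batch-scraper", "10.0.3.30": "db"}

ADDRESS_RULES = address_rules_from(DAY1, IDENTITY_RULES)   # compiled once, never updated

# Constructed day-2 flow log.
DAY2_FLOWS = [
    Flow("10.0.1.10", "10.0.2.57", 8443),  # web -> payments at its new address: legitimate
    Flow("10.0.1.10", "10.0.2.20", 8443),  # web -> stale address now owned by batch-scraper
    Flow("10.0.1.10", "10.0.3.30", 5432),  # web -> db directly: never intended
]


def compare(flows: Iterable[Flow] = DAY2_FLOWS) -> List[Tuple[bool, bool]]:
    """Return (address-rule verdict, identity-rule verdict) per flow, True = allowed."""
    flows = list(flows)
    return list(zip(evaluate_address_rules(flows, ADDRESS_RULES),
                    evaluate_identity_rules(flows, DAY2, IDENTITY_RULES)))


if __name__ == "__main__":
    for flow, (by_addr, by_id) in zip(DAY2_FLOWS, compare()):
        print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}  "
              f"address-rule={'ALLOW' if by_addr else 'DENY'}  "
              f"identity-rule={'ALLOW' if by_id else 'DENY'}")
```

The first flow is the false positive that drives rule sprawl (the team adds a rule for the new address and leaves the old one in place); the second is the quieter failure, where the stale rule now permits traffic to a workload the policy never named. The identity evaluation gets both right without any rule change, because the inventory, not the rule set, absorbs the address churn.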
Continual Risk Assessment
Security practitioners know their corporate networks can be compromised, but most can't quantify the level of risk those networks pose to the organization, particularly the exposure created by application communication. The right workload protection solution measures your visible network attack surface in near real time, showing how many application communication pathways are in use and which of them the applications actually need.
In all cases, the solution should support the growing requirement for identity-based “microsegmentation” (more granular, software-defined segmentation also referred to as zero-trust network segmentation).
With Zscaler Workload Segmentation’s topology mapping, I have an accurate representation of our ever-changing environment and can eliminate potential attack paths that place client data at risk.
John Arsneault, CIO, Goulston & Storrs
Best Practices for Workload Protection
Protecting workloads starts with selecting the right platform. Here are a few tips to help steer you toward potent workload protection software:
Integrate DevSecOps practices: A DevSecOps strategy integrates security throughout the software development life cycle (SDLC), so vulnerabilities are found and fixed while applications are being built and deployed rather than after they are running in production.
Use segmentation with zero trust: Segmentation is a proven strategy for limiting the infiltration and movement of cyberthreats, and segmenting with zero trust policies in place limits such movement further by applying least-privilege principles and context-aware authentication to every connection.
Adopt a cloud workload protection platform (CWPP): An effective CWPP delivers consistent control and visibility for physical machines, virtual machines, containers (including those orchestrated by Kubernetes), and serverless workloads, wherever they run.
The Role of a Cloud Workload Protection Platform (CWPP)
Workload segmentation is a core protection strategy because it removes the excessive access allowed by flat networks, in which an attacker who compromises one host can move laterally to others in cloud and data center environments. By segmenting, or isolating, applications and removing unnecessary pathways, a compromise is contained to the affected asset and the few peers it is permitted to reach, reducing the "blast radius."
Segmenting individual applications and workloads, known as microsegmentation, groups workloads by characteristics of the software that is communicating rather than by network location. Because the policy does not depend on a dynamically changing network or on the business and technical requirements placed on that network, it stays correct as the environment changes, which makes it both stronger and more reliable than network-based segmentation.
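The blast-radius argument above, and the "how many pathways are in use" measurement from "Continual Risk Assessment", can both be made concrete with a small reachability calculation over a communication graph. The following is an added example, not code from this page or from any product; the workloads, the observed flows and the segmentation policy are all constructed for the illustration. It compares the set of workloads an attacker could reach from one compromised host on a flat network against the same set under an allowlist policy, and lists the observed pathways the policy would remove.

```python
"""
Blast radius on a flat network versus under a segmentation policy (constructed example).

Edges are (source workload, destination workload). `flat_network` is the
baseline where anything can reach anything; `POLICY` is the allowlist of
dependencies the application actually needs.
"""
from collections import deque
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Edge = Tuple[str, str]

# Constructed inventory: three application tiers, a jump host and a CI runner.
WORKLOADS: Set[str] = {"web", "api", "payments", "db", "jump", "ci-runner"}

# Constructed flows observed on the flat network (what a topology-mapping tool would record).
OBSERVED: Set[Edge] = {
    ("web", "api"), ("api", "payments"), ("api", "db"), ("payments", "db"),
    ("jump", "web"), ("jump", "api"), ("jump", "db"),
    ("ci-runner", "api"), ("ci-runner", "db"),
}

# Constructed segmentation policy: only the pathways the application needs.
POLICY: Set[Edge] = {("web", "api"), ("api", "payments"), ("payments", "db")}


def flat_network(workloads: Iterable[str]) -> Set[Edge]:
    """Every workload can reach every other workload: the flat-network baseline."""
    ws = set(workloads)
    return {(a, b) for a in ws for b in ws if a != b}


def reachable(start: str, edges: Set[Edge]) -> FrozenSet[str]:
    """Breadth-first transitive closure from `start` over permitted edges: the set
    of workloads an attacker holding `start` could move to."""
    adjacency: Dict[str, Set[str]] = {}
    for s, d in edges:
        adjacency.setdefault(s, set()).add(d)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adjacency.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return frozenset(seen)


def blast_radius(start: str, workloads: Set[str] = WORKLOADS,
                 policy: Set[Edge] = POLICY) -> Dict[str, FrozenSet[str]]:
    """Compare reach from `start` on the flat network and under `policy`."""
    return {"flat": reachable(start, flat_network(workloads)),
            "segmented": reachable(start, policy)}


def unnecessary_pathways(observed: Set[Edge] = OBSERVED, policy: Set[Edge] = POLICY) -> Set[Edge]:
    """Observed pathways the policy does not need: the ones segmentation removes."""
    return observed - policy


def unused_permissions(observed: Set[Edge] = OBSERVED, policy: Set[Edge] = POLICY) -> Set[Edge]:
    """Policy entries no observed flow exercises: permissions to question before deploying."""
    return policy - observed


if __name__ == "__main__":
    print(f"pathways in use: {len(OBSERVED)}, needed by policy: {len(POLICY)}, "
          f"to remove: {len(unnecessary_pathways())}")
    for host in ("web", "ci-runner"):
        r = blast_radius(host)
        print(f"{host}: flat reaches {sorted(r['flat'])}, segmented reaches {sorted(r['segmented'])}")
```

Two things worth noticing in the output: "web" still reaches "db" under the policy, but only through the chain the application legitimately uses, so the lateral path is the application's own dependency graph rather than the whole network; and "ci-runner", which had no business talking to the application tier, reaches nothing at all once its six observed-but-unneeded pathways are removed.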
How Zscaler Can Help
Zscaler Workload Segmentation (ZWS) is a new, far simpler way to segment application workloads with one click. ZWS applies identity-based protection to your workloads without any changes to the network. Zscaler Workload Segmentation provides:
Prevention of lateral movement of malware and ransomware across servers, cloud workloads, and desktops, enforced through zero trust security policies
Simple microsegmentation, driven by machine learning, that automates policy creation and ongoing management
Unified visibility into communicating applications on-premises and in public clouds
It also quantifies risk exposure based on the criticality of communicating software and uses machine learning to recommend the fewest number of zero trust security policies, which dramatically reduces your probability of a data breach while remaining easy to manage.
Request a demo of Zscaler Workload Segmentation and see how a cloud-ready CWPP can make the difference.