What is Workload Protection?
In the security world, everyone is familiar with cyberthreat protection and data protection. Whether these controls are delivered from a cloud security platform or by appliances in a data center or regional gateway, they essentially keep malicious traffic from entering the network and stop sensitive data from leaking out. Workload protection is a different kind of security control: it secures the communications between applications themselves, such as ERP software in one cloud that talks to a database in another, a line-of-business app that exchanges data with financial software and collaboration tools, or a project management application that exchanges data with CAD software. The possibilities are endless.
Cloud applications have become fundamental to business operations, and employees would be hard-pressed to do their jobs without access to them. As the balance quickly shifts from primarily on-premises to cloud-native, cloud workload protection is becoming a top priority for security teams.
Cloud service providers (especially the larger ones) have strong, built-in security and often promote their secure infrastructure as a competitive advantage. But while cloud providers are responsible for the security of the cloud, cloud customers, under the Shared Responsibility Model, remain responsible for security in the cloud: the applications, workloads, and data they deploy there, and the communications among them.
Why traditional controls don’t work for cloud applications
Legacy network-based technologies don’t translate well into cloud environments, which are elastic, only loosely coupled to infrastructure, and lack a static perimeter at which to place security controls. Furthermore, most enterprises host applications across multiple cloud service providers as well as the data center, which makes consistent visibility into workloads hard to achieve. Security teams need to put the applications and services themselves at the center of the security plan.
Instead of the network paths that applications traverse, controls should be tied directly to the identity of the communicating applications and services. It’s no longer sufficient to define software by its address or traffic route, because addresses change constantly, especially in a cloud environment, and security teams end up writing an ever-growing number of rules just to keep up with that change.
The ephemeral nature of the cloud presents multiple challenges to security teams. Legacy security technologies assume that anything inside the network can be trusted, a model that no longer holds in today’s threat landscape. Perimeters have all but disappeared, encryption makes traffic inspection difficult, and classifying distributed data is resource-intensive. All of these challenges make cloud environments especially attractive targets for attackers.
Enterprises that rely on endpoint protection platform (EPP) products designed solely for end-user devices (desktops, laptops) to protect server workloads are putting enterprise data and applications at risk.
Protection at the application level offers multiple benefits
By adding controls around the specific applications, instead of around every device or user, workload protection helps you answer questions such as: Which applications are communicating? Which ones should be communicating? Are the right systems talking to one another, and is unwanted traffic being blocked rather than allowed to persist?
With answers to these questions, you can allow only verified workloads to communicate in your public, private, or hybrid cloud environment, reducing risk and strengthening protection against data breaches.
Tracking assets and policy inventories is difficult, and dependencies are affected every time a cloud instance changes, which can lead to management and availability issues. Additionally, data flow mapping in a cloud is complex because services can change location, which increases the number of data points that must be monitored and managed.
In contrast, workload protection simplifies tracking and protection and anticipates the impact of change by focusing on applications rather than the environment in which they are communicating.
Consistent protection independent of location
Traditional security tools that use IP addresses, ports, and protocols as the basis for policy are not fit for cloud environments. Those attributes can change at any time, often many times in a single day, so controls built on them are unreliable. To counter the problem of address-based controls, workload protection cryptographically fingerprints software based on immutable properties of the software itself rather than of the network, so an attacker cannot alter the software without changing its fingerprint.
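To make the contrast concrete, here is an added example (illustrative code, not Zscaler’s own implementation) that evaluates the same allow rule two ways: keyed on addresses, and keyed on a software identity derived from properties of the workload itself. The fingerprint scheme (a SHA-256 over the executable bytes and a code-signing identity) and the sample workloads are assumptions constructed for the example. It then shows what happens when the ERP workload is rescheduled to a new IP, and when an attacker replaces its binary at the old IP.

```python
"""Identity-based vs. address-based allow rules for workload communication.

Added illustration; not Zscaler code. The fingerprint here is a SHA-256 over
the executable bytes plus the signer name (an assumed, simplified scheme).
Workloads and "binaries" below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    executable: bytes   # stand-in for the binary on disk (constructed)
    signer: str         # stand-in for the code-signing identity (constructed)


def fingerprint(w: Workload) -> str:
    """Identity from immutable software properties; the IP is deliberately excluded."""
    h = hashlib.sha256()
    h.update(hashlib.sha256(w.executable).digest())
    h.update(b"\x00" + w.signer.encode())
    return h.hexdigest()


class AddressPolicy:
    """Legacy style: rule keyed on (src_ip, dst_ip, dst_port)."""
    def __init__(self):
        self.rules = set()

    def allow(self, src: Workload, dst: Workload, port: int) -> None:
        self.rules.add((src.ip, dst.ip, port))

    def permits(self, src: Workload, dst: Workload, port: int) -> bool:
        return (src.ip, dst.ip, port) in self.rules


class IdentityPolicy:
    """Workload-protection style: rule keyed on (src_identity, dst_identity, dst_port)."""
    def __init__(self):
        self.rules = set()

    def allow(self, src: Workload, dst: Workload, port: int) -> None:
        self.rules.add((fingerprint(src), fingerprint(dst), port))

    def permits(self, src: Workload, dst: Workload, port: int) -> bool:
        return (fingerprint(src), fingerprint(dst), port) in self.rules


def scenario() -> dict:
    erp = Workload("erp", "10.0.1.10", b"\x7fELF erp v1", "Vendor A")
    db = Workload("db", "10.0.2.20", b"\x7fELF postgres 15", "PostgreSQL")
    addr, ident = AddressPolicy(), IdentityPolicy()
    addr.allow(erp, db, 5432)    # one rule, written both ways
    ident.allow(erp, db, 5432)

    # 1. Same software, rescheduled onto a new address (ordinary cloud churn).
    erp_moved = Workload("erp", "10.0.1.57", erp.executable, erp.signer)
    # 2. Attacker replaces the binary at the original address (compromise).
    erp_tampered = Workload("erp", "10.0.1.10", b"\x7fELF erp v1 + implant", "unknown")

    return {
        "address_after_move": addr.permits(erp_moved, db, 5432),        # False: rule is now stale
        "identity_after_move": ident.permits(erp_moved, db, 5432),      # True: identity unchanged
        "address_after_tamper": addr.permits(erp_tampered, db, 5432),   # True: address still matches
        "identity_after_tamper": ident.permits(erp_tampered, db, 5432), # False: fingerprint changed
    }


if __name__ == "__main__":
    for outcome, allowed in scenario().items():
        print(f"{outcome}: {'ALLOW' if allowed else 'DENY'}")
```

The address-based rule fails in both directions: it breaks legitimate traffic when the workload moves, and it keeps allowing traffic after the software at that address has been replaced. The identity-based rule needs no update on the move and denies the tampered binary without any new rule being written.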
Using Zscaler’s zero trust, identity-centric policies, you get consistent workload protection without cumbersome architectural changes. You can also apply recommended application segmentation policies in one click, so all of your cloud-based workloads are protected uniformly, independent of network location.
Continual risk assessment
Most security practitioners know that their corporate networks are vulnerable to compromise, but most can’t quantify the level of risk those networks pose to the organization, particularly with respect to application exposure. Zscaler automatically measures your visible network attack surface by counting the application communication pathways in use. It also quantifies risk exposure based on the criticality of the communicating software, and uses machine learning to recommend the smallest set of zero trust security policies, which reduces the probability of a data breach while keeping policy easy to manage.
In all cases, the solution should support the growing requirement for identity-based “microsegmentation” (more granular, software-defined segmentation also referred to as zero-trust network segmentation).
With Zscaler Workload Segmentation’s topology mapping, I have an accurate representation of our ever-changing environment and can eliminate potential attack paths that place client data at risk.
The role of segmentation in workload protection
Segmentation is a core workload protection strategy because it eliminates the excessive access that flat networks allow. On a flat network, an attacker who compromises one host can move laterally to other workloads in cloud and data center environments. By segmenting, or isolating, applications and eliminating unnecessary pathways, any compromise is contained to the affected asset, reducing the “blast radius.”
Segmenting applications and workloads, also known as microsegmentation, lets you create intelligent groups of workloads based on their own characteristics and on which workloads communicate with each other. Because policy follows those characteristics rather than the dynamically changing network or the business and technical requirements placed on it, microsegmentation delivers security that is both stronger and more reliable.
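The attack-surface measurement and blast-radius reduction described above can be computed directly. The following is an added example (not Zscaler code) that builds a least-privilege allowlist from a set of observed flows, counts the permitted pathways on a flat network versus under that allowlist, computes how far an attacker could move laterally from a compromised workload in each case, and flags any flow that the policy does not permit. The six workload names and the flow records are constructed sample data; in practice the flows would come from observed traffic.

```python
"""Attack surface and blast radius on a flat network versus under a
least-privilege segmentation policy derived from observed flows.

Added illustration, not Zscaler code. Workload names and flow records below
are constructed; in practice the flows would come from observed traffic.
"""
from collections import deque

# Constructed workload inventory (six servers across cloud and data center).
WORKLOADS = ["web", "erp", "db", "ci", "cad", "pm"]

# Constructed observed flows (src, dst, dst_port): what the business actually uses.
OBSERVED_FLOWS = [
    ("web", "erp", 8443),
    ("erp", "db", 5432),
    ("ci", "erp", 8443),
    ("pm", "cad", 443),
]


def flat_policy(workloads):
    """Flat network: every workload may initiate a connection to every other."""
    return {(s, d) for s in workloads for d in workloads if s != d}


def segmented_policy(flows):
    """Allowlist with one (src, dst) pair per observed flow; everything else denied."""
    return {(s, d) for s, d, _ in flows}


def reachable(policy, start):
    """Workloads an attacker who controls `start` can reach by lateral movement,
    following only the directions the policy permits (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in policy:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def attack_surface(policy):
    """Number of permitted communication pathways."""
    return len(policy)


def violations(policy, flows):
    """Flows seen on the wire that the policy does not permit:
    the 'should these systems be talking?' check."""
    return [(s, d, p) for s, d, p in flows if (s, d) not in policy]


def compare(start="web"):
    """Pathway count and blast radius from `start` on a flat vs. segmented network."""
    flat = flat_policy(WORKLOADS)
    seg = segmented_policy(OBSERVED_FLOWS)
    return {
        "flat_pathways": attack_surface(flat),
        "segmented_pathways": attack_surface(seg),
        "flat_blast_radius": len(reachable(flat, start)),
        "segmented_blast_radius": len(reachable(seg, start)),
    }


if __name__ == "__main__":
    print(compare("web"))
    # A new, unexpected flow (constructed) shows up as a policy violation:
    policy = segmented_policy(OBSERVED_FLOWS)
    print(violations(policy, OBSERVED_FLOWS + [("cad", "db", 5432)]))
```

With the constructed flows, the flat network exposes 30 pathways and a compromised web server can reach all five other workloads; the allowlist exposes 4 pathways and confines the same compromise to the ERP server and its database, while a compromised CAD host can reach nothing. The `violations` check is the operational half: once the allowlist exists, any flow outside it is something to investigate rather than something that silently persists.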
Zscaler Workload Segmentation (ZWS) is a new and far simpler way to segment application workloads with one click. ZWS applies identity-based protection to your workloads without any changes to the network. Zscaler Workload Segmentation:
- Prevents lateral movement of malware and ransomware across servers, cloud workloads, and desktops, and stops threats with zero trust security
- Delivers uniquely simple microsegmentation, driven by machine learning, that automates policy creation and ongoing management
- Provides unified visibility into communicating applications on-premises and in public clouds