What Is a Cloud Workload Protection Platform (CWPP)?

Part 1 in a series on cloud security solutions: Choosing the right solution for securing your cloud and hybrid environments can be complicated. The market is an alphabet soup of acronyms, and it's hard to tell what you'll get from one product to the next or from one vendor to another. That complexity can lead to gaps, confusion, tool sprawl, and weakened defenses.

To help you make sense of the current tooling landscape, we're going to dig into individual product categories, explaining what they are, what they do, and their strengths and weaknesses. We'll also compare cloud-native network detection and response (NDR) to those products and show you where NDR provides similar or complementary capabilities.

What is a Cloud Workload Protection Platform (CWPP)?

The answer to that question is right there in the tool's name: CWPPs were designed to protect cloud workloads from attacks. CWPPs check for vulnerabilities in static code, perform system hardening, and identify workload misconfiguration, all of which can help to reduce security risk. Use cases can include system file integrity monitoring, application whitelisting, host-based firewalling, patching and configuration management, anti-malware scanning, and endpoint threat detection and response.

How do CWPPs Work?

Typically, CWPPs are agent-based tools that typically use a combination of tactics to secure cloud workloads, including network segmentation, system integrity protection, host-based intrusion prevention and detection, and anti-malware capabilities. Although they provide security at a workload level, CWPPs do not offer coverage at the data or application layer. When defending containers, CWPP tools exclude runtime security, a crucial component of advanced threat detection and response.

How Does NDR Compare to CWPP?

Network detection and response (NDR) tools take a network-based approach to securing cloud workloads, including containers. Every workload uses the network to communicate, making network data the ultimate source of truth for cloud-focused security analysts, incident responders, and forensic investigators. Although network-based tools have been used for on-premises security for years, in the past it was often difficult to gather network data in cloud environments. With the introduction of network taps from major cloud service providers (CSPs) as well as third-party packet brokers, much of the friction and complexity previously associated with NDR in the cloud has been removed. And, unlike log- and agent-based data, network data can't be turned off or modified.

While NDR and CWPP share some capabilities, there are also major differences. CWPPs do a good job of securing compute instances and monitoring risk, and many support multiple IaaS providers and other cloud environments, but they are not built to monitor and analyze all network traffic flowing within your cloud environment. Additionally, NDR solutions offer decryption and runtime security, things most CWPP tools lack. Finally, NDR platforms can provide security at the data and application layers, a major differentiator between them and CWPP tools.

NDR and CWPP: Better Together

Although NDR and CWPP can be viewed as competing security categories, they can also play well together. NDR products excel at visibility and threat detection inside the perimeter, which allows security teams to investigate and respond to advanced threats that make it past CWPP tools. NDR tools can also detect and alert on lateral movement and supply chain attacks that evade CWPP tools. This defense-in-depth strategy only makes cloud environments more secure. And with best-in-class NDR solutions, it's possible to combine on-premises and multicloud security together in the same user interface, enhancing advanced threat defense in hybrid environments.