Shift Left and Shift Down with CWPP

RICH CAMPAGNA - SVP, Cloud Protection
March 10, 2022 - 3 min read

In recent years, Cloud Workload Protection Platforms (CWPPs) have become an integral part of many organizations' cloud security strategies. CWPPs provide visibility and control over the behavior of cloud workloads, helping to protect against malware and other threats. The challenge, however, is that CWPP technology has primarily relied on agents installed on cloud workloads. For many cloud-native services, agents are not only disliked by developers but in many cases cannot be installed at all. To overcome this challenge, the capabilities provided by CWPP are increasingly shifting in two directions: to the left, with tighter integration into development and DevOps pipelines, and downwards, into the network.


Challenges with CWPP agents

In the early days of an organization’s cloud journey, where cloud projects often consist of lift-and-shift of traditional applications, CWPP agents can be deployed on the corresponding VMs and provide protection. As organizations mature in their cloud journeys, they increasingly adopt cloud-native services, many of which are offered as serverless. Think managed container services like AWS Fargate, or Function-as-a-Service (FaaS) offerings like Azure Functions or AWS Lambda. With these services, the customer has no access to the underlying host, and therefore no ability to install an agent. Several attempts have been made to recreate CWPP functionality on these types of services, but none can be universally applied to all services, leading to a quagmire with many point products and different policy models for each. 


Key characteristics of cloud-native workloads

Fortunately, several key characteristics of cloud-native workloads have opened the door to changing the game in CWPP. First, the move to cloud often brings changes to process, with security getting involved in application development to identify and remediate risk early, with the objective of instantiating workloads that are already secure. Second, the footprint of the application code running in microservices is significantly smaller and single-purpose, making behavior more predictable and deviations easier to detect. Finally, many such workloads have a very short lifespan, making it difficult for an attacker to gain persistence before the workload is decommissioned and a new one deployed.

What does all of this mean for CWPP? It means you can stop struggling to force-fit agent-based technologies and start shifting left and shifting down.

Shifting left in the public cloud

The objective of shifting left is to ensure that all cloud workloads are born secure. Here, you move security into IDEs and into the CI/CD pipeline so that it becomes part of the application development process, minimizing the likelihood that vulnerabilities and other security weaknesses are introduced into your production cloud environments. Applications that are built securely are far less likely to be compromised. This approach also has the tremendous benefit of being far more time- and resource-efficient, since it minimizes the costly rework and delays associated with finding security issues in already deployed workloads. This functionality is typically offered via a combination of CSPM and CIEM technologies that are increasingly being integrated into Cloud Native Application Protection Platforms (CNAPP). Step one, complete.


Shifting down in the public cloud

With your workloads built and deployed securely, the next step is to shift down. Even with vulnerabilities eliminated and a workload deployed into a securely configured environment, there is still a need to monitor behavior and guard against threats. But, as mentioned previously, traditional agent-based approaches do not apply to many cloud services. Shifting down means moving many of the capabilities traditionally provided by a CWPP agent into the network. Runtime enforcement capabilities provided by solutions like Zscaler's Zero Trust for Workloads allow for behavioral monitoring and control, threat prevention, and data loss prevention across all services, with no agents.

Together, these two approaches can help you eliminate the complexity of protecting cloud workloads while simultaneously improving the speed and efficiency with which your development organization can build and deploy secure cloud workloads.
