Virtualization Technology News and Information
The Pitfalls of Workload Protection

By TJ Gonen, Head of Cloud Strategy, Check Point Software Technologies

Over the past few decades, security has become massively more complicated, from the widespread use of cloud-based services to the drastic acceleration of application deployments, which are now updated continuously. But if the cloud makes everything a hundred times faster and more complex, it also multiplies the threats to those applications at the same pace. Organizations have ballooned the size of their security teams in an effort just to keep up, but it doesn't have to be this way. The bloat is often the result of an ‘old world’ approach to protecting application workloads in the cloud, one based on a fundamental misapprehension of what workload protection actually is.

The concept of workload security/protection was first popularised a few years ago by analysts such as Gartner, at a time when it was becoming apparent that deploying applications via the cloud required new building blocks such as containers, and that applications could be built as serverless functions, instantiated anywhere in the provider's infrastructure only when invoked. These elements, along with the app itself, became known as ‘workloads’, and as a result ‘workload protection’ became specifically associated with solutions that addressed container and/or serverless security.

The problem is that many security teams have run with this definition, and continue to do so, believing that workload protection is just about having a good container/serverless security solution, while often disregarding the need to protect the application itself, or indeed any of the other elements that make up a cloud-deployed workload.

Yet what the business cares about above all else is the quality and functionality of the application, whether it's a customer-facing web service or back-end software; it doesn't care about containers or how the app is distributed across the cloud's server infrastructure. But when the security team tells the business that the workload is protected, more often than not it is actually talking about something other than the app itself.

Even though a more accurate and holistic definition of workload protection is now available (Gartner, for example, now uses the term ‘Cloud-Native Application Protection Platform’, or CNAPP), the old definition continues to create dissonance and confusion within the market. This is partly due to the security industry itself and the way it compartmentalizes the products it promotes and sells to its customers, which in turn perpetuates an on-premises mindset stretching back 20-30 years.

When organizations first opened themselves up to the online world, they quickly faced a series of novel threats to their data and infrastructure. Accordingly, security companies sprang up to address these problems, first selling them firewalls, then anti-virus solutions, and eventually an entire armoury of discrete vulnerability management and threat prevention products. As the types of attack multiplied, so too did the variety of defences. At some point, however, this proliferation of solutions became untenable to manage, and a process of consolidation began, leading to a more holistic approach to security.

However, this point-solution mentality has persisted in addressing cloud-based security threats, with each new element (container, serverless, etc.) treated as a separate attack surface to be protected by its own product, with individual teams assigned to each solution; hence the bloat in the security department. Given the rapid development of the web services space, this is entirely understandable, but it risks repeating the mistakes previously made on-premises.

Even those organizations who understand that workload protection means more than just container and serverless security have ended up deploying point solutions to address additional elements such as configuration policy and posture management, and of course application security itself. But while this piecemeal approach is theoretically doable in the short-term, it's neither efficient nor scalable, no matter how big the security team grows. Just as in the on-premises world, consolidation is the only sensible way forward.

Ultimately, it's impossible to properly manage workload security in the cloud using point solutions because, as I've already noted, the cloud moves much too fast for that. It might take months to deploy and secure a data centre in the physical world, but it takes minutes, or a single API call, to launch one in the cloud; and because cloud infrastructure is templated and replicated, a single misconfiguration in that template is copied into every environment built from it. Trying to manually fix issues as they occur in this environment just doesn't work. The speed and complexity of the cloud require a solution that is both holistic and automated.

Application development has been driven by automation for some time now, enabling DevOps teams to roll out code almost continuously into a cloud infrastructure that is itself automated. For security to be truly effective in this environment, and to work as a holistic solution, it needs to be present in the development pipeline from the start, with configuration policies enforced on the application and its deployment definitions as they are written, not after they are deployed. The only way to achieve this is through automation: tooling that guides the developer to always produce secure and compliant code and configuration, that establishes what normal behaviour looks like for the running workload so that anomalies stand out, and that reacts to changes and potential threats without waiting for human intervention.

In the cloud, a holistic workload protection solution is an automated solution - there is simply no other way of realistically doing it. If it can't be automated, it isn't a solution. And if security teams aren't to become completely swamped by the task of managing their organizations' web apps, they need to work alongside their DevOps teams to implement solutions that protect the entirety of the application workload, not just cloud-specific functionality.
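As an added illustration of the two points above (policy enforced in the pipeline on the deployment definition, and the check extending to the application rather than stopping at the container), here is a small policy gate that evaluates a Kubernetes workload manifest before it is applied. This is example code written for this page, not Check Point's or any vendor's product logic; the rule IDs, the `orders-api` workload, its image names and the credential values are all constructed for the example.

```python
"""Added example: a pipeline gate that evaluates a Kubernetes workload manifest
against a small policy set before anything is deployed. The rules, rule IDs and
sample manifests are constructed for illustration and are not the product
logic of Check Point or any other vendor."""
import re

# Environment variable names that suggest a credential is being passed inline.
SECRET_ENV_RE = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.IGNORECASE)


def _pod_spec(manifest):
    """Return the pod spec for a Deployment/StatefulSet-style object or a bare Pod."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def _image_is_pinned(image):
    """True when the image reference carries a tag other than 'latest' or a digest."""
    last = image.rsplit("/", 1)[-1]  # strip registry/repository path
    return ":" in last and not last.endswith(":latest")


def evaluate(manifest):
    """Return a list of (rule_id, location, message) for every policy violation."""
    findings = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod = _pod_spec(manifest)

    # Pod-level settings that break isolation from the node.
    if pod.get("hostNetwork"):
        findings.append(("POD-001", name, "hostNetwork shares the node's network namespace"))
    if pod.get("hostPID"):
        findings.append(("POD-002", name, "hostPID exposes the node's process table"))

    for c in pod.get("containers", []) + pod.get("initContainers", []):
        loc = f"{name}/{c.get('name', '?')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("CTR-001", loc, "privileged container (full host device access)"))
        if sc.get("runAsNonRoot") is not True:
            findings.append(("CTR-002", loc, "runAsNonRoot is not enforced"))
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(("CTR-003", loc, "allowPrivilegeEscalation is not disabled"))
        if not _image_is_pinned(c.get("image", "")):
            findings.append(("CTR-004", loc, f"image {c.get('image', '')!r} is not pinned"))
        if "limits" not in c.get("resources", {}):
            findings.append(("CTR-005", loc, "no resource limits (noisy-neighbour / DoS risk)"))
        # Application-level check: credentials must come from a Secret, not a literal.
        for env in c.get("env", []):
            if SECRET_ENV_RE.search(env.get("name", "")) and "value" in env:
                findings.append(("APP-001", f"{loc}/env/{env['name']}",
                                 "credential passed as a plaintext value; use valueFrom.secretKeyRef"))
    return findings


def gate(manifest):
    """Pipeline entry point: (passed, findings). A failing gate should stop the deploy."""
    findings = evaluate(manifest)
    return (len(findings) == 0, findings)


# Constructed sample: the kind of manifest a developer writes to 'just get it working'.
INSECURE_MANIFEST = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "orders-api"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "api",
            "image": "example.internal/orders-api:latest",  # constructed image name
            "securityContext": {"privileged": True},
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],  # constructed value
        }],
    }}},
}

# Constructed sample: the same workload with every rule satisfied.
HARDENED_MANIFEST = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "orders-api"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "api",
            "image": "example.internal/orders-api:1.4.2",  # constructed pinned tag
            "securityContext": {"privileged": False, "runAsNonRoot": True,
                                "allowPrivilegeEscalation": False},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "orders-db", "key": "password"}}}],
        }],
    }}},
}

if __name__ == "__main__":
    for label, m in (("insecure", INSECURE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        passed, findings = gate(m)
        print(f"{label}: {'PASS' if passed else 'FAIL'}")
        for rule_id, loc, msg in findings:
            print(f"  {rule_id} {loc}: {msg}")
```

Run as a step in the CI job that renders the manifest (for example on the output of a templating tool) and fail the job when `gate` returns `False`; the same function can be run by an admission controller at deploy time so that a manifest applied outside the pipeline is held to the same policy. The `APP-001` rule is the point the article is making: a container that is perfectly sandboxed still ships a plaintext database credential in its environment unless the check looks at the application's own configuration too.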




Tsion (TJ) Gonen, Head of Cloud Product Line, Check Point Software Technologies

Tsion (TJ) Gonen has more than 20 years of cyber security and executive experience, and is now the Head of Cloud Security at Check Point Software Technologies, where he leads cloud innovation as well as the go-to-market strategy. Prior to joining Check Point, TJ was co-founder and Chief Executive Officer of Protego Labs, a serverless security start-up, which was acquired by Check Point in 2019.

TJ also served as Chief Strategy Officer for Gemalto's Identity and Data Protection Division, and held leadership roles at Aladdin Knowledge Systems.
Published Friday, October 01, 2021 7:33 AM by David Marshall