After years of steady increases, cloud computing adoption surged dramatically during the pandemic. Companies suddenly needed to build out the infrastructure for a wholesale pivot to remote work. Spending on cloud services reached a record high of $408 billion in 2021, and it’s on track to climb to $474 billion by the end of 2022. With 90 percent of cloud servers and 70 percent of web servers relying on Linux, it’s fair to say the cloud runs on Linux. It’s also the most popular operating system in Microsoft’s Azure ecosystem, so Linux servers are a much bigger target than they used to be. (Pro tip: Don’t Secure Linux Servers With Windows Solutions.)
Hackers have been highly attuned to this shift. Cloud security breaches recently surpassed on-premise attacks for the first time. This is alarming, since according to Gartner 95 percent of all digital workloads will run on cloud-native platforms by 2025. Likewise, 90 percent of all incident response engagements now involve Linux somewhere in the attack chain, and new Linux malware is projected to outpace new Windows malware by 2023.
So there is an increasing risk posed by cloud workloads—most of which run on Linux. Research firm Gartner® has published a useful Market Guide for Cloud Workload Protection Platforms, and Morphisec is spotlighting some of the key takeaways.
This is an emerging segment of security solutions that is quickly becoming as critical as the cloud itself. Gartner’s guidance deserves close examination if you care about cloud security and the role Linux plays in it.
Defining Cloud Workload Protection Platforms
Gartner defines CWPPs as “workload-centric security products that protect server workloads in hybrid, multi-cloud data center environments. CWPPs provide consistent visibility and control for physical machines, virtual machines (VMs), containers and serverless workloads, regardless of location. CWPP offerings protect workloads using a combination of system integrity protection, application control, behavioral monitoring, intrusion prevention and optional anti-malware protection at runtime.”
Regardless of the specific tools and techniques a CWPP utilizes, it should reduce your attack surface. According to Gartner, “CWPP offerings should start by scanning for known vulnerabilities and risks in development. At runtime, they should protect workloads from attack, typically using a combination of system integrity protection, application control, behavioral monitoring, host-based intrusion prevention and optional anti-malware protection.”
The combination of attack surface reduction before deployment and protection at runtime makes workloads covered by a CWPP much harder to exploit than workloads covered by other solutions alone. It takes the pressure off NGAV, EDR, EPP, and data security tools, which are designed to catch known attacks. It’s also an important step for securing Linux servers, which are often left exposed by legacy (and even many modern) security solutions, including those just mentioned. CWPPs address security gaps that widen as cloud and Linux usage grows and attacks become more evasive and advanced.
The Evolution of Cloud Workloads
The rapid evolution of cloud workloads has increased attacks on Linux servers and heightened the need for CWPP solutions. DevOps, and the rapid iterations it enables, has propelled this evolution, according to Gartner. “The reality is that most enterprises will have workloads distributed across a combination of on-premises, colocation and multiple public cloud IaaS platforms. We refer to this combination as a hybrid, multicloud architecture. CWPPs must protect this architecture. At the same time, the granularity of workloads, their life span and the ways they are created are changing. Linux containers are widely adopted and there is increasing adoption of serverless function PaaS. A CWPP strategy should be adopted to provide consistent visibility and control of workloads, regardless of their granularity and level of abstraction.”
To that point, Gartner singles out endpoint protection platforms (EPPs) as insufficient for cloud workload protection. “Occasionally, we still find enterprises using end-user-focused EPP offerings designed for desktops, laptops and tablets on server workloads,” writes Gartner. “These are ill-suited to the requirements of dynamic hybrid, multicloud workload protection. The risk profile and threat exposure of a server workload is markedly different from that of an end-user-facing system.”
“Enterprises that use an EPP offering designed for end-user-supporting devices are putting enterprise data and applications at risk,” warns Gartner.
Unlike attacks on endpoints, which typically use a wide net and are opportunistic, attacks on Linux servers running cloud workloads tend to be targeted and surgical. Evasive by design, these attacks fly under the radar of detection-centric security solutions and leverage techniques like supply-chain attacks to bypass other security controls. The evolution of cloud workloads and Linux servers into something ubiquitous yet increasingly vulnerable is driving the maturation of the CWPP market.
Market Direction for CWPPs
Gartner estimates the CWPP market grew by 18.1 percent to $1.699 billion in 2021. That growth is propelled by a number of trends:
- More workloads are shifting to public-cloud Infrastructure as a Service (IaaS) and there are more IaaS workloads overall
- Requests from enterprises for workload threat detection and response capabilities; enforcing security policy on the host is easier and more scalable with CWPPs than with traditional in-line network-based security controls
- SSL/TLS inspection requirements are better addressed on the host where the TLS session terminates than by decrypting traffic in line on the network
- Container-based architectures, microservice-based applications, and serverless function PaaS require specialized protection both during development and at runtime
- Greater ease of adoption, more vendors and products, and managed service offerings make CWPP more accessible than before
- Built-in operating system firewalls on Windows and Linux (Windows Firewall, netfilter) reduce the need for a CWPP to ship or manage its own firewall
- The short life span of cloud workloads calls for runtime protection that is fast to deploy and non-invasive
The list goes on, but Morphisec's key takeaway is that CWPP is becoming more accessible and capable at the same time as cloud workloads and Linux servers are subject to greater risk. Therefore, this market will likely continue to grow.
Key Features of CWPPs
Gartner emphasizes that cloud workload protection is rooted in fundamentals such as solid operational hygiene, change and log management, and configuration best practices. Different CWPP solutions offer different controls, and different enterprises need different controls. Gartner’s list, from most to least important, is:
- Hardening, configuration, and vulnerability management
- Identity-based segmentation and network visibility
- System integrity assurance
- Application control/whitelisting
- Exploit prevention/memory protection
- Server workload EDR behavioral monitoring, threat detection and response
- Host Intrusion Prevention System (HIPS) with vulnerability shielding
- Anti-malware scanning
Gartner mentions the first five on this list as “core workload protection strategies.”
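Two of those core controls, system integrity assurance and application control, are easy to picture in code. The following is an added example written for this page; it is not from the Gartner guide and not Morphisec’s product. It baselines the files of a small constructed “workload”, reports drift (added, removed and modified files) after simulated tampering, and flags any running executable whose hash is not on an allowlist. Every path, file and hash in it is constructed for the demo; a real CWPP would do the same job across a fleet, with the baseline signed and stored off-host.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """System integrity assurance, step 1: record the hash of every regular file
    under root, keyed by its path relative to root. This is the known-good state
    captured at deploy time. Symlinks are skipped so an attacker cannot point a
    baselined path at a file outside the tree."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def verify_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """System integrity assurance, step 2: re-hash the tree and report drift.
    Added files matter as much as modified ones: a dropped webshell is an 'added' event."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def check_allowlist(running: dict[str, str], allowlist: set[str]) -> list[str]:
    """Application control: given {process name: sha256 of its executable}, return the
    processes whose executable is not approved. The check is hash-based rather than
    path-based, so a trojanised binary at a trusted path is still caught."""
    return sorted(name for name, digest in running.items() if digest not in allowlist)


def demo() -> dict:
    """Constructed scenario (assumed for this example): baseline a tiny workload,
    then simulate a modified config, a dropped webshell and an unapproved binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "bin" / "app").write_bytes(b"\x7fELF-approved-app-stand-in")  # constructed
        baseline = build_baseline(root)
        approved = {baseline["bin/app"]}  # the only executable allowed to run

        # Simulated post-deployment attacker activity (all constructed).
        (root / "etc" / "app.conf").write_text("listen=443\nadmin_token=leaked\n")
        (root / "shell.php").write_text("<?php /* constructed webshell stand-in */ ?>\n")
        (root / "bin" / "miner").write_bytes(b"\x7fELF-unapproved-stand-in")

        drift = verify_baseline(root, baseline)
        running = {  # what a process-to-binary map would look like at runtime
            "app": sha256_file(root / "bin" / "app"),
            "miner": sha256_file(root / "bin" / "miner"),
        }
        return {"drift": drift, "allowlist_violations": check_allowlist(running, approved)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of keying the allowlist on content hashes rather than paths is the same one Gartner makes about integrity: the control has to survive an attacker who already has write access to the filesystem.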
CWPP Selection Considerations
A CWPP solution should cover whichever of the controls listed above are most relevant to your enterprise. It should support Windows, Linux, and Linux containers, plus Kubernetes if you’re running it, and provide runtime protection and serverless function scanning. Finally, a CWPP solution should be accessible, flexible, interoperable, and portable so it can keep pace with the continuing evolution of cloud workloads.
Gartner highlights various evaluation best practices, beginning with developing a comprehensive cloud workload protection strategy and breaking free of EPP dependence. Choose solutions that protect physical and virtual machines from the same platform, and make container protection capabilities a priority.
CWPP and Linux Cyber Security
With Linux the backbone of cloud servers and web servers, no conversation about cloud workload protection is complete without understanding Linux cyber security. Because their code is open source, Linux servers have historically been assumed to be inherently secure. But traditional options for safeguarding Linux servers are increasingly ineffective as more and more threat actors use advanced attacks against them. To learn more, download your free copy of Morphisec’s white paper on Linux Servers: How to Defend the New Cyberattack Frontier.
Gartner, Market Guide for Cloud Workload Protection Platforms, 12 July 2021, Neil MacDonald, Tom Croll.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.