Full Report
In the first installment of Tenable’s “Stronger Cloud Security in Five” blog series, we covered cloud security posture management (CSPM), which focuses on protecting your multi-cloud infrastructure by detecting misconfigurations. Today, we turn to securing cloud workloads, which are the applications and services — along with all the resources they need to function — that run within your multi-cloud infrastructure.

Because cloud environments are dynamic, distributed and multi-layered, securing cloud workloads is challenging, as their security posture can quickly shift. The variety of workloads — virtual machines, container images, databases, serverless functions, and more — adds to the complexity.

Also complicating matters: the deployment of cloud workloads on more than one cloud service provider (CSP), which requires that security teams protect workloads in multi-cloud environments.

In fact, an Enterprise Strategy Group (ESG) survey last year found that most organizations need to secure applications across multi-cloud environments. The report also found that almost all organizations suffered serious cybersecurity incidents. As a result, 89% of organizations planned to invest more in cloud security platforms and DevSecOps, including in cloud workload protection platforms, ESG Cybersecurity Practice Director Melinda Marks explained.

Clearly, cloud workload integrity is essential. As the Cloud Security Alliance tells us in its “Security Guidance: For Critical Areas of Focus in Cloud Computing”: “For businesses using the cloud, securing these workloads is not just about protecting data. It is also about ensuring that their operations can continue without interruption.”

At Tenable, we believe that to secure your multi-cloud workloads, you need a cloud-native application protection platform (CNAPP) with a strong cloud workload protection solution that can help you prevent, detect and address exposures, including vulnerabilities, misconfigurations and insecure APIs.

Here are five key best practices for protecting your cloud workloads.

1 - Continuous and contextualized vulnerability management

It’s critical to automate the continuous scanning of your cloud workloads to detect vulnerabilities across operating systems, containers, virtual machines, and more — whenever they crop up.

In addition, you need contextualized vulnerability analysis. Your CNAPP’s cloud workload protection (CWP) tool must enrich the context of detected vulnerabilities with granular research information, including severity ratings and exploit details. This rich context will allow you to identify the riskiest vulnerabilities to your organization and prioritize remediation accordingly.

For example, you’ll be able to detect cloud workloads afflicted with toxic combinations, such as those that are publicly exposed and have critical vulnerabilities and excessive permissions. How prevalent is this “toxic trilogy”? The “Tenable Cloud Risk Report 2024” found that almost 40% of organizations have at least one toxic trilogy — and 27% have at least five.

2 - Cloud scanning

To protect workloads in a cloud-native manner, you’ll need an effective method to scan. Agentless scanning is one effective way to do just that. By using the APIs provided by CSPs to gather security data, agentless scanning protects workload performance and delivers a holistic view of your security posture at scale. You get visibility into your cloud workload inventory, telemetry and risks, including vulnerabilities, data exposure, overprivileged identities, malware and misconfigurations across virtual machines, containers, serverless workloads and Kubernetes clusters. With this data in hand, you can establish sound priorities to guide your remediation efforts.

3 - Build-to-runtime container security

A critical component of cloud workload security is the protection of containers throughout their lifecycles — from build to deployment. This continuous, end-to-end container security also needs to be automated and baked into your DevOps workflows and CI/CD pipeline. Such an automated and comprehensive approach is critical given the large number of containers in a typical cloud environment, the speed with which they’re spun up and down, and their ephemeral duration.

It all starts during the container build process. Your cloud workload protection platform (CWPP) must give your developers visibility into container risks, such as outdated operating system images and vulnerabilities. It should also empower developers to remediate the detected security flaws by giving them risk insights so they can prioritize remediation effectively.

You also need automated security scanning of the containers you check into registries, such as Docker Hub and Amazon ECR.

Finally, containers should undergo automated security tests in production runtime environments because attackers will readily exploit buggy and misconfigured containers.

4 - Automated compliance monitoring

Improperly securing your cloud workloads can have serious implications if your organization runs afoul of the numerous and complex cybersecurity laws and rules that apply to cloud computing.

Keeping your cloud workloads compliant with government regulations and industry standards requires a methodical, automated approach that can match your cloud environments’ quicksilver nature.

A CWP system that automatically identifies compliance violations and provides out-of-the-box policies and templates can dramatically simplify the thorny cloud compliance process.

5 - Centralized security visibility and management

Your CWP system should provide a unified, continuously updated and contextually rich view of your multi-cloud workload resources and their risks — and it should do this in an agnostic manner. As Tenable Chief Product Officer Shai Morag pointed out recently: “Choosing a security provider that has conflicting priorities can introduce risk. The best cloud security program is built on independence, transparency and aligned priorities around your security needs.”

In ESG’s survey, respondents expressed a preference for consolidated solutions and platforms “to help provide better context, drive efficient actions, rapidly mitigate issues and save valuable time” instead of having to manually analyze results from separate solutions, ESG’s Marks said.

At Tenable, we believe that a centralized CWP user interface with multi-cloud visibility, security management and reporting gives your teams a single source of truth for cloud workload risks, allowing them to collaborate and prioritize remediation.

Learn how you can take action to boost your cloud security in just five minutes.
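As an added illustration (not Tenable code and not any product's API), the Python below models the contextualized prioritization from practice 1 over a constructed multi-cloud inventory of the kind agentless scanning (practice 2) returns, and ranks it in one cloud-agnostic queue as practice 5 calls for; the 9.0 CVSS threshold, the scoring weights and the sample workloads are all assumptions.

```python
# Added example (not Tenable code or any product's API): contextualized
# prioritization (practice 1) over a constructed multi-cloud inventory of the
# kind agentless scanning (practice 2) returns, ranked in one queue (practice 5).
from dataclasses import dataclass, field
CRITICAL_CVSS = 9.0  # assumed threshold for a "critical" finding
TRILOGY = {"public", "critical-vuln", "excessive-perms"}

@dataclass
class Workload:
    cloud: str                   # provider the asset lives in (aws/azure/gcp)
    name: str
    public: bool                 # reachable from the internet
    cvss: list = field(default_factory=list)  # CVSS scores of open findings
    exploit_known: bool = False  # research data reports a known exploit
    admin_perms: bool = False    # attached identity is overprivileged

# Constructed sample inventory; names and scores are illustrative only.
INVENTORY = [
    Workload("aws", "web-frontend", True, [9.8, 7.5], True, True),
    Workload("azure", "batch-worker", False, [9.1], False, True),
    Workload("gcp", "api-gateway", True, [9.4], False, False),
    Workload("aws", "log-archive", False, [5.3], False, False),
]
def risk_factors(w: Workload) -> set:
    """Which of the three toxic-trilogy factors a workload exhibits."""
    factors = set()
    if w.public:
        factors.add("public")
    if any(score >= CRITICAL_CVSS for score in w.cvss):
        factors.add("critical-vuln")
    if w.admin_perms:
        factors.add("excessive-perms")
    return factors

def is_toxic_trilogy(w: Workload) -> bool:
    return risk_factors(w) == TRILOGY

def priority_score(w: Workload) -> float:
    """Higher fixes first: factor count dominates, the full trilogy adds a bonus,
    worst CVSS and a known exploit break ties (weights are assumptions)."""
    score = 10 * len(risk_factors(w)) + max(w.cvss, default=0.0)
    if is_toxic_trilogy(w):
        score += 50
    if w.exploit_known:
        score += 5
    return score

def remediation_queue(inventory):
    """One ranked, cloud-agnostic list: the single source of truth for fixes."""
    return sorted(inventory, key=priority_score, reverse=True)
```

Note how `api-gateway` (public plus critical) outranks `batch-worker` (critical plus overprivileged but not exposed) on CVSS alone, while the one trilogy asset sits far ahead of both.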
Analysis Summary
# Best Practices: Protecting Cloud Workloads
## Overview
These practices focus on implementing a robust, automated, and centralized security posture for protecting cloud workloads, addressing the complexity of multi-cloud environments, compliance requirements, and the need for unified visibility.
## Key Recommendations
### Immediate Actions
1. **Establish Centralized Visibility:** Implement a Cloud Workload Protection Platform (CWPP) or a Cloud Security Posture Management (CSPM) tool that provides a single, continuously updated, and contextually rich view of all multi-cloud workload resources and associated risks.
2. **Ensure Multi-Cloud Agnostic View:** Select security solutions that are cloud-agnostic to avoid conflicts of interest and provide transparent, unified security management across different cloud providers.
### Short-term Improvements (1-3 months)
1. **Automate Compliance Monitoring:** Deploy a Cloud Workload Protection (CWP) system capable of automatically identifying compliance violations against regulations and industry standards.
2. **Utilize Out-of-the-Box Policies:** Configure the CWP system to immediately use its provided out-of-the-box compliance policies and templates to baseline current cloud environments.
3. **Consolidate Security Tooling:** Begin the process of consolidating security solutions where manual analysis is currently required to drive efficient actions and rapid issue mitigation through a unified platform.
### Long-term Strategy (3+ months)
1. **Methodical, Automated Compliance Management:** Integrate compliance checks directly into the workload lifecycle using automation to keep pace with the rapid changes inherent in cloud environments.
2. **Establish Single Source of Truth (SSoT):** Solidify the centralized CWP user interface as the SSoT for all cloud workload risks, mandating its use for collaboration and remediation prioritization across security teams.
3. **Streamline Risk Communication:** Leverage centralized reporting features to accurately communicate cyber risk to business stakeholders.
## Implementation Guidance
### For Small Organizations
- **Prioritize Foundational Visibility:** Focus initial efforts on deploying a single, unified security solution that can cover the primary security needs (e.g., vulnerability management and basic configuration posture) across your main cloud provider(s).
- **Leverage Automated Templates:** Heavily rely on out-of-the-box compliance templates provided by CWP tools to minimize the need for expert staff to create custom policies manually.
### For Medium Organizations
- **Adopt Consolidated Platforms:** Actively seek consolidated platforms (like Exposure Management solutions) that integrate visibility across multiple domains (e.g., Cloud Exposure, Vulnerability Exposure) to improve context and reduce swivel-chair security analysis.
- **Define SSoT Workflow:** Formally establish the centralized dashboard as the mandatory starting point for all workload security investigations and remediation planning.
### For Large Enterprises
- **Mandate Multi-Cloud Agnostic Tools:** Ensure the selection of security vendors demonstrates independence and transparent priorities, especially when managing diverse, multi-cloud estates.
- **Integrate Compliance into CI/CD:** Build security reviews and compliance validation into the continuous integration/continuous deployment (CI/CD) pipeline to match the "quicksilver nature" of cloud infrastructure provisioning.
- **Focus on Contextual Risk Prioritization:** Implement tools that offer attack path analysis and richly contextualized data to move beyond simple vulnerability counts toward effective business risk reduction.
## Configuration Examples
*Note: Specific technical configuration examples were not provided in the source text; however, the guidelines imply the following configuration focus:*
- **CWP/CSPM Configuration:** Configure the selected platform to automatically scan and report against mandated industry and regulatory benchmarks (e.g., CIS Benchmarks for specific cloud providers).
- **Policy Enforcement:** Ensure the platform's configuration has policies set to trigger alerts or remediation workflows when high-risk configuration drifts or compliance violations are detected.
## Compliance Alignment
The practices described directly align with the need to manage complex cloud cybersecurity laws and rules, suggesting alignment with:
- **NIST CSF:** Focus on the Identify (Asset Management, Risk Assessment) and Protect (Data Security, Security Configuration Management) functions.
- **ISO 27001/27017:** Focus on controls related to the management of information security for cloud services.
- **CIS Benchmarks:** Utilizing out-of-the-box policies implies direct mapping to CIS community standards for cloud security posture.
## Common Pitfalls to Avoid
- **Conflicting Security Priorities:** Choosing a security provider whose priorities conflict with your organization’s security needs, potentially introducing blind spots or operational risk.
- **Fragmented Toolsets:** Relying on manually correlating results from separate, disparate security solutions, leading to inefficient actions and delayed mitigation.
- **Static Compliance Checks:** Failing to automate compliance checks, resulting in a security posture that quickly falls out of compliance due to the rapid pace of cloud environment changes.
## Resources
- **Cloud Workload Protection Platform (CWPP):** Solutions focusing on securing workloads wherever they run.
- **Cloud Security Posture Management (CSPM):** Tools for visibility into security configuration across cloud infrastructure.
- **Unified Exposure Management Platforms:** Consolidated solutions integrating Cloud Exposure, Vulnerability Exposure, and Attack Path Analysis.
- **Tenable One Exposure Management Platform** (As referenced in the source context for achieving unified visibility and risk communication.)