RSAC insights: Introducing ‘CWPP’ and ‘CSPM,’ new frameworks to secure cloud infrastructure

By Byron V. Acohido

A greater good has come from Capital One’s public pillaging over losing credit application records for 100 million bank customers.

Related: How credential stuffing fuels account takeovers

In pulling off that milestone hack, Paige Thompson took advantage of CapOne’s lack of focus on cloud security as the banking giant rushed headlong into leveraging Amazon Web Services. Luckily, Thompson left an easy trail for the FBI to follow and affect her arrest in August 2019.

The lone wolf hacker’s lasting legacy may be that she gave the cybersecurity industry an impetus to double down on its efforts to help enterprises get a grip on cloud security.

A slew of new cloud-security frameworks have gained traction since the Capital One hack. I recently had the chance to sit down with Kevin Simzer, chief operating officer of Trend Micro, to discuss two of them: Cloud Workload Protection Platform (CWPP) and Cloud Security Posture Management (CSPM.) For a full drill down on our conversation please give the accompanying podcast a listen. Here are the key takeaways:

Cloud migration risks

The summer of 2019 was a heady time for the financial services industry. Capital One’s valuation hit record highs at a time when its senior executives bragged on Wall Street about how the bank’s aggressive adoption of AWS-supplied infrastructure would boost both profits and security. In reality, the bank wasn’t paying close enough attention to its shared responsibility for keeping its cloud-stored assets secure.

To defend its web applications, the bank chose to go with an open-source Web Application Firewall (WAF), called ModSecurity, along with an open-source Apache web server. What’s more, it over-privileged the WAF’s admin accounts, unnecessarily creating fresh paths to access its AWS S3 data storage buckets.

In short, the bank provided a wide-open lane for Thompson to successfully carry out a  “Server Side Request Forgery” (SSRF) attack; she was thus able to trick CapOne’s WAF into running commands that a firewall really has no business running. Her hack served as a wake-up call about the prevalence of fresh risks spinning out of cloud migration.

“Any time there’s a big infrastructure change there are opportunities for companies to innovate, but it also creates opportunities for the bad guys,” Simzer observes. “What we’re seeing today is an acceleration of cloud migration projects and an acceleration of cloud adoption. And when people take on these projects, they now have to think about how they’re going to protect those applications in the cloud.”

Protecting workloads

All organizations today face a common challenge: how to preserve the integrity of their IT systems as cloud infrastructure and agile software development take center stage. Twenty years ago it was deemed sufficient to erect a robust firewall and keep antivirus software updated.

Today an elaborate layering of software-driven “workloads” unfolds on-premises and in the public cloud. These workloads drive the processing, data storage and network-to-network connections of modern business systems.

Digital agility means new apps get created by far-flung team members who piece together modular “microservices” packaged in software containers. During this process of on-the-fly software creation — as well as when the software gets deployed into service — the apps come to life by interconnecting physical servers, virtual machines, laptops, smartphones and IoT devices.

So how can modern digital commerce be secured — without stifling digital agility? It’s going to take a paradigm shift, Simzer says. Hundreds of billions of dollars worth of legacy security systems designed to protect on-premises datacenters must ultimately get redirected to this new challenge.

One prominent new framework pushing in this direction is referred to as Cloud Workload Protection Platform, or CWPP. Tech consultancy Gartner defines CWPP as any “security solution that targets the unique protection requirements” of the workloads that have come to drive enterprise networks.

Trend Micro, for its part, has been proactively focusing on cloud security for the past several years and in 2019 launched its Cloud One security platform, a suite of services with a CWPP solution as the centerpiece. Essentially, CWPP solutions can help organizations gain greater visibility of the innumerable sensitive workloads — and then defend them more effectively, Simzer told me.

“This is often referred to as virtual patching,” he says. “Even if your application is not patched, we are actually blocking the threats, and giving the security practitioners time to actually apply the necessary patches to their system.”

Hunting vulnerabilities

Thanks to the FBI’s criminal complaint against Thompson, the CapOne hack publicly illustrated in great detail just how cloud vulnerabilities present themselves at the ground floor level — and just how badly companies engaged in cloud migration, or starting out as cloud native, are in need of new, more agile security frameworks.

Meanwhile, the urgency to fully transition to a cloud-centric security mindset has only intensified given a never-ending parade of high-profile breaches. The Solarwinds hack highlighted supply chain risks; the Microsoft Exchange breach demonstrated how collaboration tools are being targeted; and, most recently, the Experian API hack, showed how authentication isn’t being guarded as rigorously as it needs to be.

Cloud Security Posture Management, or CSPM, is another new security framework that has come along and is meant to work in parallel with CWPP. While CWPP technologies are designed to detect and prevent intrusions, CSPM systems carry out the daily grunt work, if you will, of systematically identifying and remediating workload vulnerabilities lurking within modern hybrid networks.


“Our CSPM service uses automation to log into a user account in the public cloud, let’s say it’s in AWS or in Azure, and then it scans the environment and looks for vulnerabilities,” Simzer told me. “We have hundreds of rules that we check for, and then at the end of the day we provide a report to the security operations team and give them visibility about any security issues they might have in their environment.”

CSPM technologies should take notice of things like S3 data storage buckets that are weakly configured. “Posture management provides a baseline,” Simzer says. “Some of our customers have thousands of user accounts comprised of lots of different software developers and cloud builders; so it’s very possible for somebody to make a mistake and a misconfiguration to happen.”

We are in the early stages of repurposing legacy security systems, and, ultimately replacing them, with security defenses that are every bit as agile as legit digital commerce has become. It’s encouraging that smarter security frameworks like CWPP and CSPM are coalescing; they signal the direction we need to keep heading in. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone