Published: 22 March 2017 ID: G00302941
Server workloads in modern hybrid data centers use private and public
cloud computing and require a protection strategy different from end-user-
facing devices. Security and risk management leaders should use risk-
based models to prioritize evaluation criteria for cloud workload protection
platforms.
Key Findings
Enterprises are implementing hybrid data center architectures, with workloads running on-
premises and in multiple cloud infrastructure-as-a-service providers.
The increasing adoption of containers complicates workload protection strategies.
Elastic, cloud-native applications have unique security needs. Legacy on-premises security
agents are not designed to perform at cloud scale and may have licensing models that are
incompatible with elastic cloud workloads.
Cloud workload protection platform vendors are emerging to address these requirements,
including many smaller startups, which is confusing buyers.
Signature-based, anti-malware scanning provides little value for most server workloads.
Recommendations
Security and risk management leaders tasked with acquisition, strategizing and planning should:
Not assume end-user endpoint protection platforms are best-suited to private and public cloud
workloads, which have vastly different protection requirements.
Require vendors to support the visibility and control of workloads that span physical and virtual
machines, containers and multiple public cloud IaaS, all from a single policy management
framework and console.
Require vendors to support native integration with VMware, Amazon Web Services and
Microsoft Azure APIs and labeling for policy management.
Disable antivirus on most servers, and use application control and whitelisting as the primary
protection strategy, unless the server hosts a file-sharing repository.
Require vendors to API-enable security protection functions to be automated and integrated
into DevSecOps-style workflows for scanning prior to deployment.
By 2018, three of the top five cloud workload protection platform (CWPP) vendors will have added
explicit support for container visibility and policy enforcement on a per-container-basis.
Market Definition
The market for CWPPs is defined by workload-centric security protection solutions, which are
typically agent-based. They address the unique requirements of server workload protection in
modern hybrid data center architectures that span on-premises, physical and virtual machines
(VMs) and multiple public cloud infrastructure as a service (IaaS) environments. Ideally, they also
support container-based application architectures. Vendors competing in this market offer one or
more of the following capabilities for hybrid cloud workload protection.
Core Capabilities:
Extended Capabilities:
Market Direction
Modern data centers support workloads that run in physical machines, VMs, containers, private
cloud infrastructure and almost always include some workloads running in one or more public cloud
IaaS providers. Hybrid CWPP offerings provide information security leaders with visibility and
control across all of these environments with a "single pane of glass": a consistent way to
manage policy and monitor for issues.
Although traditional endpoint security vendors (see "Magic Quadrant for Endpoint Protection
Platforms") may tell potential customers to use the same product and set of controls to protect
server workloads as they do for protecting end-user desktops, this won't work (at least not well).
The protection and compliance requirements of private and public cloud workloads are different
enough that the market has bifurcated to address distinct market needs: those that protect server
workloads and those that protect devices that directly support end users, such as desktops,
laptops and mobile devices. To directly address the unique requirements of cloud workload
protection, several of the traditional endpoint protection platform (EPP) vendors have developed
specific CWPP offerings, and new point solution vendors have emerged.
Several key trends are affecting the growth and development of the CWPP market.
There are other significant differences. Cloud-style applications tend to scale elastically, requiring
protection to scale up and down on demand with usage-based licensing models that reflect this.
Simply running agents designed for on-premises servers and hoping these will work in IaaS is not
sufficient.
Public cloud IaaS also changes the requirements. For example, encryption of data at rest should be
considered a mandatory best practice for public cloud-based servers (see "How to Make Cloud
IaaS Workloads More Secure Than Your Own Data Center"), although this is rarely a requirement in
There is a changing threat environment. Another trend is the increased focus on server workload
protection from advanced targeted threats that bypass traditional perimeter and signature-based
protection. Typically, these attacks are financially motivated and target server and application
workloads as a way to get to sensitive data or transactions. Advanced attacks have driven several
key changes in server workload protection:
Protection models that don't rely on signatures. The primary protection strategy for CWPP
(including container-based implementations) will be based on application control: restricting
what applications can run to a predefined set based on policy, so that all other code,
malicious or not, is blocked by policy.
The need for network traffic isolation, segmentation and visibility. Advanced attacks will
gain a foothold on one system and then spread laterally (east/west) within data centers. The
ability to more granularly segment data center traffic is another key requirement. To help
organizations understand application flows, visibility and visualization of these flows is also an
emerging use case for CWPP.
There is a need for deployment speed. In many cases, cloud server workload instantiation will be
driven by templates and scripts, requiring security protection vendors to open up their protection
capabilities via APIs for automated provisioning. DevOps operating models need to incorporate
security protection as well (see "DevSecOps: How to Seamlessly Integrate Security Into DevOps").
As a result, security requirements captured during development can be expressed in security
controls at runtime, without the need for expensive "human middleware" to program the security
infrastructure. This creates a need for security controls to become automatable and adaptive to
scale up and down, as workloads come and go. Enterprises can't slow down to rely on a human
being to go to a console and set policy. This drives a need for full programmability of the protection
infrastructure via APIs.
Application development is changing. Combined with the need for deployment speed, developers
have embraced containers as a way to slipstream the delivery of new services from development
into production quickly and with high fidelity. Securing container-based deployments also changes
the requirements for CWPPs to, at a minimum, provide visibility into containers (see "Security
Considerations and Best Practices for Securing Containers"). Ideally, CWPPs should protect
containers as just another abstraction and option for deployment at runtime. Containers should be
protected throughout this life cycle. As a best practice, they should be scanned for known
vulnerability and configuration issues before they are released into production. Some of the leading
CWPP vendors don't yet have container support. To fill this gap, several new vendors in the CWPP
market are designed solely for container-based development and deployments.
There is a shift toward immutable infrastructure. Ideally, as enterprises change their application
architectures to containers and phase out legacy applications, the enterprise should not directly
manage live workloads and systems at all. Live systems will be considered immutable, an
operational model in which no configuration changes, patches or software updates are allowed on
The legal and regulatory environment is changing. Many server workload protection
requirements are influenced or are direct requirements to comply with legal and regulatory
frameworks. A good example is the requirements for the protection of Payment Card Industry (PCI)-
related workloads: specifically, file integrity monitoring, HIDS, patch management, anti-malware
scanning or whitelisting (see Note 1), and network isolation. Likewise, the pending requirements for
the European Union's (EU's) General Data Protection Regulation (GDPR) have reignited concerns
around data residency, driving interest in data-at-rest encryption in public cloud IaaS, with
customer-managed keys architected so that the cloud provider has no access to the keys.
These trends are creating requirements that are significantly different from traditional end-user-
facing endpoints and traditional physical servers. To address this, several new vendors with
dedicated CWPP point solutions have emerged targeting the needs of hybrid cloud server workload
protection. Information security leaders and architects must understand that simply running an
agent-based solution designed for dedicated physical servers in newer hybrid cloud and container
architected server applications won't work.
Market Analysis
A large number of vendors offer CWPP solutions that vary widely in their capabilities. We
recommend that organizations apply a risk-based security strategy when developing their server
workload protection strategy. All workloads do not require equal levels of protection. Some
workloads will host less-sensitive data and require fewer controls. Others with extremely sensitive
data are likely to use more controls. Others may be protected behind network-based controls, such
as firewalling and intrusion protection systems (IPSs), and require less protection from within the
host. With this in mind, we have created a hierarchy of workload protection needs (see Figure 1) to
help enterprises prioritize their security investments and to help evaluate vendors with capabilities in
this market:
Figure 1 graphically illustrates our recommended prioritization of security controls for hybrid cloud
server workload protection. Capabilities toward the bottom of the pyramid are more critical
(foundational), whereas those toward the top are less important. However, depending on the
specific risk profile of the server and the legal/regulatory requirements of the workload and the
geography, enterprises may weight their evaluations differently. Some of the capabilities shown may
be supplied by the OS provider, cloud IaaS provider or another tool within IT operations (e.g.,
configuration and patch management). Finally, servers hosting virtual desktop infrastructure (VDI)
are a different use case, and would use a more-traditional end-user endpoint protection strategy
(see Note 2).
Start with solid operational hygiene. At the bottom of Figure 1 is a square box of foundational
operational capabilities. Solid server security starts with good operational hygiene. For many
organizations, the operational processes and technical solutions for delivering these capabilities are
already in place and should be extended to cloud-based workloads, including:
Restricted access to the server. Server workloads should have restricted access both
physically and virtually, restricting who or what can reach the server.
Above this foundational operational hygiene level of controls, the following controls should be
considered mandatory for the protection of server workloads:
Configuration and vulnerability management, ideally scanning before release into production
Network firewalling, segmentation and traffic visibility
System integrity monitoring/management
Application control (whitelisting)
Exploit prevention and memory protection
Beyond the capabilities listed above, there are other ways that server workloads may be further
protected. The need for additional protection will be based on multiple factors, including
compliance requirements; the sensitivity of the workload protected; the presence of other mitigating
controls, such as a network firewall or network IPS; whether or not the server can be patched in
a timely manner; and the risk tolerance of the enterprise.
Workload segmentation, traffic visibility and optional network traffic encryption. A foundation
of solid workload security is isolation and segmentation of its ability to communicate with external
resources. Some of the workload protection solutions provide their own firewalling capabilities,
whereas others manage the built-in firewalls of Windows and Linux. The solution should support the
emerging requirement for "microsegmentation" (more-granular segmentation) of east/west traffic in
data centers. In addition, several of the solutions provide visibility and monitoring of the
communication flows. Visualization tools enable operations and security administrators to
understand flow patterns, set policies and monitor for deviations. Finally, several vendors offer
optional encryption of the network traffic (typically, point-to-point IPsec transport mode security
associations) among workloads for the protection of data in motion, and provide cryptographic
network isolation among workloads.
The ability to measure the BIOS, hypervisor, VM and container system images before they are
loaded; this is typically achieved using trust measurements rooted in hardware for physical
systems. In the public cloud, this will be limited to measuring the integrity of the system images
and containers before mount.
The real-time monitoring of the integrity of critical system files after the workloads are booted.
More-advanced solutions also monitor the integrity of the Windows registry, startup folders, drivers
and bootloader. File integrity monitoring (FIM) is a requirement of multiple regulations, including PCI,
and is a precursor to more-advanced endpoint detection and response (EDR), similar to the
capabilities discussed below. Like antivirus, the value of FIM alone is questionable; however, it may
be required by auditors.
Application control (whitelisting). Most workloads in on-premises VMs and in public cloud IaaS
run a single application. This is almost always the case with containers hosting microservices-based
applications. The use of whitelisting to control what executables are run on a server provides an
extremely powerful security protection strategy. All malware that manifests itself as a file to be
executed is blocked by default. Many CWPP solutions provide built-in application control
capabilities, or dedicated point solutions offer them. Alternatively, the built-in application control
capabilities of the OS might be used, such as software restriction policies, AppLocker and Device
Guard with Windows, or SELinux, or AppArmor with Linux. Some of the application control vendors
can further constrain the runtime behavior of whitelisted applications, using more-granular policy
enforcement.
Exploit prevention and memory protection. Application control solutions are fallible and should be
combined with exploit prevention and memory protection capabilities, either from the OS for
IaaS data-at-rest protection. Encryption of data at rest should be a standard best practice for
workloads running in public cloud IaaS (see "How to Make Cloud IaaS Workloads More Secure
Than Your Own Data Center"). With the use of Intel's AES-NI for cryptographic operation
acceleration, the impact on performance is minimal. In addition, many enterprises are making this a
standard requirement in their on-premises data centers. We have not made this a core requirement
for CWPP selection, because many OSs now provide full drive encryption for free and support a
"headless" mode specifically for server protection scenarios. In addition, Amazon also provides free
full-volume encryption in AWS (see "Amazon EBS Encryption"), as well as free solutions for RDS
and S3. Microsoft provides a similar capability with Azure Disk Encryption (see "Cloud Security
Controls Series: Encrypting Data at Rest"). With any encryption, there is a need for the secure
storage and management of encryption keys, and the need to support customer-managed keys.
More-advanced solutions support features such as key management, cross-cloud encryption and
automatic key rotation.
Server EDR for behavioral monitoring. Beyond the core system integrity monitoring discussed
above, this type of monitoring looks at behaviors such as network communications, processes
launched, files opened and log entries for behavior patterns that indicate malicious activity,
including within containers. Another technique is to establish patterns of expected behaviors from
whitelisted applications and look for deviations in behavior. In addition, several of the EDR vendors
specifically target server workload protection use cases (see "Market Guide for Endpoint Detection
and Response Solutions"). These capabilities are focused on detection and response, rather than
prevention of attacks. Monitoring server workloads for anomalous behavior should be considered a
best practice, although some organizations will achieve this with network-based monitoring, rather
than host-based agents. Thus, we haven't made this a core requirement of CWPP. Another common
use case will be to quickly scan all systems for the presence of a specific file by name or hash in the
event of an outbreak. This is a legacy vestige of signature-based antivirus scanning, but is used in
detection/response scenarios.
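The application control and behavioral monitoring described above, combined in one small host-side policy engine as an added example (not code from this Market Guide or from any vendor in it): executables are allowlisted by path and SHA-256 hash, a learning window records each allowlisted app's network destinations per container, and enforcement then blocks non-allowlisted launches outright while only alerting on deviations by allowlisted apps. The event format, the allowlist hashes and the log lines are all constructed for the illustration.

```python
"""Added example (not from the Market Guide): application control by hash
allowlist plus baseline-deviation alerting for whitelisted apps, per container.
Event format and all sample data are constructed for this illustration."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


def _h(s: str) -> str:
    """Stand-in for hashing an approved binary (constructed values)."""
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed allowlist: executable path -> SHA-256 of its approved build.
# A real deployment derives this from the golden image or the CI pipeline.
ALLOWLIST = {
    "/usr/sbin/nginx": _h("nginx-approved-build"),
    "/usr/bin/python3": _h("python3-approved-build"),
}

# Constructed event lines: ts|container|kind|exe|sha256|detail
# kind is EXEC (process launch) or NET (outbound connection, detail=dst:port).
LEARNING_EVENTS = """\
1|web-1|EXEC|/usr/sbin/nginx|{nginx}|parent=/sbin/init
2|web-1|NET|/usr/sbin/nginx|{nginx}|10.0.2.15:5432
3|web-1|NET|/usr/sbin/nginx|{nginx}|10.0.2.15:5432
4|web-1|EXEC|/usr/bin/python3|{py}|parent=/usr/sbin/nginx
""".format(nginx=ALLOWLIST["/usr/sbin/nginx"], py=ALLOWLIST["/usr/bin/python3"])

ENFORCEMENT_EVENTS = """\
10|web-1|NET|/usr/sbin/nginx|{nginx}|10.0.2.15:5432
11|web-1|EXEC|/tmp/.x/miner|{miner}|parent=/usr/sbin/nginx
12|web-1|EXEC|/usr/sbin/nginx|{tampered}|parent=/sbin/init
13|web-1|NET|/usr/sbin/nginx|{nginx}|203.0.113.9:4444
14|web-1|EXEC|/bin/sh|{sh}|parent=/usr/sbin/nginx
""".format(nginx=ALLOWLIST["/usr/sbin/nginx"], miner=_h("unknown-binary"),
           tampered=_h("nginx-replaced-on-disk"), sh=_h("sh-binary"))


@dataclass
class Event:
    ts: int
    container: str
    kind: str
    exe: str
    digest: str
    detail: str


def parse(text: str) -> list:
    """Parse the constructed pipe-delimited event lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, container, kind, exe, digest, detail = line.split("|", 5)
            events.append(Event(int(ts), container, kind, exe, digest, detail))
    return events


def is_allowed(ev: Event) -> bool:
    """Application control: the path must be allowlisted AND the on-disk hash
    must match the approved build, so a replaced binary at a trusted path fails."""
    return ALLOWLIST.get(ev.exe) == ev.digest


def learn_baseline(events: list) -> dict:
    """Record the destinations each allowlisted app contacted per container
    during the learning window; non-allowlisted activity never enters it."""
    baseline = defaultdict(set)
    for ev in events:
        if ev.kind == "NET" and is_allowed(ev):
            baseline[(ev.container, ev.exe)].add(ev.detail)
    return baseline


def evaluate(ev: Event, baseline: dict) -> tuple:
    """BLOCK = enforced policy violation; ALERT = allowlisted app deviating
    from its baseline (monitor and report); ALLOW = within policy."""
    if not is_allowed(ev):
        if ev.exe in ALLOWLIST:
            return "BLOCK", "hash mismatch for allowlisted path"
        return "BLOCK", "executable not on allowlist"
    if ev.kind == "EXEC":
        return "ALLOW", "allowlisted executable"
    if ev.kind == "NET":
        if ev.detail not in baseline.get((ev.container, ev.exe), set()):
            return "ALERT", f"new destination {ev.detail} for {ev.exe}"
        return "ALLOW", "destination in baseline"
    return "ALERT", f"unknown event kind {ev.kind}"


def run(learning_text: str, enforcement_text: str) -> list:
    """Learn from one window, then return (ts, verdict, reason) per event."""
    baseline = learn_baseline(parse(learning_text))
    return [(ev.ts, *evaluate(ev, baseline)) for ev in parse(enforcement_text)]


if __name__ == "__main__":
    for ts, verdict, reason in run(LEARNING_EVENTS, ENFORCEMENT_EVENTS):
        print(f"{ts:>3} {verdict:<5} {reason}")
```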
Host IPS including vulnerability-facing HIPS. Here, in addition to traditional network IPS
protection against known attacks, the CWPP vendor deeply inspects the incoming network traffic
stream for attacks against known vulnerabilities and prevents them. This layer may be redundant
with network IPSs protecting the data center; however, those may not protect from inter-VM or inter-
container-based attacks. HIPS becomes a valuable defense in depth control to shield from attacks
on a zero-day vulnerability until the patch can be applied or the VM/container is rebuilt, and is used
by some organizations to reduce the frequency of server patching. This type of protection may also
Deception. This emerging security protection capability creates fake vulnerabilities, systems,
shares, cookies, etc. If an attacker tries to attack these fake resources, it is a strong indicator that
an attack is in progress, as a legitimate user should not see or try to access these resources.
Deception technologies for network, application, endpoint and data are discussed in "Emerging
Technology Analysis: Deception Techniques and Technologies Create Security Technology Business
Opportunities." Some of these solutions are agent-based on the server workload and thus fall under
the scope of this research.
The above CWPP capabilities are what we expect to be running within a workload. However, as
information security architects develop a complete protection strategy for server workloads, Cloud
Workload Security Services (CWSS) external to the workload that surround the workload at the data
plane layer should also be considered (see Figure 2), which are outside the scope of this research.
These optional capabilities provide application-specific protection, such as web application
firewalling (WAF), database activity monitoring, load balancing, and network-based firewalling and
IPS.
Finally, in private and public cloud-based environments, there is a set of surrounding control plane
infrastructure services that are used to provision/deprovision, configure and manage the workload.
For example, identity and access management (IAM) services, network connectivity, network
configuration and storage configuration (see Figure 2). Several of the CWPP vendors in this Market
Guide have begun offering cloud infrastructure security posture assessment (CISPA) capabilities. In
addition, an emerging set of vendors outside the scope of this research provide CISPA capabilities
(e.g., Evident.io and CloudCheckr).
Support for hybrid cloud environments. One of the most critical considerations is that the
solution work in hybrid cloud environments that span on-premises workloads, VMs, containers
and deployments in public cloud IaaS from multiple cloud providers. For enterprises that still
have physical servers, support for these may be a requirement.
Server OSs supported. Most vendors support Windows and Linux. If Linux is supported, look
for specific support of your enterprise distributions and both 32- and 64-bit support, and
whether the product is at feature parity with Windows. If Windows is supported, then clarify
which versions and whether both 32- and 64-bit versions are supported. Few vendors support
HP-UX, IBM AIX or Oracle Solaris. Some vendors also specialize in supporting out-of-support
server OSs, such as Windows 2000 Server and Windows Server 2003.
Container support. Host-based agents need to be able to distinguish and apply policies based
on individual Linux containers, including network segmentation. This is an emerging critical
requirement for organizations using containers to support microservices-style architectures and
Representative Vendors
The vendors listed in this Market Guide are not an exhaustive list. This section is intended to
provide more understanding of the market and its offerings.
The following vendors offer solutions designed to satisfy at least some of the requirements noted in
the previous section. The capabilities that each vendor focuses on are summarized in Table 1.
Table 1. CWPP Vendor Capability Focus Areas. "X" Indicates an Area of Focus
[Table grid not recoverable from extraction; only the row and column headers survive.]
Vendors (columns): Amazon (Inspector), Apcera, Aqua Security, Bracket Computing, Carbon Black,
CloudAware, CloudPassage, Cloud Raxak, Dome9, GuardiCore, HyTrust, Illumio, Kaspersky,
Layered Insight, McAfee, Microsoft, Qingteng, Sophos, Symantec, Threat Stack, Trend Micro,
Tripwire, Twistlock, vArmour
Capabilities (rows): Hardening, configuration and vulnerability scanning; Network firewalling,
segmentation and visibility; System integrity measurement and monitoring; Application control;
Memory protection; Server EDR, HIDS and behavioral monitoring; IaaS data-at-rest encryption;
HIPS with vulnerability shielding; Deception; Anti-malware scanning; Privileged account
management; Change management; Log management and monitoring
Platforms (rows): Windows, Linux, Legacy Unix, VMware, AWS, Azure
Amazon
In 2016, AWS released an agent-based solution to scan Linux and Windows server workloads for
the presence of vulnerabilities and incorrect configuration. The agent is designed so that the scans
are implemented before workloads are placed into production in AWS, as well as scanning on-
demand, once they are in production. The agent integrates with many AWS APIs such as AWS IAM
for role-based authorization for managing assessments, the Amazon EC2 tagging API for grouping
systems and assessments, AWS CloudTrail for auditing, and Amazon SNS for workflow and
notifications related to assessments. Outside and independent of Amazon Inspector, agentless
data-at-rest encryption is available at no cost for Windows and Linux workloads via Amazon EBS
Volume Encryption. In addition, AWS Config, AWS Config Rules, Amazon CloudWatch and AWS
Multi-Factor Authentication provide additional, non-agent-based workload protection capabilities.
Apcera
Apcera provides a container management and orchestration platform for container-based
workloads, where the security is baked into its architecture. As such, it is not a traditional add-on
CWPP security solution. The use of Apcera requires the adoption of its enterprise container
management model, a decision typically driven by DevOps teams and application architectures,
not security. For security, as a key stakeholder, the Apcera platform provides built-in
policy enforcement for container configuration, container lockdown, container-level network
isolation and segmentation ("nanosegmentation"), as well as full visibility, auditing, logging and
alerting of its container environment.
Aqua Security
Aqua Security is a pure-play startup focusing on the security requirements of container-based
workloads. It provides container life cycle management and protection, from development into
operations, including container management services running in AWS and Azure. In development,
Aqua integrates into the CI/CD pipeline and scans container repositories against known common
vulnerabilities and exposures (CVE), configuration and other risks. For runtime protection, rather
than use an agent in the host OS, Aqua uses an architecture in which a privileged container is run as
a peer to the other provisioned containers on the host OS. Its runtime protection includes locking
down the container runtime environment to enforce controls on namespaces, privileged access to
root, container network segmentation (nanosegmentation) and container activities based on app
control (which it refers to as behavioral whitelisting). The model is created by observing containers
during runtime and using machine learning to whitelist legitimate behavior. Significant policy
violations can be blocked, while other deviations of behavior are monitored and reported, delivering
EDR for containers.
Bracket Computing
Bracket uses an agentless wrappering approach enabled by what it calls a "metavisor" to intercept,
secure and control all network and disk communications for Linux-based VMs running in AWS. In
2016, it extended this model to Google IaaS, Microsoft Azure and VMware. Protection starts at
provisioning with preboot image authentication and integrity checking. Then, the workload wrapping
technology provides network microsegmentation and data segmentation combined with
Carbon Black
Carbon Black's Cb Protection is best-known for its agent-based application control capabilities with
integrated memory protection, file integrity monitoring, device control and basic behavioral
monitoring for Windows and Linux workloads. It can also monitor workloads for configuration drift
from a defined gold image and stop file-based and fileless attacks by allowing only approved
software to run. In addition, it has a separately available (at additional cost) full EDR offering called
Cb Response. This is installed as a separate agent, providing more-detailed behavioral monitoring,
detection and response capabilities for advanced threats on Windows and Linux server workloads.
No specific API integration for cloud environments is provided.
CloudAware
CloudAware combines a large set of operational and security capabilities targeted at enterprises
with hybrid cloud environments spanning on-premises VMware environments and public clouds,
including AWS, Azure and Google. Its integrated offering includes inventory, cost management,
change management, configuration management, backup and replication services, as well as
integrated security capabilities. Its security capabilities can be deployed agentless or agent-based
for more control. Security agent capabilities include integrated file integrity monitoring based on
OSSEC with HIDS extensions, an integrated Nessus agent for configuration against CIS with
vulnerability assessment and an integrated Clam antivirus agent for anti-malware protection.
CloudAware also includes optional firewall management, a Breeze agent for orchestration and YARA
agent for all workloads at no additional charge. All management and security logs are consolidated
into its embedded ELK stack for single-pane-of-glass-based monitoring, management and
compliance reporting.
CloudPassage
CloudPassage has an agent-based solution with a cloud-based console for Windows and Linux,
providing vulnerability and configuration scanning, network segmentation (by managing the built-in
firewalls of the OS), system integrity monitoring, application control, and log monitoring capabilities
across any combination of public cloud, private cloud and on-premises data centers. In 2016, it
added support for container-based visibility and segmentation. It also provides basic intrusion
detection system (IDS) capabilities from its log monitoring and built-in multifactor authentication for
securing administrative access.
Cloud Raxak
Cloud Raxak has an agentless solution for Windows and Linux workloads (including support for
OpenStack and containers) that focuses primarily on secure boot and configuration management. It
Dome9 Security
Dome9 has expanded its strategy to focus on agentless network security visibility and management
for AWS and Azure, which leverages the IaaS platforms' built-in security controls and corresponding
networking and security APIs. Using the AWS and Azure APIs, Dome9 can provide full network
connectivity management and visualization, IAM security visibility and management, as well as
compliance and governance management for IaaS. It also has an optional agent that provides file
integrity monitoring, networking segmentation and protection for on-premises workloads. As such,
Dome9 will increasingly compete with other CWSS and CISPA providers. Dome9 is phasing out its
agent-based solution for Windows and Linux workloads that manages the built-in firewalls of these
OSs for network segmentation.
GuardiCore
GuardiCore focuses on network visibility and segmentation, combined with process-level visibility,
reputation and deception technologies, for the detection of and response to advanced attacks in
hybrid cloud data centers, including physical servers. It can be deployed by integrating with the
underlying virtualization layer and supports deception for server workloads running on VMware
vSphere, NSX and KVM and Xen Project. Alternatively, it can be deployed in-line as a virtual
appliance. For process-based visibility, its solution requires that an agent be installed, with agents
available for Linux, Windows, AWS and Azure images and agentless using network-level integration
with VMware NSX.
HyTrust
HyTrust's core focus is providing strong separation and monitoring of administrative duties for
administrative access in virtualized environments, including controls around virtual network
(including NSX), storage, and hyperconverged, virtualized systems, such as VCE, Nutanix, VxRail,
SimpliVity, Pivot3, Cisco and OpenStack environments. Its capabilities overlap with the PAM market;
however, it offers additional CWPP capabilities, such as system integrity measurements at boot time
and granular policy controls for VMware environments. HyTrust also provides agent-based data at
rest encryption and key management for VM-based environments, such as IBM, Amazon, VMware,
Microsoft and others.
Illumio
Illumio has a centrally managed agent-based solution for Windows and Linux, designed primarily for
workload and application visibility and segmentation by building an application-centric network
topology map with awareness of third-party network controls, such as load balancers, network
switches, firewalls and cloud security groups. The application map is built using flow information
gathered at the host that is then used to provide network flow visibility and manage the built-in
Kaspersky Lab
Kaspersky Lab offers a server protection solution for virtualized environments that protects Windows
and Linux workloads. In VMware environments, it offers agentless anti-malware scanning for
Windows, along with a network attack blocker that provides protection from port scanning, denial of
service attacks, buffer-overrun attacks and other network-based attacks. In addition, for VMware,
Hyper-V, Citrix XenServer and KVM environments, it offers a hybrid lightweight or full server agent
deployment for Windows and Linux, with additional protection, such as vulnerability monitoring,
patch management and exploit prevention. For physical and public cloud Windows and Linux
servers, its full server agent must be used. It offers no native integration into AWS or Azure IaaS
environments, and it has not yet added explicit support for container-based environments.
Layered Insight
Layered Insight is a pure-play startup focused on the security requirements of container-based
workloads; its product was released into general availability in early 2017. It instruments its monitoring code into the
container image to add another security layer providing fine-grained visibility into what the container
is doing (e.g., network, input/output and application behaviors), as well as policy-based application
control around those actions. To build its enforcement models, it combines observed behavior with
machine learning to create custom security policies for each containerized application. Unlike other
container security solutions, it works entirely within the container image. No host kernel agent or
privileged container is required, enabling the protection to be more portable. Organizations can
interact with Layered Insight's services via web interface or JSON API, but no specific API
integration for cloud environments is provided.
McAfee
McAfee (previously Intel Security) has two differently branded offerings for cloud workload
protection. For hybrid clouds, its foundational server security suite offering brings together anti-
malware, firewalling and HIPS capabilities for Amazon, Azure, OpenStack and VMware in
multiplatform and agentless deployments. Its advanced offering also includes dynamic whitelisting
through application control, FIM through change control and volume encryption for attached cloud
storage. Both offerings are available with a perpetual licensing model; however, the advanced
offering is also available in the AWS Marketplace with usage-based pricing. Both offerings are
licensed and managed via McAfee ePolicy Orchestrator. It has not yet added visibility or security
controls for container-based environments.
Qingteng
Qingteng is a China-based startup with an agent-based CWPP offering for Windows and Linux
servers, focused on two areas. The first capability focuses on vulnerability and configuration
assessment of the server workload to reduce the surface area for attack. This can be done
preproduction via APIs or in production using its agent. The second capability delivers EDR and
deception capabilities for the server workloads, monitoring decoy system elements, system
behaviors and network communication patterns, which are sent to its cloud-based analytics
platform (an on-premises option is available) for analysis of indications of compromise and
correlation with its own threat intelligence. Optionally, Qingteng will monitor this as a service for its
customers at an additional charge, delivering a managed detection and response service. It does
not yet deliver security blocking or prevention capabilities, such as application control, nor does it
offer native integration with VMware, AWS or Azure. Its console and offering are focused on the
CWPP market in China, and it does not yet target organizations outside China.
Sophos
Sophos offers a number of server protection offerings, with a choice of on-premises or cloud-based
management. Sophos supports Windows, Linux and Unix with anti-malware scanning, HIPS and
Sophos Live Protection. On Windows servers, Sophos also provides server lockdown via
whitelisting, application control, device control and ransomware protection. For VMware
environments and Microsoft Hyper-V, Sophos provides an off-box anti-malware solution for
Windows desktop and server workloads. For public cloud IaaS protection, Windows and Linux
server workloads are supported with agents, as well as native integration into AWS IaaS
environments to manage autoscaling instances. In addition, Sophos offers network-based unified
threat management (UTM) for protecting IaaS workloads, which includes firewalling, IPS and WAF
capabilities.
Threat Stack
Threat Stack provides a Linux EDR agent (with Windows support added in 2016) and a cloud-based
console for on-premises and cloud-based workloads, with native integration when workloads are
running on AWS. It provides baselining and monitoring of the server workload, including file integrity
monitoring, HIDS, vulnerability management, network flow monitoring and visualization, user
behavior monitoring for privileged accounts (especially related to DevOps), and analysis of the data
for indications of threats, using its own analytics, as well as ingestion of third-party threat
intelligence. In 2016, it added support for Docker containers: it builds and monitors per-container
behavioral profiles, and it scans Docker repositories to build a library of predefined behavioral
models for common container-based applications. In late 2016, Threat Stack added
configuration auditing that baselines configuration policy against AWS and CIS benchmarks for
AWS, delivering CISPA capabilities.
Trend Micro
Trend Micro is well-known for its comprehensive server workload protection capabilities and offers
an agent-based solution providing a choice of system configuration and hardening recommendations,
network segmentation, file and system integrity monitoring, vulnerability-facing HIDS/HIPS using
deep packet inspection, log analysis, and anti-malware scanning. Although it includes its own
firewalling capability, it does not directly address the needs of microsegmentation projects. It
supports a broad number of OSs, including Windows, Linux and variants of legacy Unix. In VMware
environments, these capabilities can be delivered agentless. Its policy management integrates with
the native tagging of VMware, AWS and Azure. Its latest release in early 2017 provided native
application control capabilities, as well as visibility and protection for containers, but not yet per-
container policies.
Twistlock
Twistlock is a pure-play startup focused on the security requirements of container-based workloads,
using a life cycle approach to container protection from development into operations. Rather than
use an agent in the host OS, Twistlock uses an architecture in which a privileged container is run as
a peer to the other provisioned containers on the system. The core of its container runtime
protection is anchored in an application control model that tightly controls what can run in the
container, the resources it can access (effectively delivering file integrity monitoring) and how it
communicates over the network, delivering nanosegmentation. Behaviors are controlled using
models of standard behavior created by monitoring behaviors at runtime and applying this across
fleets of similar containers. It also provides a library of behavioral patterns for common
containerized applications, as well as an internally developed anti-malware scanning engine. No
specific API integration for cloud environments is provided.
vArmour
vArmour offers an alternative to agent-based protection solutions. vArmour's distributed system of
virtual appliances provides application-aware segmentation, visibility, deception and network-based
threat detection of on-premises and public cloud-based workloads. Its core capability combines
application visibility with stateful enforcement to create, model and measure workload
segmentation. The vArmour solution can be placed in-line with network traffic for segmentation, or
in tap mode, if only visibility and threat detection are desired. Support for container-based
environments was announced in early 2017.
Market Recommendations
The rapid adoption of private and public cloud computing models, containers and DevSecOps is
fundamentally reshaping the security requirements for protecting private and public server
workloads. The time has come for enterprises to start protecting cloud-based workloads, using a
protection strategy that is different from end-user-facing desktops and laptops. Cloud server
workload protection strategies must be based on a foundation of solid operational hygiene,
including proper administrative control, patching discipline and configuration management. With the
widespread adoption of VMs and containers, server workloads tend to be allocated to a specific
application or service. This leads to the recommendation to adopt a core workload protection
For servers where sensitive information is handled or stored, other types of protection beyond the
core set of capabilities (such as EDR-type monitoring) add defense in depth (see "Market Guide for
Endpoint Detection and Response Solutions"). Furthermore, if the server OS is out of support and
can't be patched (for example, Windows Server 2003), then vulnerability-facing IPS (network or
host-based) should be a key part of the protection strategy, in addition to the core application
control strategy.
Signature-based, anti-malware scanning should be deactivated (and in many cases, removed) from
all servers that don't serve as general-purpose, file-sharing repositories in favor of a whitelisting-
centric approach using application control. If regulatory requirements specify antivirus scanning and
are not negotiable, use less-frequent, file-based scanning without the performance overhead of
memory-based scanning. Alternatively, keep the agent installed, but only activated on-demand if a
scan is needed.
Note 2 VDI
VDI is a special use case in which end-user-facing endpoint sessions are hosted on a server. These
should be secured using a more-traditional endpoint security approach, in which these sessions are
kept strongly isolated from the rest of the data center network. Signature-based anti-malware
scanning should be considered mandatory. However, because these VDI sessions are hosted on
servers using virtualization platforms, agentless anti-malware scanning solutions are often favored
to reduce resource contention.
© 2017 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates.