山石岩读丨谁说CWPP只能是主机安全?
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了山石岩读丨谁说CWPP只能是主机安全?相关的知识,希望对你有一定的参考价值。
Gartner 2020年的CWPP市场报告发布了,又该有一波代表厂商要开始解读了,2016—2020,从连续5年CWPP的Market Guide中,我看到了IT技术演进对安全产品形态的巨大影响和客户价值导向这个永恒的原则。
Neil MacDonald写了5年CWPP的Market Guide,我也看了5年。2019年6月我还有幸在GartnerSecurity & Risk Management Summit上跟老爷子面对面交流了一次,尽管当时聊的不是CWPP,老爷子超强的技术理解力和敏捷的思路让我惊叹,因为当时我跟他介绍了我们在国内大规模使用的一种产品方案,他很快就能判断这是否属于Gartner定义的某一个品类。
纵观5年的CWPP报告,2019年是个分水岭。一直以来大部分网络安全厂商都没能很好的解决云内虚拟化网络带来的超高技术门槛,主机安全厂商由于其agent软件的环境无关性,反倒是越来越多被客户选择,2016—2018年的CWPP报告更加让主机安全厂商相信这就是大结局了,然而容器技术的广泛使用和不断成熟,让形势有了新的变化,之前在虚机实例里安装的agent软件显然继续在容器实例里安装不是个合理的方案,同时Gartner也重识intrusion prevention和anti-malware protection对cloud workload(虚机和容器)的重要价值,而这两项是大部分agent-based方法无法覆盖的。
大多数Gartner品类市场报告的读者最关注的是一定是Representative Vendors章节,当然这个章节确实重要,因为进入了的厂商要欢庆,没进入的厂商也要看看谁进去了,好默默的咬牙切齿。而真正能看出门道的其实是开篇的部分:引言、关键发现、产品选型建议、市场定义,以及一张被CWPP厂商们广泛传颂的Cloud Workload Protection Controls Hierarchy图。
一、引言的变化
2018年的如下,2017和2016年基本一致,只是说CWPP是一种混合云安全方案,并未明确Cloud Workload具体是什么。
Server workloads in hybrid data centers spanning private and public clouds require a protection strategy different from end-user-facing devices. Security and risk management leaders should evaluate and deploy offerings specifically designed for cloud workload protection.
2020年的如下,2019年基本一致,特意强调了混合云中的workload是虚机、容器和无服务。
Protection requirements for cloud-native applications are evolving and span virtual machines, containers and serverless workloads in public and private clouds. Security and risk management leaders must address the unique and dynamic security requirements of hybrid cloud workloads.
二、关键发现的变化
2018年的如下,2017和2016年基本一致,一直在强调传统安全方法(signature-based)的不适用,我们知道***防御和病毒防护都是signature-based。
■Left uncontrolled,cloud environments inevitably spin into unmanageable complexity and have unique security needs that legacy security protection solutions do not address.
■As enterprises implement hybrid data centers, with workloads running on-premises and in multiple infrastructure-as-a-service providers, consistent security becomes difficult.
■The increasing adoption of containers complicates workload protection strategies.
■Numerous cloud workload protection platform vendors are emerging to address these unique requirements, including many smallers tartups, which is confusing buyers.
■Signature-based approaches provide little or no value for server workload protection.
2020年的如下,2019年基本一致,仅是明确传统PC机防病毒软件不适合服务器,其实在物理机时代,服务器里也基本不装杀毒软件。
■Enterprises using endpoint protection platform(EPP) offerings designed solely for protecting end-user devices (e.g.,desktops, laptops) for server workload protection are putting enterprise data and applications at risk.
■Most enterprises are purposefully using more than one public cloud IaaS.
■The majority of enterprises are now piloting or using container-based applications and are experimenting with serverless platform as aservice (PaaS).
■With cloud-native applications,workload security must start proactively in development.
■Increasingly, container and serverless workloads are scanned for vulnerabilities and miscon?gurations in development, but are deployed with little or no runtime protection within the workload and instead rely on external network instrumentation and event monitoring to detect threats.
■There is more risk from cloud infrastructure miscon?guration than from workload compromise.
三、产品选型建议的变化
2018年的如下,2017和2016年基本一致,强调不是desktop solution,意为新型endpoint solution。
■ Use CWPP offerings —not desktop solutions— to protect the scale and dynamism of cloud workloads through native integration,programmability and orchestration.
■ Require vendors to protect workloads across physical and virtual machines, containers and multiple public cloud IaaS, all from a single management framework and console.
■ Require vendors to natively integrate with VMware, Amazon Web Services and Microsoft Azure,and Google Cloud Platform APIs, as well as tags for policy management.
■ Use application control and whitelisting as the primary CWPP protection strategies and use traditional antivirus scanning only when the server hosts file-sharing repository.
■ Require vendors to API-enable security protection functions to be automated and integrated into DevSecOps-style workflows for scanning prior to deployment.
2020年的如下,2019年基本一致,完全不再提endpoint solution,而且特别强调了一定要考虑agent软件无法使用和不再有意义的情况,其实指的就是容器和无服务场景。
■Architect for consistent visibility and control of all workloads regardless of location, size or architecture.
■Require cloud workload protection platform (CWPP) vendors to support containers with planned solutions for serverless. Be open to point solutions if your legacy vendor doesn’t meet your container requirements.
■Extend workload scanning and compliance efforts into development(DevSecOps), especially with container-based and serverless function PaaS-based development and deployment.
■Require CWPP offerings to expose all functionality via APIs.
■At runtime, replace antivirus-centric strategies with a “zero-trustexecution”/default deny approach to workload protection where possible, even if used only in detection mode.
■Architect for CWPP scenarios where runtime agents cannot be used or no longer make sense.
■Require CWPP vendors to offer integrated cloud security posture management (CSPM) capabilities to identify risky con?gurations.
四、市场定义的变化
2018年的如下,2017和2016年基本一致,一直在强调用agent-based方法。
The market for cloud workload protection platforms (CWPPs) is defined by offerings specifically designed for server workload-centric security protection and are typically agent-based for deep workload visibility and attack prevention capabilities.
2020年的如下,2019年基本一致,完全不再提agent-based方法,并重识intrusion prevention和anti-malware protection对cloud workload(虚机和容器)的重要价值,而这两项是大部分agent-based方法无法覆盖的。
The market for CWPPs is de?ned by workload-centric security offerings that target the unique protection requirements of workloads in modern hybrid, multicloud data center architectures.
CWPPs should provide consistent visibility and control for physical machines, virtual machines (VMs), containers and serverless workloads, regardless of location.
CWPP offerings should start by scanning for known vulnerabilities in development.
At runtime, CWPP offerings should protect the workload from attacks, typically using a combination of system integrity protection, application control,memory protection, behavioral monitoring, host-based intrusion prevention and optional anti-malware protection.
五、Cloud Workload Protection Controls Hierarchy图的变化
Cloud Workload Protection Controls Hierarchy图的变化更能说明问题,这次我拿2018和2019的做对比,因为2020的图跟2019的信息一致,但我个人认为不如2019年画的好看。最明显的变化就是2019年的图里明确指出intrusion prevention和anti-malware也是important,并且金字塔里不再有CWPP之外的能力,而是换成了在workload外面来做的说法,其实就是指基于流量的安全能力,也对cloud workload(虚机和容器)具有重要价值。
图注:2018年
Cloud Workload Protection Controls Hierarchy图
图注:2019年
Cloud Workload Protection Controls Hierarchy图
最后,全文观点总结如下——
1、强调CWPP仅是主机安全不再有意义
2、保护Cloud Workload,网络安全同样具有价值
3、IT技术演进对安全产品形态有着巨大影响
4、客户价值导向是永恒原则
尤其是对于容器的业务环境,主机安全像网络安全一样也要工作在workload(容器实例)的外部,前者仍旧是看进程、文件,后者仍旧是看流量,互相之间不冲突也不矛盾,事实上共同配合才能把容器安全保护的更好。这也应了我开篇的首句,IT技术演进对安全产品形态一直产生着巨大的影响,同时客户价值导向是永恒的原则。
Gartner从2019年开始就对CWPP代表厂商进行了详细的分类,2020年的分类包括:
Broad, Multi-OS Capabilities
Vulnerability Scanning, Configuration and Compliance Capabilities
Identity-Based Segmentation, Visibility and Control Capabilities
Application Control/Desired State Enforcement Capabilities
Server EDR, Workload Behavioral Monitoring and Threat Detection/Response Capabilities
Container and Kubernetes Protection Capabilities
Serverless Protection Capabilities
相信这个分类以后会更加细分下去,并且在CWPP这个品类里,会出现百家齐放,百家争鸣的局面,每个厂商产品擅长的技术不同,但目的却是相同的,那就是为cloud workload(虚机和容器)提供真正有价值的安全服务。
注:本文部分内容引用自Gartner《2020年云工作负载安全防护平台市场指南(Market Guide for Cloud Workload Protection Platforms)》
以上是关于山石岩读丨谁说CWPP只能是主机安全?的主要内容,如果未能解决你的问题,请参考以下文章