The cloud security solutions market is growing rapidly and there are many types of solutions to support your specific business needs. But figuring out the right tool, let alone the right type of tool, can be difficult. Gartner has 5 security archetypes that fall under the broader cloud security management platform umbrella.  This article gives a quick look into the CWPP archetype:

What Is It?
According to Gartner, CWPPs are workload-centric security offerings that target the unique protection requirements of workloads in modern hybrid, multi-cloud data center architectures. In plain english, CWPPs help organizations protect their capabilities or workloads (applications, resources, etc.) running in a cloud instance. CWPP capabilities vary across vendor platforms, but typically include functions like system hardening, vulnerability management, host-based segmentation, system integrity monitoring, and application allow lists. CWPPs enable visibility and security control management across multiple public cloud environments from a single console.

Gartner divides CWPP vendors into eight categories:

  • Broad, Multi-OS Capabilities
  • Vulnerability Scanning, Configuration, and Compliance Capabilities
  • Identity-Based Segmentation, Visibility, and Control Capabilities
  • Application Control/Desired State Enforcement Capabilities
  • Memory and Process Integrity/Protection Capabilities
  • Server EDR, Workload Behavioral Monitoring, and Threat Detection/Response Capabilities
  • Container and Kubernetes Protection Capabilities
  • Serverless Protection Capabilities

In its 2020 Market Guide for Cloud Workload Protection Platforms, Gartner states that workloads are becoming more granular — with shorter life spans — as organizations continue to adopt DevOps-style development patterns, with multiple iterations deployed per week or even per day. The best way to secure these rapidly changing and short-lived workloads is to take a proactive approach. By incorporating security via DevSecOps through the use of Infrastructure as Code templates, pre-deployment vulnerability management and code scanning, workloads are protected from the very beginning.

In What Context Is It Best Used?
Gartner states that the best possible context for a CWPP is a single provider IaaS, particularly where there are requirements for additional security capabilities to protect workloads.

Benefits and Limitations


  • Provide visibility into and control over workloads.
  • Provide comprehensive protection against workload risks deployed in IaaS. This is significant because workloads are difficult to protect, and as more organizations adopt container-based service deployments, the difficulty of protecting workloads will persist.
  • Can alert and escalate issues; local policy scripting at the workload level permits posture changes, such as firewall changes and application whitelist changes.


  • Lack identity and access management functions.
  • Cannot provide overall risk management services across all cloud deployments.
  • Cannot perform event monitoring outside of workloads.

For a deeper dive into Gartner’s cloud security archetypes, read: A Practical Guide to Gartner’s Cloud Security Archetypes.

Similar resources that you may also enjoy


Feature Release 21.1

With the first few weeks of January underway, we… 

View all Blog Posts

Hundreds of Thousands Immigration and COVID Records Exposed in Jamaica

Jamaica just experienced a massive data breach that exposed… 

View all Blog Posts

2021 Cloud Security Executive Summit Preview

Coming to our Executive Summit on March 9th? Here’s… 

View all Blog Posts