Best Cloud Workload Security Platforms

Cloud Workload Security (CWS) is a new discipline that applies security processes to cloud-based services and software.

The technology behind CWS is complicated and it is based on a new system called Extended Berkeley Packet Filter (eBPF). Think of eBPF as a cross between telemetry systems and containers. We won’t go deep into the methodology of eBPF because, in this guide, we are focusing on cloud workload security.

Here is our list of the best cloud workload security platforms:

  1. Datadog Cloud Workload Security: This cloud-based platform implements cloud workload protection as an advancement on the parallel distributed tracing system offered by the provider. This service also includes file integrity monitoring.
  2. Zscaler Cloud Protection: This platform operates as a secure virtual network across the internet and includes the protection of data in motion between cloud workloads.
  3. Microsoft Defender for Cloud: This is the well-known and widely trusted Windows Defender ported to the Azure platform and aimed at protecting cloud-based systems.
  4. Illumio Core: This platform implements “micro-segmentation,” which is a form of cloud containerization that enables the system to guard data exchanges between modules on the cloud.
  5. VMware AppDefense: This cloud security service implements behavioral analysis and anomaly tracking as its main protection strategy.
  6. Trend Micro Deep Security: This service operates as a cloud vulnerability manager and it includes a virtual patching service to close off security weaknesses in cloud workloads.

This type of service starts with performance tracing because you can’t protect a system unless you know its components as well as its boundaries. As such, CWS is part of the emerging discipline of “observability,” which looks for alternative methods to track activity within cloud-based systems, such as microservices.

Once the CWS system has identified all components of a service, it examines the activities of those modules to spot anomalous behavior that could indicate malicious takeover. Two techniques can be used to perform this detection, both of which are already implemented by next-gen AV and SIEM systems.

The first method is behavior baselining. Observability can extend its activities from tracking the performance of microservices to recording those observations and establishing a baseline of normal activity. If that behavior suddenly changes, you might have a security issue. The second method is the use of a signature database. This is almost identical to the Indicators of Compromise (IoCs) that SIEM systems use.
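The following Python sketch is an added example, not code from this guide or from any vendor's product, showing the two detection methods described above side by side: a baseline learned from normal activity and a signature lookup. The event fields, signature entries, sample events and the spike threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed signature database (IoC-style); the values are made up.
SIGNATURES = {"process": {"xmrig-sample"}, "dest": {"198.51.100.7:4444"}}

def build_baseline(windows):
    """windows: observation windows recorded during normal operation,
    each a list of (workload, process, destination) events."""
    seen = defaultdict(set)      # workload -> behaviours observed
    counts = defaultdict(list)   # workload -> event count per window
    for window in windows:
        per_wl = Counter(wl for wl, _, _ in window)
        for wl, proc, dest in window:
            seen[wl].add((proc, dest))
        for wl in seen:
            counts[wl].append(per_wl.get(wl, 0))
    return {wl: {"seen": seen[wl], "mean": mean(counts[wl]),
                 "std": pstdev(counts[wl])} for wl in seen}

def evaluate(window, baseline, z_limit=3.0):
    """Return a sorted list of (workload, reason) alerts for one live window."""
    alerts = set()
    for wl, proc, dest in window:
        # Signature method: a known-bad indicator fires regardless of baseline.
        if proc in SIGNATURES["process"] or dest in SIGNATURES["dest"]:
            alerts.add((wl, f"signature:{proc}->{dest}"))
        # Baseline method: behaviour never seen during normal operation.
        elif wl not in baseline or (proc, dest) not in baseline[wl]["seen"]:
            alerts.add((wl, f"new-behaviour:{proc}->{dest}"))
    for wl, n in Counter(wl for wl, _, _ in window).items():
        # Baseline method: sudden change in activity volume.
        b = baseline.get(wl)
        if b and n > b["mean"] + z_limit * max(b["std"], 1.0):
            alerts.add((wl, "rate-spike"))
    return sorted(alerts)

# Constructed sample data: four normal windows, then one suspicious window.
NORMAL = [[("web", "nginx", "db:5432")] * n + [("db", "postgres", "-")] * 2
          for n in (4, 5, 6, 5)]
LIVE = ([("web", "nginx", "db:5432")] * 20
        + [("web", "sh", "203.0.113.9:80"),
           ("db", "xmrig-sample", "198.51.100.7:4444")])

if __name__ == "__main__":
    for alert in evaluate(LIVE, build_baseline(NORMAL)):
        print(alert)
```

The signature check catches only what is already in the database, while the baseline checks catch unknown behavior at the cost of needing a clean learning period.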

The fact that CWS is a sort of “telemetry plus” package means that the best providers in this field are those cloud platforms that have already perfected a distributed tracing service. Many of the components in Web applications are run by plain-text programming languages that are not compiled. Therefore, the distributed tracing system can acquire the code as it executes and scan it through code profiling.

What is cloud workload security?

A “cloud workload” is a service, an application, a platform, a framework, a function library, or a piece of software that you install on a cloud virtual server. Any software running on a cloud platform is a workload.

As cloud services become more prominent, the need to find new ways to monitor and secure those processes becomes more urgent.

Cloud workload security is also called a Cloud Workload Protection Platform (CWPP). Just as you need to protect your on-site resources from malware, intrusion, and data loss, you need to secure those resources that you use in cloud computing. Although Amazon and Azure offer secure platforms, there is no way of knowing whether a malicious actor is currently devising a way to hijack cloud-based database systems or Web servers.

Why do you need cloud workload security?

Many applications are now built with the support of third-party development frameworks, APIs, and function libraries. These services provide tested and reliable functions that cut down development time. However, those APIs, functions, and framework services are all calls to little bits of programs that are running elsewhere on servers that you don’t own and don’t have access to. Many of them rely on the support of other services. One API can front many layers of microservices that run on different servers all over the world.

A little tweak in the unknown process could extract all of your clients’ personally identifiable information as it is processed. This would be a severe security breach. A well-meaning provider might implement insufficient security in its service and if hackers spot that weakness, all of your data could be stolen.

You don’t need to be engaged in the development of applications to be exposed to cloud workload security vulnerabilities. Many business software packages have been converted into Software as a Service (SaaS) offerings. In this scenario, you get cloud processors and storage space, but you lose control over security.

CWS platforms restore your control over the cloud-based software that your business uses.

The best cloud workload security platforms

The way CWS platforms operate is complicated. However, you shouldn’t need to spend time working out what the security system does; you need to be able to use it in a similar way to the methods you currently use with a SIEM package for your on-premises assets.

You can read more about each of these services in the following sections.

What should you look for in a cloud workload security platform?

We examined the market for CWS platforms and analyzed the providers based on the following criteria:

  • A dashboard that interprets cloud asset discoveries clearly
  • A system that can map application dependencies
  • Tools that include security indicators and automate vulnerability identification
  • An alerting mechanism that draws attention to cloud workload security weaknesses
  • An automated service that enables rapid response to security problems
  • A free trial or a demo for a no-cost assessment opportunity
  • Value for money, represented by a competent tool at a reasonable price

With these criteria in mind, we identified the most impressive new CWS platforms that are currently coming onto the market.

1. Datadog Cloud Workload Security

Datadog Cloud Workload Security uses eBPF to examine the kernels of cloud platforms and containers. The system also examines files and data exchanges for attacks and it can provide full traces on data access activities.

Key Features:

  • Examines all cloud processes
  • Uses eBPF to examine kernels
  • Includes file integrity monitoring
  • Security alerts
  • Combines strategies

Datadog is very good at presenting data in a digestible manner in its dashboard, so you don’t get bogged down with technicalities when using the system. You just need to look at the live reports on the screen, which summarize activity and highlight threats and possible security breaches.

The Datadog detection strategy combines a vulnerability scanning style of detection with an anomaly detection system. The tool will scan through systems and their contributing modules, capture their code and scan it. The system includes an alerting function so you don’t have to sit and watch the dashboard to catch security issues.


Pros:

  • Cutting edge technology
  • Preventative scanning as well as live activity tracking
  • Custom detection rules are possible
  • Scans containers
  • Web-based console


Cons:

  • Doesn’t monitor AWS Fargate

Datadog is easy to subscribe to and its Cloud Workload Security package is just one of the modules that this platform offers. You can combine this tool with log analysis, a SIEM, and network monitoring to get full control over your entire IT system. Datadog Cloud Workload Security is available for a 14-day free trial.

2. Zscaler Cloud Protection

Zscaler Cloud Protection is a zero-trust access system that secures paths between modules operating over the internet and creates a virtual network. The package also includes a Cloud Security Posture Management (CSPM) service that assesses configuration vulnerabilities in cloud services. So, the system strengthens security in workloads and then protects their data exchanges against intruders.

Key Features:

  • App-to-app data transmission protection
  • Workload containerization
  • Implements micro-segmentation
  • Allows behavior baselining

The Zscaler system is complicated and it amounts to a form of containerization that wraps groups of services that are working together so that they can be protected from interference. This is possible even though those associated processes and workloads might be running on many different servers in different locations.

Activities of each segmented workload bundle can be baselined, using machine learning, and then deviations from that standard behavior will provoke security alerts.


Pros:

  • Innovative protection
  • Lightweight security methods that don’t slow down transmissions
  • Protection for data exchanges
  • Vulnerability scanning for cloud systems


Cons:

  • Difficult to conceptualize

The Zscaler system can be applied to all processes that are deployed by hybrid networks. This system implements application security across sites and platforms, and it doesn’t only apply to cloud workloads. You can ask for a demo to assess the Zscaler strategy.

3. Microsoft Defender for Cloud

Microsoft Defender for Cloud is a cloud-based version of the Windows Defender system that can be found on any PC as part of the Windows operating system. The Cloud system is a service on the Azure platform. This package combines cloud security posture management and cloud workload security to prevent security weaknesses and then watch for software-based or manual threats.

Key Features:

  • Hosted on Azure
  • Vulnerability assessments
  • Live protection

Although Microsoft Defender for Cloud is hosted on Azure, it doesn’t just protect assets on that platform. It can also provide security for workloads running on AWS and Google Cloud Platform. The service also covers on-site systems, so this is a complete security package for hybrid and multi-site networks. It will protect virtual systems and containers, plus applications, such as databases, mail systems, and Web servers.


Pros:

  • System hardening and security monitoring
  • Covers on-site assets on multiple sites
  • Can be tuned to standards compliance requirements


Cons:

  • No good for people who want to avoid Microsoft products

Microsoft offers a free tier for this and 25 other services on its Azure platform. This gives you a service value of $200 for the first month. Usage above that level is charged at a pay-as-you-go rate.

4. Illumio Core

Illumio Core uses a micro-segmentation strategy and is application-focused. These are buzzwords that boil down to a wrapper around a bundle of services that contribute to a single user-facing application. This is the same strategy that Zscaler uses.

Key Features:

  • Cutting-edge technology
  • Performance monitoring
  • Application protection

Like Zscaler, Illumio grants access to applications rather than to platforms or equipment, such as servers. This is a difficult concept to understand but it is a meaningful solution to the complexity of dealing with components that run on different servers. The containerization of several services into a virtual application blocks malware attempts to get into a running system – if a program isn’t on the list of participating modules, it isn’t getting in. Similarly, the outer shell encrypts data exchanges between units, so intruders and snoopers are confounded.

The Illumio method cloaks internal components to the outside world but not to its monitoring service. As part of its micro-segmentation work, the Illumio Core system researches all contributing services and creates an application dependency map. Thus, while creating a wrapper to protect the group, it still tracks the activity of each unit individually.


Pros:

  • Protects microservices that contribute to a single application
  • Application dependency map
  • Monitoring of components and groups of services


Cons:

  • Some might struggle to understand the technology

If you are the type of person that needs to understand all of the technology you use, you might be put off using this service because it requires a complete shift in comprehension to the way you are used to thinking about how your network runs and how it should be protected. You can get a look at the Illumio Core system by attending a Virtual Lab session.

5. VMware AppDefense

VMware AppDefense is a protection service for data movements. VMware is the master of virtualization, creating imaginary endpoints on a single device and connecting them with a network that only exists within the server. Port this concept to the internet and you have the outline of the AppDefense system.

Key Features:

  • Connection protection
  • Behavior analytics
  • Anomaly detection

AppDefense creates a virtual network between workloads that interact with each other. This means that outsiders can’t insert themselves into the process by intercepting traffic or by insinuating extra modules into the pot. As well as providing a cloak for operations, this tool uses machine learning to establish a baseline of normal behavior and spot anomalous activity.

VMware’s virtualization products are available for on-site implementation and as services on the major cloud platforms. AppDefense interlaces with your current VMware systems to create a hybrid environment and link together all of the virtualizations so that composite applications and their microservices can safely swim together within the virtual environment no matter where the supporting physical infrastructure may be.


Pros:

  • Links together on-site and cloud VMware virtualizations
  • Creates a safe space for fragmented systems to work together
  • Separates application dependencies from operating systems


Cons:

  • Doesn’t integrate container activity

VMware AppDefense works better as a total VMware solution. That is, you would be advised to go all-in with VMware products on all of your platforms to get the best out of this cloud security solution. Check out this system through a 30-minute VMware vSphere Lab.

6. Trend Micro Deep Security

Trend Micro Deep Security is a combined vulnerability manager, anti-malware, and intrusion detection system for on-site, cloud, and virtual resources. This system includes an autodiscovery mechanism that will identify any new software installed on a monitored platform and then search through to discover all of its supporting services and create an application dependency map.

Key Features:

  • Protects hybrid systems
  • Identifies system vulnerabilities
  • Blocks malware

This service will interface with the native reporting tools provided by AWS, Google Cloud Platform, Azure, IBM Cloud, Oracle Cloud, Hyper-V, Citrix XEN, VMware, Docker, and Kubernetes to track activity and then establish a baseline of normal behavior. It then looks for deviations from that pattern that would indicate the presence of malware, an insider threat, or an intruder.


Pros:

  • Includes application dependency mapping
  • Uses anomaly detection
  • Self-hosted option


Cons:

  • Doesn’t include code profiling

Trend Micro Deep Security is a SaaS platform. However, you can also request the software to run as a virtual appliance on-site or on your private cloud. The service can also be used for application security testing on systems under development. You can assess this system with a 30-day free trial.