Cloud Workload Security Best Practices: Ensuring Robust Protection in the Cloud

Blog Author
Brian Thomas

We’ve posted quite a bit about how more companies are shifting their workloads to the cloud. But a key question is how do you secure those workloads in the cloud? With some many different permutations of cloud workloads, from virtual machines, to endpoints, to containers, getting started with how to secure it all can seem a little overwhelming? So what are some cloud workload security best practices?


Cloud Workload Security Best Practices

People and Processes

First and foremost, you need the right people and policies and organizational structures in place. There’s a saying that organizations don’t have technology problems, they have people and process problems.


Protecting your cloud workloads should begin with having a designated point person to oversee security in the cloud. This person should work closely with devops, devsecops, and other cloud users to understand their business needs, and work with those teams to develop processes and procedures that ensure cloud workloads stay secure. This may include educating employees on their responsibilities with security, common risks, and what procedures or tools should be used to mitigate those risks.


Pay attention to:

  • Privilege allocation and user-/role-management for workloads
  • Put in place a culture of continuous monitoring, automating the process if possible
  • Involve the devops team and business owners in discussions about security, patching and and policy
  • Ensure there’s a two-way conversation with devops to ensure security measures don’t get in the way of the work they’re doing or slowing down progress

Security is everyone’s responsibility, but extending a hand as a partner can go a long way to getting other teams to buy into promoting a culture of continuous security improvement.


Securing VM Workloads

To protect your virtual machine workloads, take the following steps:

  1. Put configuration standards in place for all the operating system and builds you’ll have operating in the cloud. We suggest using CIS benchmarks as a good place to get started, but you’ll need to customize the requirements for your organization. Many cloud providers provide virtual machine templates that can be leveraged, which can give you a good starting point to ensure your configurations match the vendor best practices or requirements.
  2. If you’re fully cloud native using one vendor, try using cloud native management tools available from most vendors that can help manage patching and maintenance. 
  3. If you’re running hybrid cloud, use one tool like Puppet to automatically configure and monitor virtual machines, both in-house and in the cloud. 
  4. If patches and updates need to be run, update the templates and deploy new VM’s and terminate the old ones to ensure that the configurations are correct and deployed correctly.


Endpoint Protection

Remember that under the Shared Responsibility Model your organization is responsible for securing everything in the cloud. That means anti-malware, firewalls, and endpoint security and endpoint posture management solutions need to be put in place on all cloud images.


Many organizations have endpoint protection solutions such as EDR in place, and many EDR vendors have taken steps to adapt their product to cloud deployments. However cloud native solutions are usually a better option.


Securing Containers

Container controls can usually be implemented with container image scanning through your vendor. Both Google and AWS offer image scanning services that natively integrate with their products. This makes it easy to automate most vulnerability and checkin scans, and lessens the manual burden on the team. Run time scanning will require a third-party tool, which should be installed into all containers to monitor for attacks.


Cloud Workload Protection Platform

A relatively new category, cloud workload protection platforms (CWPP) can offer complete security observability for your cloud workloads, collecting and analyzing real-time workload activity in detail—for hosts, VMs, containers, microVMs, and serverless functions—alongside the cloud infrastructure and orchestrator telemetry that acts as the control plane for these cloud-native applications.


The best ones take advantage of industry frameworks such as MITRE ATT&CK, CIS Benchmarks, and SOC 2 to ensure you meet recognized standards for security.



At the end of the day, it’s difficult to secure what you can’t see. Using a cloud-native analytics platform can give you deep insights into behavior, posture, and performance. Implementing tools that allow you to ask any question of your cloud endpoints and get the answers you need is vital to securing complex cloud environments, aid in forensics, and assess weak points and status.



Technology and business requirements are constantly evolving, and not always in the same direction. As the business presses for speed, agility, and flexibility, those needs must be balanced against the necessity for security. The cloud landscape is very much in flux, with many organizations stuck in the middle space between hybrid and fully cloud-native, but following these best practices can give you a good starting point to securing your cloud workloads.


Want to learn more about the fundamentals of securing the cloud?
Read our new guide to find out more.

cloud fundamentals ebook cta image