Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

About CWPP

The Skyhigh Security Cloud-Native Application Protection Platform (CNAPP) allows you to easily discover cloud assets, audits the cloud with CSPM, audits PaaS and Container (KSPM) resources, and also protects workloads as they run in the cloud (CWPP).

The Cloud Workload Protection Platform (CWPP) supports the following features on your cloud or on-premises environments:

  • File Integrity Monitoring (FIM)
  • Application Control
  • Container Image Control
  • Runtime VM/Container Vulnerability Assessment (VA/CVA)
    NOTE:  Vulnerability Scans for VM snapshots are not yet supported in Agentless Mode.
  • Image Hardening
  • Malware Scans for Virtual Machines (VMs) and Cluster/Container Workloads 

CWPP is supported for AWS, GCP, and Azure-managed Kubernetes and VM workloads. It supports Docker, containerd, crio or any CRI compliant container runtimes.

These features are supported in two modes: agentless and agent-based modes. 

Agentless Mode

In agentless mode, Skyhigh CASB can scan your VM snapshots to monitor the different cloud workloads such as VMs or containers. Skyhigh CASB just needs adequate permissions to access the VM snapshots that are created on your organization's premises.

This approach is recommended for organizations that don't want to install agents on each workload. You can get started by providing a few IAM permissions to Skyhigh CASB. This way, Skyhigh CASB can discover all the cloud workloads and scan the snapshot to detect vulnerable versions of software.

In AWS, Skyhigh CASB also uses Native SSM (Systems Manager) agents to provide certain runtime functionality, including Security Configuration Audit for application components. This approach is also considered agentless because there is no vendor or functionality-specific agent to run on those machines.

Agent-based Mode

In agent-based mode, a lightweight agent is installed on the cloud workload, either via a package manager or by running the agent container on the clusters. (In certain cases, the container approach is also called agentless.) 

Along with the agent, a Point of Presence (PoP) must be installed in your cloud or on-prem deployment for the agent to communicate back to Skyhigh CASB. A typical deployment is depicted in the following diagram.


  • Was this article helpful?