Cloud-native applications need a unified continuous security approach

Cloud-native has arrived and now, it’s taking over. By 2021, 92% of companies will go cloud-native. It’s faster, it’s more efficient, more scalable, and more flexible. But is it more secure?

As businesses integrate cloud-native technologies, such as Kubernetes, across their clouds, the complexity and distributed nature of these platforms increasingly require companies to rethink their approach not only to Dev and Ops, but also, security.

The primary cloud platforms – AWS, Azure and Google Cloud, each offer various security features, however, their flexibility differs from one platform to the next. And what happens when a company deploys multiple Kubernetes clusters across multiple platforms simultaneously, as is often the case?

Build fast – deploy fast sounds familiar? Well, think again. To keep pace with the cloud-everything motion, Dev. teams are now deploying code on a daily basis and sometimes even multiple times a day. Additionally, cloud-native has given rise to a new software supply chain, one that embraces open source and 3rd-party code in an effort to accelerate development cycles.

As a result, companies are integrating code into their applications that they did not necessarily create and which may introduce unanticipated and unknown threats or vulnerabilities. This dynamic pace, combined with complexity, creates a new risk, which if not properly identified and managed, can expose companies to substantial financial and reputational damage.

Pinpointing, preventing and mitigating vulnerabilities and threats in this new accelerated cloud-native development model and infrastructure requires a new approach to security, one that is uniform across platforms and continuous across the software development lifecycle (SDLC). It requires a shared security responsibility & ownership, as well as shared process and tools, to keep cloud-native deployments in general, and infrastructure, applications and data specifically, safe.

The evolution of Dev, Sec and Ops and the rise of continuous security

Traditionally, Development built the application, Operations managed the application and Security protected the application. Each team had a role and a place in the process, the handoffs were clear and the roles distinct. But that world doesn’t exist anymore.

As software has evolved from tightly controlled monoliths, centrally managed and owned, to rapidly evolving, distributed clusters of microservices managed by platforms like Kubernetes, the supporting roles too have evolved requiring these once independent teams to think and work collaboratively and collectively.

The introduction of containers, microservices, open source and 3rd-party code to applications on accelerated development and delivery schedules are forcing these teams to share the responsibility of authoring and enforcing security policies from the start. Developers need to whitelist their application’s requirements and specify the methods of enforcement of distributed security policies that apply to its own, 3rd-party code and its supporting services.

By applying security at the code, container and microservices level early in the development cycle, enterprises incorporate security into their applications in a way that is practical, that scales and grows with the application, and doesn’t slow development, application or business agility. Operations then must monitor the behavior of the microservices for anomalous behavior and evaluate behavioral outliers to detect vulnerabilities and isolate security risks before they threaten the performance and integrity of the application or its data.

This collaboration by Dev, Sec and Ops protects cloud-native applications throughout the entire application life cycle, creating a continuous process for the definition and enforcement of uniform security policies across all core application components – the software supply chain, the services mesh (e.g., Istio, AWS AppMesh), and the underlying container-based infrastructure (e.g., Kubernetes). This, in return, enables engineering teams to not only eliminate security vulnerabilities before causing costly re-engineering, rollbacks or patches, but to also add the capability to monitor and manage all security layers of their growing cloud-native applications.

Implementing a continuous and uniform approach to security

Once committed to cloud-native technologies and the realization that security must be applied throughout the Development pipeline not only at the end, DevSecOps teams need uniform cross-platform security controls that should start as early as possible. As a starting point, DevSecOps teams should implement the best practices recommended by the leader in container orchestration, Kubernetes, and mesh contenders Istio and AWS Service Mesh. These best practices provide a foundation upon which DevSecOps can build a more expansive security program.

Ongoing DevSecOps teams can proactively take these steps to ensure security:

From the start: Spin up a Kubernetes cluster with the latest patches and recommended configurations. Teams should then deploy the cluster and tune the access controls next.

Scan for vulnerabilities: Assess what is running and its level of integrity and hygiene. Look for embedded secrets or secrets wired to the wrong locations (locations are one way to determine how much to trust a container). Look for excessive privileges that would enable a bad actor to read K8s secrets as root, which could take over the entire environment.

Master your cluster: Work with your Sec and Ops teams to design and deploy uniform security policies across all development stages. Pinpoint common misconfigurations security best practices, to avoid runtime security drifts.

Don’t compromise on agility: Evaluate the appropriate amount of hardening based on the workload and the speed and agility called for based on the criticality of your application or the specific security and governance rules followed by your company.

While the perimeter of defense for cloud-native applications has grown harder to define in recent years, thoughtful evaluation of the development environment, communication privileges of containers, and the application of security policies early in the development process will help DevSecOps teams secure applications and mitigate threats.

Continuous security for cloud-native: The time is now

The dynamics of software development have changed substantially with the advent of cloud-native and show no signs of slowing down. As a result, the inherent risks for cloud-native application platforms such as Kubernetes and Istio are growing too as they increasingly become targets for sophisticated hackers.

By delivering security from the start, uniformly and continuously, enterprises will position themselves to keep pace with the speed of innovation without compromising their networks, applications or data. The automation, technologies and processes exist, it’s time for DevSecOps teams to embrace them.

Don't miss