Byline: Chris Jenkins, Principal Chief Architect at Red Hat
The evolution of containers and hybrid cloud technologies has brought significant benefits to the enterprise. These platforms democratize access to new applications and technologies, enabling teams to work more seamlessly together and facilitate increased innovation within the organization. Over the last few years, IT leaders have been championing migrations from on-premises based virtual machines to containers and the hybrid cloud accordingly, with almost three quarters (73%) of enterprises now using a hybrid cloud strategy.
As is the case whenever technology evolves, organizations must also adapt their cybersecurity and compliance strategies to mitigate the risks associated with the new approach. For example, perimeter-based security, which took a ‘castle and moat’ approach to protecting the internal network, is no longer entirely fit for purpose, because certain operations now take place on, for example, external public cloud infrastructure.
As a result, cybersecurity teams must adopt practices that can manage and adapt to more multifaceted attack surfaces. New approaches have been developed with the hybrid cloud environment in mind, including layered, defense-in-depth security, secure by design principles, and the Zero Trust Model.
In this article, I’ll summarize the current hybrid cloud cyber-threat landscape and explain how and why modern security practices must adapt and scale. I’ll conclude by exploring the real-world benefits of these new approaches, including the value of an innovative DevSecOps culture, and the significant real-world commercial and reputational impacts on the organization.
The hybrid cloud cyber-threat landscape
The expansion of cloud technologies has seen the global cyber-threat landscape adapt accordingly. This year, IBM found that two in five (40%) data breaches involved data stored across multiple environments, including public clouds. When breached data was stored in public clouds, it incurred the highest average breach cost, at USD $5.17 million. In this new context, security teams must evolve their approach to keep ahead of protection gaps, compliance requirements, tooling changes, and architectural changes.
Traditional security practices alone can no longer manage modern security risks because they simply weren't designed to reflect the modern environment’s complexity. The strategic way to best protect your container and hybrid cloud based environments is to take a defense-in-depth approach to security, which requires a single-pane view of the organization.
Defense-in-depth with a single-pane view
Centralization for a single-pane view
The first step of an organization’s hybrid cloud security approach must be centralization and visibility—because you can’t protect what you can’t see. Hosted and managed hybrid cloud platforms, like Red Hat OpenShift, are purpose-built to support disparate cloud environments, helping to provide a centralized, consistent experience for users, simplifying security and compliance.
A layered, defense-in-depth approach
A concurrent step is to make security an integral part of every stage of the infrastructure and application stack and lifecycle: design, build, run, manage, and adapt. It cannot be seen as an afterthought or a tick-box exercise. Robust security should be built into applications, which must then be deployed onto hardened platforms.
As security and compliance requirements change, automation and management infrastructure must be able to seamlessly adapt. Therefore, authorization between people and systems should be explicit instead of assumed. Additionally, people and automated processes should align to facilitate early threat detection and maintain compliance. This can reduce manual workloads and stop a security threat before it becomes a bigger problem.
To bring this to life, security measures can be layered across the infrastructure and application lifecycle, which fortifies environment-wide defenses. For example, reflecting that modern environments are complex and constantly evolving, Red Hat software prioritizes defense-in-depth strategies that reassure organizations they are never relying on a single security layer.
Breaking a system down into the operating system, the platform layer, and the application components and their connectivity enables teams to have confidence in the security and regulatory compliance of each level, and hence of the entire system as a whole.
Secure By Design principles
"Secure by design" is an approach to software development where security is integrated from the very beginning of the design process rather than being added as an afterthought. This principle emphasizes the importance of building security features and considerations into the architecture and design phases of development, ensuring that potential vulnerabilities are addressed before they can become problems. This approach involves practices such as threat modeling, secure coding standards, and regular security testing. By considering security early and often, developers can create systems that are resilient against attacks, reducing the likelihood of exploitable vulnerabilities.
The benefits of a secure by design approach are significant. First, it reduces the cost and effort associated with addressing security flaws later in the development lifecycle or after the product has been deployed. Early identification and mitigation of security issues prevent costly patches and reduce the risk of security breaches that could damage a company's reputation and lead to legal liabilities.
Zero Trust principles
Red Hat also designs its security architecture on ‘Zero Trust’ principles, which organizations should adopt to replace traditional perimeter-based security thinking. The Zero Trust Model holds that every interaction, internal and external, begins in an untrusted state. Traditional security architectures, on the other hand, determine trustworthiness based on whether communication starts inside a firewall, or rely on implicit trust models and one-time authentication, which is no longer appropriate in a hybrid cloud environment. Key Zero Trust principles include microsegmentation (limiting user permissions to specific applications and services, which prevents lateral movement across hybrid clouds) and continuous user validation.
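As an added illustration, not from the original article, the microsegmentation principle above expressed as Kubernetes NetworkPolicy objects, which OpenShift enforces: a default-deny policy puts every pod in the namespace into the untrusted starting state, and a second policy explicitly allows a single workload-to-service path. The namespace, labels and port are constructed placeholders.

```yaml
# Added example: Kubernetes NetworkPolicy objects implementing microsegmentation.
# Namespace, labels and port are constructed placeholders, not from the article.
---
# 1) Default deny: an empty podSelector selects every pod in "payments", and
#    listing both policyTypes with no rules blocks all ingress and egress.
#    This is the Zero Trust "untrusted by default" starting state.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2) Explicit allow: only pods labelled app=checkout may reach the ledger API
#    on TCP 8443. No other pod in this or any other namespace can, which
#    limits lateral movement if a single workload is compromised.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-checkout-to-ledger
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: ledger
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: checkout
      ports:
        - protocol: TCP
          port: 8443
```

The default-deny policy also blocks DNS egress, so a matching egress allow to the cluster DNS service is needed before workloads in the namespace can resolve names.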
DevSecOps: The future of secure development
Ultimately, humans are an organization’s last line of defense, so fostering a security-first mindset can help fortify technology and reduce breaches caused by human error. Building a culture that prioritizes both security and innovation must happen concurrently with setting the environment up on technology built for secure success. A key part of this is the facilitation of DevSecOps, an evolution of DevOps.
DevOps originally fused the disciplines of software development and IT operations into a new collaborative way of working. DevSecOps builds on this, highlighting security as a top concern and making the consideration and application of application and infrastructure security throughout the development process a best practice. This also includes automating security operations to keep productivity high in DevOps teams. This approach plays a critical role in building modern, secure applications that operate on safe and compliant platforms.
Given the evolved threat landscape affecting hybrid clouds and containers, developers have greater responsibility when it comes to managing workloads and ensuring security. Fostering a DevSecOps culture also pairs security teams with developers, so that security teams can provide developers with the right tools, feedback, and insights on known threats to code securely. When developers build on platforms that combine application lifecycle management with built-in security features and a trusted software supply chain, like Red Hat OpenShift, they can implement security at every step of the process.
Of course, it’s not practical to turn every developer into a security expert, and most developers don’t want to read through the details of a CVE report and exploitation process. This is where Red Hat Advanced Cluster Security for Kubernetes excels, because it shows developers how to remediate issues without them becoming security experts.
Real-world impacts and business benefits
Trustworthy, reliable business infrastructure that can facilitate growth and innovation relies on two fundamental factors: having a centralized single-pane view of the operating environment and strong security practices. Good security can only be beneficial to your business; it directly translates to reduced downtime, cost savings, and more efficient operations.
For example, when Red Hat customer VDAB decided to containerize 65% of its application landscape a year ago, the team combined Red Hat OpenShift and DevSecOps principles to enable them to go to market faster, and release more easily and continuously. The team estimates this process has led to a business efficiency uptick of 10%.
Another illustration is Red Hat customer Agile Defense, which helps the U.S. government prevent cybercriminals from accessing government systems. Many breaches are the result of configuration errors, so regular audits to identify these errors are crucial. However, the audit process is repetitive, resource-intensive and costly. As a result, Agile Defense has leveraged the Red Hat Ansible Automation platform to reduce company time spent on audits by 98%.
Leveraging secure, stable platforms can also foster innovation within DevSecOps teams. Fewer security incidents keep developers focused on impactful work rather than constant firefighting.
Red Hat and hybrid cloud security
Red Hat works with the open source community to build applications that support organizations to operate across the hybrid cloud environment more securely, including enabling them to centralize visibility over the business. Having a technology foundation that enables a layered, in-depth approach to security, alongside a security-first culture, helps ensure the entire infrastructure and application stack are fortified against the growing cyber threat.
All of Red Hat’s offerings, including Red Hat Enterprise Linux, Red Hat OpenShift, Red Hat Advanced Cluster Security for Kubernetes, and Red Hat Ansible Automation are secure, constantly tested, and enterprise-ready. If you’re keen to find out more about Red Hat’s solutions and engage with Red Hat thought leaders, customers, partners, and technologies, join us at the forthcoming Summit Connect event on Oct 9.
Red Hat also partners with leading cloud providers like AWS, Microsoft Azure, and Google Cloud to offer solutions for whichever platform the organization is using. Visit our blog to learn more about how we reduce risk in any environment and across the open source ecosystem.