Cloud native technologies are powering critical aspects of business, enabling organizations to greatly speed software delivery. By building and deploying applications faster with containers and Kubernetes, modern enterprises are launching new digital initiatives, creating innovative business models and transforming their industries. While adoption is rising rapidly, security remains one of the main concerns when embarking on a cloud native journey.
Cloud native development brings tremendous benefits of speed and agility, but it’s exponentially more complex than traditional development. The fundamental shift in architecture has significantly changed the way enterprises secure their applications, and CISOs need to be aware of the challenges, benefits and underlying differences inherent to cloud native security. Cloud native application protection platforms (CNAPPs) enable CISOs to ensure that the pace of security matches the pace of development.
How the characteristics of cloud native impact security
In the cloud native environment, ephemeral workloads are dynamically managed by orchestrators and continually deployed across multiple diverse environments. These workloads are supposed to remain untouched and immutable in production, which shifts security left into the development process. Development itself is dynamic, with fast and regular code commits and continual integration and delivery through the CI/CD process. Protecting applications that are built using this method requires a purpose-built approach that spans the entire application lifecycle.
The scalability, speed and agility of cloud native development stems from fundamental differences between cloud native architecture and traditional development environments. Some of these differences, such as the immutability of containerized deployments, provide huge security benefits, while others, like microservice and serverless-based architectures, have a tremendous potential upside but increase complexity and significantly expand the attack surface when improperly configured.
One huge shift cloud native brings to how modern applications are built is the extensive use of open source components, often with only a small amount of custom code. Driven by the fast pace of DevOps and frequent release cycles, developers pull and use myriad ready-made components, packages and libraries as building blocks to assemble their applications without writing them from scratch.
Containers themselves are commonly built on top of base images taken from public registries, such as Docker Hub. A vulnerability in one of these components may impact all applications using the compromised image. The practice of relying on code an organization did not write themselves introduces tremendous risk, which must be properly addressed — or attackers may utilize known vulnerabilities to target deployments.
The CI/CD pipeline automates the cloud native development lifecycle by providing a consistent and automated way to build, package, test and deploy applications where code flows only in one direction, from build artifacts to workloads running in production. This is critical for accelerating the software development cycle, allowing organizations to add features quickly to address evolving customer needs.
With developers moving faster and continually releasing new code into production, each one of them can affect the security posture of the entire environment. Moreover, speed can sometimes take precedence over security and, not being security experts, developers can unknowingly put the applications at risk.
Microservices have emerged as the architecture of choice for cloud native applications. In contrast to monolithic architectures, where every piece of the application is intertwined, a microservices-based application is broken up into smaller pieces that can be developed and managed independently. Each microservice has well-defined boundaries of functionality, which makes them easier to understand and predict.
A benefit of microservices is their ability to be updated and reconfigured separately without interrupting the overall application, but their many APIs and ports present a dramatically expanded attack surface. With the right security tool, securing an application at the microservice level offers security advantages, preventing an attack from spreading sooner and restricting it to a tight radius.
One of the primary benefits of cloud native is the ability to scale at will, adapting resources to current demand. Cloud native apps that handle 100 customers can scale seamlessly to serve millions of customers. To accommodate this, orchestrators, such as Kubernetes, are utilized to automate the process of deploying and managing containers, each of which often contains a single microservice.
This dovetails with another cloud native advantage: the “run anywhere” stack. Containers can be deployed in diverse environments as they come equipped with everything they need to run, which allows for constructing multi-cloud strategies and different stacks. However, as the container’s workload is typically isolated from the underlying infrastructure, security leaders have to secure the workloads independently from the infrastructure while at the same time hardening the host, orchestrator and cloud platform.
When it comes to securing workloads, the immutability of containers provides tremendous benefits from a security standpoint. In a traditional environment, with a monolithic application running on a VM, developers usually make changes by remotely logging in to the machine or pushing code changes manually. By contrast, containers are designed to be immutable, meaning they don’t change once they’re deployed. Instead, images are patched upstream in the development stage and rolled out as part of a regular CI/CD pipeline. This aspect, unique to containers, means that security can be deterministic and drift prevention can be enabled at runtime and prohibit any unauthorized changes.
Why traditional approaches fail
Approaches that fail to account for the unique aspects of cloud native development may only partly secure the application lifecycle or fail to work at all. For instance, orchestrated container environments with dynamically provisioned IP addresses leave IP-based firewalls at a loss. Further, approaches that rely on host-level controls to secure the runtime environment aren’t sufficient because there’s no context for orchestrated workloads. Host-level controls also lack the appropriate control points for a cloud native stack.
Endpoint detection and response are also made difficult to perform by the ephemeral nature of workloads. Container logs and monitor records aren’t persistent, and the application instances themselves come and go.
Tools offered by cloud providers may seem like an obvious solution. However, they can be incompatible with multi-cloud strategies and fail to provide a single-pane-of-glass view across all environments. Utilizing each cloud provider’s tools can overcomplicate a stack and hinder security efforts more than helping.
The need for holistic cloud native security
By shifting left and addressing security earlier in the pipeline, security leaders raise the likelihood of catching issues before they cause problems and preventing vulnerable images from reaching production. Identifying and mitigating potential risks in the code and build phases dramatically reduces the attack surface before an application is even deployed. This is the combination of scanning and automated prevention across the code, build and deployment phases that reduces the largest attack surface before production.
As enterprises continue to rapidly adopt containers, microservices and orchestrators to improve the speed and agility of application delivery in their move to the cloud, there’s a need for an enterprise-grade cloud native security solution built for the purpose. As we’ve seen, the difference between a cloud native environment and a traditional environment requires unique security capabilities that stop cloud native attacks from development all the way to production.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.