Cloud-Native Security Best Practices

Cloud-native security should be a top consideration as organizations embrace DevOps

Enterprises have adopted DevOps practices and are looking to bake security into the code during the development process instead of retroactively addressing it during testing or when the code is already in production. In parallel, developers are increasingly taking more responsibility for the security of Kubernetes clusters as shift-left methodologies are being implemented across the application delivery model.

Step 1 of 7

14%

Which of the following best describes how you currently monitor and manage systems across your hybrid cloud environment?(Required)

Multiple separate tools for different environments

Multiple separate tools for different monitoring and management functions

Single consolidated dashboard

Custom built monitoring and management solution

No full monitoring and management solution

Don’t know

How valuable would it be for your monitoring and management solution to incorporate predictive analytics to help you identify and address system issues that are critical and not waste time or effort working through all the data and “noise” that is not critical?(Required)

Extremely valuable

Moderately valuable

Somewhat valuable

Slightly valuable

Not valuable

How do you most typically address potential system issues BEFORE they impact your operations?(Required)

Automated workflows and playbooks to remediate potential issues as soon as they are detected

An orchestrated response process that leverages automation, AI, and human expertise to rapidly respond to potential issues

Advanced monitoring tools such as predictive analytics and anomaly detection to proactively identify and address potential issues

Respond to issues as they arise, using manual processes and troubleshooting techniques

A combination of automated remediation, orchestrated response, and/or proactive monitoring to address potential system issues

Don’t know

Other

What methods does your organization use to control and monitor cloud/IT spending?(Required)

Centralized procurement processes

Pre-approved budget thresholds

Automated cost monitoring tools

Department-level spending controls

Regular cost audits and reviews

Cloud cost optimization platform

Approval workflows for resource provisioning

Native financial operations tools provided by the cloud provider

No formal controls in place

Don’t know

Other

Please specify:

Which methods do you rely on most to detect security vulnerabilities in your systems?(Required)

Automated scanning tools

Manual assessments

Vendor notifications

Threat modeling (for early detection)

None of these

Don’t know

Other

Please specify:

What are the TWO most common ways you prioritize vulnerabilities to address within your environment?(Required)

Based on potential impact

Based on exploitability

Regulatory compliance requirements

Based on CVSS scores

Risk-based analysis of multiple factors

First-in-first-out approach

No formal prioritization process

Don’t know

How do you typically handle system updates and security patches?(Required)

Automated updates and patches

Manually review and apply updates and patches on a regular schedule

A combination of automation and manual review

Apply updates and patches on an as-needed basis.

Outsourced update and patch management

No defined process

Don’t know

Other

Δ

While security must be a priority for any production system, a cluster of distributed environments requires even stricter security attention. Securing a workload that may be distributed across many machines, cloud providers and networks requires a different approach to securing the distributed services that make up workloads today.

These best practices will help your organization integrate security into your software engineering DNA to produce security-conscious code for your cloud-native applications.

Security Pitfalls Common to Cloud-Native Applications

Containers and microservices have delivered incredible speed and flexibility to DevOps, but the benefits come with associated security risks as traditional definitions evolve regarding where the software lives and how it communicates.

Some pitfalls of cloud-native software include:

• Elastic attack surface: Cloud-native applications have complicated relationships between a rapidly changing number of VMs, containers, functions and service-mesh and may span multiple cloud providers. While this allows them to scale from a few workloads to thousands in seconds, the unintended consequence is an elastic attack surface that grows and shrinks with the applications, making such environments really tricky to secure.
• Traditional security perimeters have dissolved: Software-defined scaling means cloud-native applications can extend beyond the expected territory that is in the control of dev, ops or even security teams, making it impossible to deploy traditional firewalls to build an effective perimeter around a cloud-native application, which is very porous by nature.
• Securing DevOps velocity: When the pipeline and release cycle is measured in minutes, manual provisioning and management of security policies is no longer feasible. Security cannot be the sole responsibility of the security team, so developers, DevOps engineers and security teams need to collaborate to implement better security measures.
• Challenges diagnosing security issues: The elastic nature and growing complexity of cloud-native software is making it increasingly difficult to find the origin of a security anomaly or incident and respond quickly.

Best Practices to Secure Cloud-Native Applications

As the complexity and security exposure of cloud-native workloads increase, some security configuration and tests must shift left and move into earlier steps in the development pipeline. Developers must take on responsibility for delivering secure code. Here are three best practices every cloud-native team needs to embrace:

Start Early

Start early in the development process by implementing security at the container and microservices level. If the application’s containers aren’t designed with security in mind, the entire cluster will be at risk. Containers are best secured during development, where security can be engineered into the code directly. For example, by allowing developers or DevOps to define network policies that will be used at build time, security can be implemented as part of the fundamental structure of the application.

Automate More

Automation is really about controlling assets to achieve your business goals. Immediate feedback on failed or successful automated tests speeds the automation process.

Look for more ways to automate security. If the development team is governed by security compliance, the higher the percentage of automation, the easier the security audit.

Repeat

Security is not a one-time event. As the developers iterate and the application evolves, security policies should be applied continuously to ensure that no vulnerabilities have been introduced along the way. Therefore, security should become a repeated required step in the ongoing development cycle of the application.

Starting Left and Small With Security Will Help You Go Big With Cloud-Native

Securing vulnerabilities against hackers to prevent attacks such as shellcode injection and elevation of privileges inside the application can be accomplished with solid security policies implemented at the container and microservices level. Begin at the smallest components to create secure containers, and their security benefits will extend into the cluster.

Begin with security on the small scale at the beginning of a project, securing containers and network controls, and automate as much as possible, and development teams will be rewarded with robust security that will scale fluidly with the cloud-native applications they protect.