Cloud-Native Security Best Practices

Cloud-native security should be a top consideration as organizations embrace DevOps

Enterprises have adopted DevOps practices and are looking to bake security into the code during the development process instead of retroactively addressing it during testing or when the code is already in production. In parallel, developers are increasingly taking more responsibility for the security of Kubernetes clusters as shift-left methodologies are being implemented across the application delivery model.

While security must be a priority for any production system, a cluster of distributed environments demands even stricter security attention. Securing a workload that may be spread across many machines, cloud providers and networks requires a different approach, one that secures the distributed services that make up today's workloads rather than the individual host.

These best practices will help your organization integrate security into your software engineering DNA to produce security-conscious code for your cloud-native applications.

Security Pitfalls Common to Cloud-Native Applications

Containers and microservices have delivered incredible speed and flexibility to DevOps, but the benefits come with associated security risks as traditional definitions evolve regarding where the software lives and how it communicates.

Some pitfalls of cloud-native software include:

  • Elastic attack surface: Cloud-native applications have complicated relationships between a rapidly changing number of VMs, containers, functions and service meshes, and may span multiple cloud providers. While this allows them to scale from a few workloads to thousands in seconds, the unintended consequence is an elastic attack surface that grows and shrinks with the applications, making such environments difficult to secure.
  • Traditional security perimeters have dissolved: Software-defined scaling means cloud-native applications can extend beyond the territory controlled by dev, ops or even security teams. Traditional firewalls cannot build an effective perimeter around a cloud-native application, which is porous by nature.
  • Securing DevOps velocity: When the pipeline and release cycle are measured in minutes, manual provisioning and management of security policies is no longer feasible. Security cannot be the sole responsibility of the security team; developers, DevOps engineers and security teams need to collaborate to implement better security measures.
  • Challenges diagnosing security issues: The elastic nature and growing complexity of cloud-native software is making it increasingly difficult to find the origin of a security anomaly or incident and respond quickly.

Best Practices to Secure Cloud-Native Applications

As the complexity and security exposure of cloud-native workloads increase, some security configuration and tests must shift left and move into earlier steps in the development pipeline. Developers must take on responsibility for delivering secure code. Here are three best practices every cloud-native team needs to embrace:

Start Early

Start early in the development process by implementing security at the container and microservices level. If the application’s containers aren’t designed with security in mind, the entire cluster will be at risk. Containers are best secured during development, where security can be engineered into the code directly. For example, by allowing developers or DevOps to define network policies that will be used at build time, security can be implemented as part of the fundamental structure of the application.

Automate More

Automation is really about controlling assets to achieve your business goals. Immediate feedback on failed or successful automated tests speeds the automation process.

Look for more ways to automate security. If the development team is governed by security compliance, the higher the percentage of automation, the easier the security audit.

Repeat

Security is not a one-time event. As the developers iterate and the application evolves, security policies should be applied continuously to ensure that no vulnerabilities have been introduced along the way. Therefore, security should become a repeated required step in the ongoing development cycle of the application.

Starting Left and Small With Security Will Help You Go Big With Cloud-Native

Protecting the application against attacks such as shellcode injection and elevation of privilege can be accomplished with solid security policies implemented at the container and microservices level. Begin at the smallest components to create secure containers, and their security benefits will extend into the cluster.
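Container-level policy against privilege escalation, as an added example that is not from the original article: a Pod manifest whose securityContext runs the process as a non-root user, forbids gaining privileges, drops all Linux capabilities and makes the root filesystem read-only. The image reference, user ID and resource limits are assumed values.

```yaml
# Added example, not part of the original article.
# Image name, UID/GID and resource limits are assumptions for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: shop
spec:
  securityContext:
    runAsNonRoot: true          # kubelet refuses to start the container as UID 0
    runAsUser: 10001            # assumed unprivileged UID baked into the image
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault      # runtime's default syscall filter
  containers:
    - name: api
      image: registry.example.com/shop/api:1.4.2   # assumed image reference
      securityContext:
        allowPrivilegeEscalation: false   # blocks setuid binaries from gaining privileges
        readOnlyRootFilesystem: true      # injected code cannot persist to the image layer
        capabilities:
          drop: ["ALL"]                   # no CAP_NET_RAW, CAP_SYS_ADMIN, etc.
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # writable scratch space, since / is read-only
      resources:
        limits:
          memory: "256Mi"
          cpu: "500m"
  volumes:
    - name: tmp
      emptyDir: {}
```

Verify the settings with `kubectl exec` into the running pod and confirm that `id` reports the non-root UID and that writing to a path outside `/tmp` fails; a policy that is declared but not enforced gives no protection.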

Begin with security on a small scale at the start of a project, securing containers and network controls, and automate as much as possible. Development teams will be rewarded with robust security that scales fluidly with the cloud-native applications it protects.

Ranny Nachmias

Ranny Nachmias has 15 years of experience in customer success, business operations and product sales. Ranny’s rich expertise includes the establishment of the global customer success operations at Dynamic Yield. Ranny has held leading roles such as VP Customer Experience and Service Operations at LivePerson, as well as leading global pre-sales teams and infrastructure support at Amdocs.