IT divisions working within highly-regulated industries are under intense scrutiny. These environments must handle sensitive data carefully to meet compliance requirements and corporate standards. This pressure often results in vigorous tooling assessments and heightened due diligence around third-party software vendors. As a result, cloud-native technology is often viewed as too precarious for these walled-off environments.
With all the precautions, it may seem that highly-regulated industries have no hopes of really accelerating their growth using new cloud-native tools. Unfortunately, this could limit rapid deployment and stunt standardization across the tech stack. However, it doesn’t necessarily have to be this way. The myth of on-premises = high security is being challenged by new approaches like zero-trust, which aim to treat all actors with the same level of vigilance.
I recently met with Matt Young, previously principal architect at EverQuote and now TAG Observability co-chair at CNCF. He admits that highly-regulated spaces, like healthcare and financial services, are usually too hesitant to adopt cloud-native. Yet, such intransigence is becoming a hindrance to progress. Below, we’ll cover many valuable points that Young believes could be used to securely adopt cloud-native technologies at scale within the most stringent of use cases.
Pressures of Regulation on Cloud-Native
All companies working with customer data must meet privacy regulations such as GDPR and CCPA. But heavily regulated sectors demand an even greater focus on privacy. For example, financial institutions working in the U.S. must meet SOC compliance requirements, which dictate the need for high availability, integrity, confidentiality and privacy of sensitive data. Similarly, healthcare providers must meet HIPAA standards to protect patient information. Ignoring these regulations could result in hefty fines.
“We’re custodians of the data,” says Young. “It’s on us to not have exfiltration, leaks or unsecured S3 buckets.” Naturally, the heightened implications of data leakage affect decision-making concerning cloud technologies. Large organizations have strict mandates and vetting processes can significantly slow down tooling adoption. “Some very direct conversations need to happen,” Young says.
Vendor management and due diligence may often even require a third party to perform an audit. Questions must be answered: Do they have a BAA in place? What is their SOC type, 1 or 2? What do the SLAs guarantee? Going cloud-native can force a vast review process. Cloud-native promises to efficiently deliver rich data-driven experiences to the end customer, but getting there is sluggish.
Ways to Secure Highly-Regulated Cloud-Native Applications
There are ways large organizations can ensure their cloud-native stack is up to snuff. EverQuote is proof, says Young—most new apps there are cloud-native and many are wholly cloud-hosted and use modern event-based architectures. Doing so has required a holistic approach—“security in depth must be practiced,” says Young. He also shared the following tips.
Always start from zero-trust. Zero-trust is often conflated with on-premises and cloud, says Young. Yet cloud-hosted environments “can always start from zero-trust,” he said. Using an OAuth2 proxy with a secure framework like SPIFFE could help establish authorization control to run, say, EKS, specifically for certain roles.
Put in place processes guided by NIST. On that note, Young recommends highly regulated environments follow National Institute of Standards and Technology (NIST) guidelines. Since large regulated enterprises share many similarities with government digital requirements, it makes sense to follow these recommendations.
Default the platform to secure. Insecure defaults remain a threat for standard cloud-native tools like Kubernetes. “Kubernetes clusters are intrinsically insecure,” writes Robert Brennan. Thus, companies must design with a defense-in-depth posture from the get-go, Young adds. This means considering threat models early on in the design phase and coding policies. This is an area where Open Policy Agent (OPA) could reduce hassle with a GitOps approach to applying universal cloud-native policies.
Place as much as possible within the cluster itself. Cloud-native doesn’t necessarily mean cloud-dependent. Another way to enforce permission boundaries is to have as little as possible leave the cluster, Young says. This means placing more dependencies and services closer to workloads with fewer links from the cluster to external tools.
Create more walled-off clusters. Young notices a general trend of companies starting to have more single-purpose, single-tenant Kubernetes clusters. Of course, managing multiple clusters at scale introduces a new pain point. “For anything with more than 12 clusters, you need more life cycle management,” Young says. This could be mitigated, in part, by multi-cluster mesh mechanisms like Cluster API.
Apply mTLS consistently across all environments. High-regulation environments require deep analysis and vetting of internal services to ensure they are usable and secure. According to Young, Linkerd is one way to do this. “Linkerd has been hugely impactful” as a way to quickly apply mTLS consistently across the stack, he says. The lightweight open source Linkerd service mesh can apply nonfunctional requirements and encrypt everything from the beginning, reducing the total effort required to do things securely, explains Young.
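As an added example (not code from the article, from Young or from EverQuote), the policy below shows what “default the platform to secure” and “apply mTLS consistently” look like when expressed as an Open Policy Agent rule set: it denies pods that keep Kubernetes’ insecure defaults (privileged containers, root users, host namespaces) and rejects any pod that is not annotated for Linkerd proxy injection. It assumes OPA is deployed as a validating admission webhook that receives the AdmissionReview as `input`, and the `system_namespaces` allowlist is constructed for illustration.

```rego
package kubernetes.admission

import future.keywords.in

# Constructed allowlist: infrastructure namespaces that legitimately need host access
# and are not subject to the Linkerd injection requirement.
system_namespaces := {"kube-system", "linkerd"}

pod := input.request.object

is_pod { input.request.kind.kind == "Pod" }

exempt { pod.metadata.namespace in system_namespaces }

# Regular and init containers are checked alike; initContainers may be absent.
all_containers := array.concat(
	object.get(pod.spec, "containers", []),
	object.get(pod.spec, "initContainers", []),
)

# runAsNonRoot may be set on the container or inherited from the pod spec.
runs_as_non_root(c) { c.securityContext.runAsNonRoot == true }
runs_as_non_root(_) { pod.spec.securityContext.runAsNonRoot == true }

# Insecure default: a privileged container has full access to the node.
deny[msg] {
	is_pod
	not exempt
	some c in all_containers
	c.securityContext.privileged == true
	msg := sprintf("container %q must not run privileged", [c.name])
}

# Insecure default: containers run as root unless explicitly told not to.
deny[msg] {
	is_pod
	not exempt
	some c in all_containers
	not runs_as_non_root(c)
	msg := sprintf("container %q must set runAsNonRoot: true", [c.name])
}

# Insecure default: sharing the node's network, PID or IPC namespace.
deny[msg] {
	is_pod
	not exempt
	some field in ["hostNetwork", "hostPID", "hostIPC"]
	pod.spec[field] == true
	msg := sprintf("pod %q must not set %s: true", [pod.metadata.name, field])
}

# mTLS by default: every workload pod must opt in to the Linkerd proxy.
# (Namespace-level injection is not checked here; this assumes per-pod annotation.)
deny[msg] {
	is_pod
	not exempt
	not pod.metadata.annotations["linkerd.io/inject"] == "enabled"
	msg := sprintf("pod %q must carry linkerd.io/inject=enabled for mTLS", [pod.metadata.name])
}
```

Kept in a Git repository and loaded into OPA through a bundle, this is the GitOps-applied “universal policy” the article refers to: a change to the rule set is a reviewed commit, not a hand edit on a cluster.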
Maintaining Rapid Deployment
Maintaining rapid deployment is now critical; even in highly-regulated industries, releasing new features can help organizations stay ahead of the competitive curve. Whereas other companies in other industries find this easier, iterating quickly is difficult when dealing with compliance. But, according to Young, these small architectural techniques can, over time, relieve the strain on what would otherwise be an arduous process.
In the modern development stack, you’re not only dealing with your own rapid change but the rapid evolution of dependencies. A single project could be maintaining a Helm chart with 40 projects, all issuing upgrades on a weekly basis. Managing updates in heavily-regulated environments presents an inevitable challenge, says Young. He again points to Linkerd as an example solution organizations can use to reach target versions, easing the update process.
In addition to the tips mentioned above, highly regulated companies will likely require active monitoring to spot threats early on. This can inform your posture and mitigations, says Young. Companies should also complement architectural decisions with the proper security training to instill a DevSecOps culture company-wide.
The cloud is omnipresent. And to stay relevant, teams of all types are beginning to embrace cloud-native technologies. This paradigm is absolutely possible to implement in companies that operate under heavy compliance mandates—but it requires a reliable system that customers can trust. To reach that ideal, default end-to-end encryption via mTLS and platform-level observability is a must, stresses Young.
“We assume everything needs to be at that level of scrutiny. If you haven’t indexed for security and integrity from the beginning, it’s really hard to add that later.”
Perhaps the most significant point here is the culture around security. Because if engineers do not feel empowered to speak up and accept faults, the business is less likely to find and respond to issues.
“You have to have an open culture of blameless retrospectives and post mortems,” says Young. “Check your ego at the door.”