Managing the Security of Cloud-Native Architectures

Container-based and serverless cloud-native architectures represent the most significant computing advancement for deploying enterprise applications since VMware introduced its first product, Workstation 1.0, in 1999. While these technologies offer many benefits in terms of flexibility, cost savings and scalability, they also introduce new security challenges that must be addressed as part of the migration of applications from the data center to the cloud. When done properly, container-based and serverless cloud-native development and deployment models can be secured to a level that has never been possible before. However, CISOs must be aware of how these modern technologies impact their organizations’ security and compliance postures as they roll them out in production and reset their expectations from their existing tools and methods.

In the past, security teams were able to provide late-stage reviews and guidance before applications moved from development into live systems running in production. Before release, required changes would be made, in many cases with significant delays, to meet operational, security and compliance goals. That’s no longer the case. The DevOps movement emphasizes speed and empowers developers to build and ship applications faster than ever, often through automated processes. Security cannot hinder these advances and will lose the war if it tries to slow them down. CISOs should prioritize developing and implementing a strategy to proactively address cloud-native security requirements.

Cloud-Native and Beyond: The Changing Landscape

One challenge comes up time and again while we’re talking to our customers: how fluid and dynamic the landscape has become. This introduces a new security paradigm: enterprises must gain the ability to secure their cloud-native applications from the early stages of development through deployment in production, across multi-cloud environments and on an ever-changing technology stack.

Container storage and data management company Portworx has conducted its annual Container Adoption Survey every year since 2016. 2019’s report, which was jointly conducted with Aqua, “… tells a story of unabated growth in containerization with over 87% of respondents stating that they are running container technologies up from only 55% in 2017. Of those running applications in containers, nearly 90% are running them in production, up from 84% in 2018 and 67% in 2017.”

While the Portworx survey found that persistent storage was the top data challenge to container adoption in 2017, that doesn’t appear in last year’s top three. In 2019, the three most common challenges noted were data security, vulnerability management and runtime protection.

Security in a DevOps World

Yet, even in this rapidly changing security landscape, many enterprises still rely on traditional security tools that often cannot handle the velocity, scale and dynamic networking environment of containers. The addition of newer serverless functions exacerbates the problem by abstracting infrastructure further to provide a simple execution environment for applications and microservices  Cyberattackers look to leverage a weakness or a vulnerability in the serverless function code, or they’ll try to take advantage of misconfigured cloud infrastructure permissions settings to reach services or networks containing sensitive information.

The increasing reliance on open source is another potential source of security vulnerabilities. No one’s writing new code from scratch; they’re grabbing components from GitHub and other open source projects or reusing code from repositories inside or outside their company, and may not be aware of existing vulnerabilities in the codebase.

It’s a DevOps world—everyone’s trying to move faster. Productivity increases, but so does the security risk. Yesterday, the best practice was to re-architect the code before it went into production on the standard operations platform chosen by IT. Today in the interest of speed, organizations are deploying applications developed on containers straight into production, managing them with Kubernetes and running them somewhere in the cloud (potentially still on-premises, but frequently on a public cloud service). In this model, both the developers and the operations team need to become more security-aware, and security must be fully integrated into the software life cycle.

Living With Multi-Cloud, Multi-Stack

Many of our customers are experimenting with technologies from different vendors, running on multiple cloud providers, and even deploying applications across multiple platforms at once. This keeps your options open for either cost optimization or to utilize the stack that best fits a given need, and avoids vendor lock-in, but can be difficult on developers, particularly at the serverless level where standards are still emerging. Experimenting is fine, but in production, you need to set a strategy that specifies which platforms you will use and how you will implement security policies across all deployed applications, regardless of the underlying platform or provider. A single security solution that supports all your operational environments with a consistent set of policies, management tools and reporting can make this possible.

Cloud-native environments offer several traits that make them easier to secure if managed correctly. This requires organizations to adopt a new type of security model—one that examines container images as they’re created, vets their contents, and then enforces workload immutability during runtime, not allowing any changes to running workloads against their originating images. The result: a highly controlled environment where the attack surface is greatly reduced before the application is deployed, and then monitored during runtime where it’s easy to deterministically detect and automatically respond to anomalies.

Dror Davidoff

Dror Davidoff is co-founder and CEO of Aqua Security. Dror has more than 20 years of experience in sales management, marketing, and business development in the enterprise software space. He has held executive positions at several emerging IT security and analytics companies. Before co-founding Aqua in 2015, he headed up global sales of Database Security Products at McAfee (Intel Security), and prior to that was EVP of Sales and Business Development at Sentrigo where he led its fast market share increase. Dror holds an MBA in Finance from City University of New York and a BA in Economics. He likes to start his day with an early morning swim in the Mediterranean.

Dror Davidoff has 1 posts and counting. See all posts by Dror Davidoff