Container-based and serverless cloud-native architectures represent the most significant computing advancement for deploying enterprise applications since VMware introduced its first product, Workstation 1.0, in 1999. While these technologies offer many benefits in terms of flexibility, cost savings and scalability, they also introduce new security challenges that must be addressed as part of the migration of applications from the data center to the cloud. When done properly, container-based and serverless cloud-native development and deployment models can be secured to a level that has never been possible before. However, CISOs must be aware of how these modern technologies impact their organizations’ security and compliance postures as they roll them out in production, and they must reset their expectations of their existing tools and methods.
In the past, security teams were able to provide late-stage reviews and guidance before applications moved from development into live systems running in production. Before release, required changes would be made, in many cases with significant delays, to meet operational, security and compliance goals. That’s no longer the case. The DevOps movement emphasizes speed and empowers developers to build and ship applications faster than ever, often through automated processes. Security cannot hinder these advances and will lose the war if it tries to slow them down. CISOs should prioritize developing and implementing a strategy to proactively address cloud-native security requirements.
Cloud-Native and Beyond: The Changing Landscape
One challenge comes up time and again while we’re talking to our customers: how fluid and dynamic the landscape has become. This introduces a new security paradigm: enterprises must gain the ability to secure their cloud-native applications from the early stages of development through deployment in production, across multi-cloud environments and on an ever-changing technology stack.
Container storage and data management company Portworx has conducted its annual Container Adoption Survey every year since 2016. 2019’s report, which was jointly conducted with Aqua, “… tells a story of unabated growth in containerization with over 87% of respondents stating that they are running container technologies up from only 55% in 2017. Of those running applications in containers, nearly 90% are running them in production, up from 84% in 2018 and 67% in 2017.”
While the Portworx survey found that persistent storage was the top data challenge to container adoption in 2017, that doesn’t appear in last year’s top three. In 2019, the three most common challenges noted were data security, vulnerability management and runtime protection.
Security in a DevOps World
Yet, even in this rapidly changing security landscape, many enterprises still rely on traditional security tools that often cannot handle the velocity, scale and dynamic networking environment of containers. The addition of newer serverless functions exacerbates the problem by abstracting infrastructure further to provide a simple execution environment for applications and microservices. Cyberattackers look to leverage a weakness or a vulnerability in the serverless function code, or they’ll try to take advantage of misconfigured cloud infrastructure permission settings to reach services or networks containing sensitive information.
The increasing reliance on open source is another potential source of security vulnerabilities. No one’s writing new code from scratch; they’re grabbing components from GitHub and other open source projects or reusing code from repositories inside or outside their company, and may not be aware of existing vulnerabilities in the codebase.
It’s a DevOps world—everyone’s trying to move faster. Productivity increases, but so does the security risk. Yesterday, the best practice was to re-architect the code before it went into production on the standard operations platform chosen by IT. Today, in the interest of speed, organizations are deploying applications developed on containers straight into production, managing them with Kubernetes and running them somewhere in the cloud (potentially still on-premises, but frequently on a public cloud service). In this model, both the developers and the operations team need to become more security-aware, and security must be fully integrated into the software life cycle.
Living With Multi-Cloud, Multi-Stack
Many of our customers are experimenting with technologies from different vendors, running on multiple cloud providers, and even deploying applications across multiple platforms at once. This keeps your options open, whether for cost optimization or to use the stack that best fits a given need, and avoids vendor lock-in, but it can be hard on developers, particularly at the serverless level where standards are still emerging. Experimenting is fine, but in production, you need to set a strategy that specifies which platforms you will use and how you will implement security policies across all deployed applications, regardless of the underlying platform or provider. A single security solution that supports all your operational environments with a consistent set of policies, management tools and reporting can make this possible.
Cloud-native environments offer several traits that make them easier to secure if managed correctly. This requires organizations to adopt a new type of security model—one that examines container images as they’re created, vets their contents, and then enforces workload immutability during runtime, not allowing any changes to running workloads against their originating images. The result: a highly controlled environment where the attack surface is greatly reduced before the application is deployed, and then monitored during runtime where it’s easy to deterministically detect and automatically respond to anomalies.
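The immutability check described above, as an added example that is not from the original article or any vendor's product: a digest manifest recorded when the image is built and vetted is compared against a runtime filesystem snapshot, and any file that was added, changed or removed is treated as drift with a deterministic response. All file paths and contents below are constructed sample data.

```python
# Added example: enforce workload immutability by diffing a runtime snapshot
# against the digest manifest captured at image build time (constructed data).
import hashlib
from dataclasses import dataclass, field


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed baseline: path -> sha256 of each file as vetted at image build.
IMAGE_MANIFEST = {
    "/app/server.py": digest(b"def handler(event): return 'ok'\n"),
    "/app/requirements.txt": digest(b"flask==2.3.3\n"),
    "/etc/passwd": digest(b"root:x:0:0:root:/root:/bin/sh\n"),
}


@dataclass
class DriftReport:
    added: list = field(default_factory=list)     # files not in the image
    modified: list = field(default_factory=list)  # files whose digest changed
    removed: list = field(default_factory=list)   # image files now missing

    @property
    def drifted(self) -> bool:
        return bool(self.added or self.modified or self.removed)


def detect_drift(baseline: dict, runtime: dict) -> DriftReport:
    """Compare runtime file digests with the image manifest. Any deviation
    means the workload no longer matches its originating image."""
    report = DriftReport()
    for path, sha in runtime.items():
        if path not in baseline:
            report.added.append(path)
        elif baseline[path] != sha:
            report.modified.append(path)
    report.removed = [p for p in baseline if p not in runtime]
    return report


def enforce(report: DriftReport, policy: str = "block") -> str:
    """Deterministic response to drift: 'allow', 'alert' or 'block'."""
    if not report.drifted:
        return "allow"
    return "block" if policy == "block" else "alert"


# Constructed runtime snapshot: server.py edited in place and an unexpected
# binary dropped into /tmp, both forbidden under the immutability policy.
RUNTIME_SNAPSHOT = dict(IMAGE_MANIFEST)
RUNTIME_SNAPSHOT["/app/server.py"] = digest(b"def handler(event): return 'x'\n")
RUNTIME_SNAPSHOT["/tmp/unexpected-binary"] = digest(b"\x7fELF\x02\x01\x01")

if __name__ == "__main__":
    report = detect_drift(IMAGE_MANIFEST, RUNTIME_SNAPSHOT)
    print(report, "->", enforce(report))
```

In a real deployment the manifest would be produced by the image scanner at build time and the snapshot by a runtime agent; the comparison and response logic stay the same.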