By 2022, 90% of new enterprise applications will be cloud-native. Yet, 50% of organizations find that native security controls are inadequate and have added third-party solutions to fully meet their needs. While cloud-native security is on the rise, does it do enough to cover enterprises that are leveraging complex, hybrid and multi-cloud environments? With 81% of organizations currently working with two or more cloud providers already, that answer is now more important than ever.
By Keith Neilson, Technical Evangelist, CloudSphere
While cloud-native services present some customer-friendly benefits, organizations must recognize that the built-in measures typically lead to more security misconfigurations, less network visibility, and overprovision access.
What is Cloud-Native Security?
To fully understand cloud-native security strategies, we have to first understand what it means and how configurations are established.
Cloud-native defense structures are specifically designed for the cloud for enterprises to leverage built-in capabilities as part of the overall architecture. Applications are commonly influenced by microservices and a container-based approach. This means that they’re built to be lightweight and flexible with portability at top of mind. To accomplish this, a cloud-native approach relies heavily on automation processes that are designed by vendors for end IT users to manage into adapting and scaling environments. As a result, this enables cloud services to be managed and operated with containers, microservices, immutable infrastructure, and APIs, without any server involved whatsoever.
Traditionally, organizations’ digital applications would be monitored via on-premises security systems that were largely deployed and monitored. Now, networks are configured on externalized data centers like public clouds that tap into open data centers that are using third-party source code. The result is a vastly more complex infrastructure that has dramatically expanded enterprises’ attack surfaces. To handle rapidly growing digitization and expanding operations, companies are looking to cloud-native applications as a way to integrate workloads on AWS, Microsoft Azure, and Google Cloud platforms.
Organizations that utilize a cloud-native architecture often reap the rewards of improved network elasticity in continuous deployment. Ultimately, this is able to vastly expand the horizon of system scalability and business agility. But, it leaves one glaring hole in the security framework that cannot be overlooked by companies leaning on the posture.
Enter the Security Dilemma
To properly defend cloud environments, vendors and end-user companies must navigate a shared responsibility model where the provider and customer are each responsible for specific security measures.
Most often, the provider is responsible for the security of the cloud from physical access through to the infrastructure, while the end-users secure the interior applications and data. With the vendor drafting code and building the infrastructure, IT managers and CIOs are left in the dark on how to properly fit existing, evolving, and new applications into a foreign environment with a more expansive attack surface. As 99% of security failures typically fall squarely on the customer’s shoulders, this doesn’t position the two groups to work cohesively.
According to a 2020 IDC survey, over two-thirds of CISOs are concerned with security misconfigurations. While architecture for cloud-native applications requires heavy input from the customer’s end, the incredible pace to shift to the cloud has led many organizations to prioritize speed of the transition over associated processes, sweeping security issues under the rug in the process.
Recent research also indicates that 56% of companies have some roles and access rights that are improperly entered in cloud environments. With cloud-native security, customers are often charged with running containers, which can lead to an array of access issues and over privilege. While this can be restricted, additional measures must be implemented to avoid common pitfalls that typically occur to companies who adopt an out-of-date or generic security implementation.
Additionally, cloud-native configurations tend to lean on identity and access management policies (IAM) to further define roles, permissions, and access. While IAM is necessary to hash out responsibilities, it isn’t without flaws as 69% of enterprises have reported that IAM policy enforcement issues have led to unauthorized network access.
Security misconfigurations are the Achilles heel for cloud infrastructure, but this is typically magnified in a native security setup. Public and open cloud storage buckets are irregularly monitored as information and storage expands. Further, weaving in encryption, authentication and secure access credentials are increasingly difficult to cover with automation and don’t provide the unique protocols that each application fundamentally requires.
Lastly, visibility is crucial to properly oversee a secure network. This is very difficult to establish in hybrid or multi-cloud environments with expansive data and information, but the issue can be further magnified in a cloud-native security approach. Oversaturated access, poorly established IAM policies, and inconsistently monitored platforms are all factors that make it difficult to outline a holistic system view.
While there are several challenges associated with cloud-native security controls, there are ways to build in additional strategies to make it a more effective solution.
Making Cloud-Native More Secure
When addressing cloud-native security, it’s important to take a centralized approach that leverages automation wherever possible to control, enforce, monitor, and manage identities consistently across your cloud environment. This will limit crossover between vendor and customer teams, inherently minimize credentialed access and provide a rigorous, consistent method of monitoring potential security vulnerabilities. This reduces issues with IAM automation and enables the client to move from a reactive manual state to a proactive approach.
Prioritizing security teams to focus on the container and microservices level will also shore up defenses. From the start, containers must be designed with security in mind otherwise the entire bucket is vulnerable. This is best established right at cloud development, where the corresponding code can be uniquely created.
Threats don’t sleep and neither should security. As developers expand and build out the cloud environment, security policies must be continuously programmed, monitored, and regulated to identify potential gaps and mitigate unauthorized access. Customers, therefore, need to make this a habitual action as information, storage and applications expand.
A shared responsibility model is also essential for cloud-native organizations, and by taking a DevSecOps approach, organizations can better monitor and construct containers, ensure data and applications are safeguarded, and better oversee their sensitive data. When security is the core of the container life cycle, it yields fewer vulnerabilities for threat actors to take advantage of.
Without proper awareness in the cloud environment, any unnoticed change or update in policy puts customer data at risk. To minimize the attack surface and prevent hackers from accessing private data, businesses should focus on creating a platform with complete visibility into the cloud environment and real-time security monitoring.
Cloud-native security services possess some distinct advantages in terms of flexibility, portability, and speed to scale cloud infrastructure. Yet, there are some glaring issues that are prevalent if cloud-native security measures are not properly addressed. This in turn can lead to issues in visibility, misconfiguration, and access that can magnify security vulnerabilities for threat actors to maliciously exploit.
To bolster cloud-native security, organizations need to create a centralized approach that enhances control, visibility and also lean on automation to better distribute and actively monitor attack surfaces. Ultimately, organizations that take a cloud-native approach need to prioritize security ahead of speed and growth to build a properly configured IT environment.
About the Author
As CloudSphere’s Technical Evangelist, Keith is responsible for the company’s analyst and cloud provider relationships and strategy with a focus on ensuring the wider market understands the business and technical value proposition of the CloudSphere platform. In addition to helping create collateral and messaging that supports the company’s go-to-market, Keith ensures that customer use cases are documented back into the various internal teams to ensure product advancements are geared towards real-world scenarios and contribute to the company’s vision. Prior to CloudSphere, Keith held senior lead pre-sales engineering and management roles at Optibus, Cloudhouse, and Sourcebits with a successful reputation for creating and defining compelling product positioning, advocating product advancements internally, leading strategic partner & customer engagements, and creating and executing GTM strategies that attributed to significant growth. He has a broad and strong multi-discipline skillset with a focus on cloud migration, modernization, and management.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.