Overcoming the challenges of cloud-native security

BY Alex Jones, Director of Kubernetes Engineering at Canonical.


Cloud-native applications are driving digital transformation strategies around the world. By taking a cloud-native approach, businesses can boost innovation, accelerate speed to market and bring about cost savings to drive new growth. It can also enable organisations to tap into the agility required to keep up in a competitive landscape and create new business models, and with an estimated 75% of companies focusing development on cloud-native applications, these benefits are already being widely recognised.

However, despite all of the advantages, security remains a foremost challenge. As companies transition to a cloud, hybrid cloud, or multi-cloud environment, security teams face an increased number of hurdles, from corporate policies to budget constraints, but most importantly, new threats of attack. In fact, many businesses transitioning to the cloud feel they have also significantly expanded their organisation’s attack surface, and 59% believe the transition to the cloud made their organisation less secure.

To bolster security and address these challenges, businesses need to ensure that defences are built into every layer of their infrastructure, a model often referred to as the four Cs of cloud-native security. Once the four layers have been addressed and correctly configured, companies can turn their attention to the common problems that arise when trying to mitigate security risks, ensuring they continue to thrive while cloud-native.

The four Cs of cloud-native security

Cloud, Clusters, Containers, and Code. Together, they create a security strategy that protects cloud resources with a layered, defence-in-depth approach. Each layer builds on the one outside it: a carefully hardened container gains little in a cluster whose API server is exposed, so the layers are addressed from the outside in.

When it comes to the cloud layer, responsibility is shared: the cloud service provider secures the infrastructure that supports the cloud environment, while it is down to the company to configure the cloud services it uses, including identity and access management, credentials and automation settings, so that the service remains secure. Typical security issues affecting the cloud layer include misconfigurations and automated attacks. Attackers exploit misconfigurations resulting from error or neglect, such as unchanged default settings, publicly reachable storage or management endpoints, and weak access protection.

The cluster layer consists of the Kubernetes components, which also need to be protected. By default, every pod in a cluster can communicate freely with every other pod, so an attacker who gains access to one pod can move laterally to the pods it can reach. Strong cluster network policies, which restrict ingress and egress to the traffic each workload actually needs, limit that lateral movement; note that Kubernetes NetworkPolicy objects are only enforced if the cluster's network plugin (CNI) implements them.

The next layer is the container layer, consisting of container images, which may carry vulnerabilities that can be scanned for. Organisations commonly overlook issues such as image security, the use of external libraries or registries - which can themselves be insecure - and weak privacy configurations. It is important to rebuild images regularly against patched base images, pin them by digest rather than by mutable tag, and redeploy, so that exposure to known vulnerabilities is kept to a minimum.

The last layer of the four Cs is code. Securing this layer provides the highest level of security control. Typical security issues here involve insufficient risk assessments and vulnerabilities in third-party software dependencies. Businesses can use static application security testing (SAST) tools to identify insecure code and software composition analysis (SCA) tools to find vulnerable third-party dependencies, ensuring safe coding practices are quickly implemented.

Traditional IT security relies on seeing and monitoring the entire attack surface to detect vulnerabilities and address security risks. However, since a cloud-native infrastructure is always evolving, it’s difficult to have complete visibility and maintain secure environments. IT teams must introduce security into the development lifecycle from the beginning - this is the strongest tactic a company can adopt to prevent attacks across each layer of the four Cs.

Overcoming common challenges

When it comes to implementing cloud-native security measures, organisations can face difficulties. This can be for a number of reasons, but an inability to enforce consistent policies - often due to not having the correct infrastructure in place - is one of the most common. Cloud-native environments consist of a variety of tools from numerous vendors, making it difficult to centralise security policies and apply them consistently. IT teams need to look for tools that consolidate the entire cloud infrastructure into one easy-to-manage platform, rather than trying to harness disparate tools to gain the visibility needed to ensure effective cloud security management.

A diverse landscape requires a diverse approach to defence, and data is central to enabling businesses to advance how they protect themselves. Organisations migrating to the cloud must understand the importance of data analysis, intrusion detection and threat intelligence to protect sensitive data - especially when there is so much data to analyse. Cloud intelligence tools can analyse events within the cloud environment and provide account activity insights through machine learning and threat research. The accumulation and interpretation of data collected during daily cloud operations prior to an incident play a critical role in proactively securing a cloud-native infrastructure.

Dealing with misconfiguration is incredibly important in cloud-native environments. Mistakes by users are the 'open door' which can allow cybercriminals in. For security practitioners, this means opting for security tools that scan for misconfigurations automatically; otherwise they risk data loss, system subversion and other threats. Hardening systems with automated tooling is essential, particularly where Kubernetes meets the host operating system, because that leaves two different levels at which a misconfiguration can create problems: a pod that runs privileged, shares the host PID namespace or mounts host paths turns a container compromise into a node compromise. Automated security tools such as Kubescape cover everything from scanning for misconfigurations to finding software vulnerabilities. For organisations that must comply with strict security standards such as ISO 27001, such tools can also help security practitioners identify potential compliance issues.
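The kind of automated manifest check described above, covering the cluster layer (a default-deny NetworkPolicy per namespace), the container layer (digest-pinned images from a trusted registry, no privileged containers or host namespaces, non-root execution) and the misconfiguration scanning this section calls for, as an added example. It is not part of the original article and is not Canonical's or Kubescape's code. It works on manifests already parsed into Python dictionaries, the shape yaml.safe_load returns; the trusted-registry allowlist and the three sample manifests are constructed for the example.

```python
"""Added example: a small Kubernetes manifest policy checker (not the article's,
Canonical's or Kubescape's code). Input is a list of manifests parsed into dicts.
TRUSTED_REGISTRIES and SAMPLE_MANIFESTS are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the organisation only pulls images from its own registry.
TRUSTED_REGISTRIES = ("registry.example.internal/",)
WORKLOAD_KINDS = ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet")


@dataclass(frozen=True)
class Finding:
    layer: str      # "cluster" or "container"
    resource: str   # "<namespace>/<name>" for workloads, "<namespace>" for cluster findings
    message: str


def is_default_deny(policy: dict) -> bool:
    """A NetworkPolicy with an empty podSelector selects every pod in its namespace;
    with both policyTypes listed and no allow rules it denies all traffic.
    policyTypes must be explicit: if omitted, Kubernetes assumes Ingress only."""
    spec = policy.get("spec", {})
    if spec.get("podSelector") != {}:
        return False
    types = set(spec.get("policyTypes", ["Ingress"]))
    return {"Ingress", "Egress"} <= types and not spec.get("ingress") and not spec.get("egress")


def check_image(ref: str) -> List[str]:
    """Tags are mutable; only a digest pins exactly the image that was scanned.
    A reference with no registry host resolves to Docker Hub and fails the allowlist."""
    problems = []
    if "@sha256:" not in ref:
        problems.append(f"image {ref!r} is not pinned by digest")
    if not ref.startswith(TRUSTED_REGISTRIES):
        problems.append(f"image {ref!r} is not from a trusted registry")
    return problems


def pod_spec(obj: dict) -> Optional[dict]:
    """Pods carry their spec directly; workload controllers wrap it in spec.template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    if obj.get("kind") in WORKLOAD_KINDS:
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    return None


def check_workload(obj: dict, spec: dict) -> List[Finding]:
    ns = obj.get("metadata", {}).get("namespace", "default")
    name = f"{ns}/{obj['metadata']['name']}"
    out = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):  # host namespaces bridge pod and node
        if spec.get(flag):
            out.append(Finding("container", name, f"{flag} is enabled"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, cname = c.get("securityContext", {}), c.get("name", "?")
        if sc.get("privileged"):
            out.append(Finding("container", name, f"container {cname} runs privileged"))
        # container-level setting overrides pod-level; the Kubernetes default is unset (root allowed)
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            out.append(Finding("container", name, f"container {cname} does not require runAsNonRoot"))
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            out.append(Finding("container", name, f"container {cname} allows privilege escalation"))
        for problem in check_image(c.get("image", "")):
            out.append(Finding("container", name, problem))
    return out


def check_manifests(manifests: List[dict]) -> List[Finding]:
    """Container-layer checks per workload, then a cluster-layer check that every
    namespace containing workloads also carries a default-deny NetworkPolicy."""
    findings: List[Finding] = []
    with_workloads, with_default_deny = set(), set()
    for obj in manifests:
        ns = obj.get("metadata", {}).get("namespace", "default")
        if obj.get("kind") == "NetworkPolicy":
            if is_default_deny(obj):
                with_default_deny.add(ns)
            continue
        spec = pod_spec(obj)
        if spec is None:
            continue
        with_workloads.add(ns)
        findings.extend(check_workload(obj, spec))
    for ns in sorted(with_workloads - with_default_deny):
        findings.append(Finding("cluster", ns, "no default-deny NetworkPolicy; every pod can reach every other pod"))
    return findings


# Constructed sample input: a hardened "payments" namespace and a weak pod in "default".
SAMPLE_MANIFESTS = [
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "default-deny-all", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "api", "namespace": "payments"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsNonRoot": True},
         "containers": [{"name": "api",
                         "image": "registry.example.internal/payments/api@sha256:" + "0" * 64,
                         "securityContext": {"allowPrivilegeEscalation": False}}]}}}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "debug", "namespace": "default"},
     "spec": {"hostPID": True,
              "containers": [{"name": "shell", "image": "busybox:latest",
                              "securityContext": {"privileged": True}}]}},
]

if __name__ == "__main__":
    for f in check_manifests(SAMPLE_MANIFESTS):
        print(f"[{f.layer}] {f.resource}: {f.message}")
```

Run against the sample input, the hardened deployment produces no findings while the debug pod produces six container-layer findings and the default namespace one cluster-layer finding. In practice these checks belong in CI against the manifests in version control and in an admission controller at deploy time, so a weak manifest is rejected rather than merely reported; the same rules are what Pod Security Standards and scanners such as Kubescape express, and a default-deny policy only has effect on a cluster whose CNI enforces NetworkPolicy.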

Rising to the challenge

Cloud-native security comes with challenges - as does any new technology, particularly one that is rising to prominence in so many sectors at the same time. Issues ranging from misconfiguration to software vulnerabilities can be navigated successfully with a proactive security approach and automated tooling. For any business leader opting for a cloud-native approach, the rewards are great, in terms of cost-efficiency and time-to-value - but forward-thinking business leaders need to keep security in mind, right from the start.
