What Does Cloud Native Security Really Mean and do Vendors’ Security Claims Stack Up?
The growing prevalence of large-scale cloud native deployments is forcing enterprises to combine ‘shift left’ DevSecOps, intelligent automation, CSPM (cloud security posture management) and CWPPs (cloud workload protection platforms) to bring efficiency and speed to cloud native security. But doing this on their own is proving highly challenging. As a result, there are many vendors making some big claims when it comes to cloud native security.
With so many buzzwords being thrown around, it’s difficult to identify the essential components a fully integrated cloud native security solution – otherwise known as a Cloud Native Application Protection Platform (CNAPP) – should contain.
This goes some way to explaining why many CISOs are grappling with a growing stream of vulnerabilities coming from their CI/CD pipelines. Meanwhile, SecOps teams are being bombarded by a flood of alerts and configuration issues emanating from their production environments.
Getting to grips with the unique characteristics of cloud native and where traditional security approaches will prove ineffective is an essential first step for any CISO looking to initiate a strong cloud native security strategy.
How cloud native characteristics impact security
Cloud native has engendered a huge shift in the way modern applications are built. New agile methodologies, automation and a growing reliance on open source code are just the start. Microservices – loosely-coupled pieces of an application that are dynamically networked – have emerged as the architecture of choice for cloud native applications, with each microservice typically hosted in a container, a serverless function, or a combination thereof.
Since enterprise deployments can feature thousands of containers and functions running in production, organisations are increasingly using tools like Kubernetes to automate the deployment, scaling, and management of their cloud native applications.
But venturing into the world of Kubernetes has significant implications for security and, as many CISOs are discovering, traditional security tools were never designed for these dynamically orchestrated environments. Traditional tools implicitly rely on a permanence of location and longer lifespans of workloads, while in cloud native applications workloads are ephemeral (running anywhere from seconds to a few hours) and are dynamically assigned internal network addresses by the orchestration layer. Additionally, Kubernetes itself (and all its distributions and commercial versions) brings its own complexity in terms of user roles, networking, storage, and resource usage, and much like public clouds it can create significant configuration risk.
To minimise their risk and overall exposure, organisations will need to gain comprehensive visibility and control over all open source components, so that security vulnerabilities can be identified and addressed before applications are released into production. Alongside automating ongoing security testing in their CI/CD workflows, organisations should also ensure that security controls follow workloads wherever they run, so that they are protected at all times.
CNAPP – an integrated and holistic security approach
Cloud native requires a fundamental shift in thinking when it comes to managing the security of applications and workloads. Indeed, Gartner states that rather than treat development and runtime as separate problems – secured and scanned with a collection of separate tools – enterprises should view security and compliance as a continuum across development and operations. And that’s where CNAPP comes in.
Instead of using different point solutions that solve specific security issues and need to be stitched together, CNAPP combines an integrated set of capabilities to secure and protect cloud native applications across development and production.
So, what are the essential attributes that a Cloud Native Application Protection Platform needs to possess in order to qualify as a true CNAPP?
- Cloud native (for real)
It might sound obvious, but solutions that were not built specifically for cloud native environments aren’t CNAPPs. So, a solution that scans for container vulnerabilities but is oblivious to other aspects of cloud native isn’t a CNAPP.
CISOs should be on the lookout for solutions that can analyse, track, monitor and control all types of cloud native workloads (containers, serverless functions and VMs) and interface and work within the full stack of cloud native infrastructure: Kubernetes, infrastructure-as-code (IaC) tools, multiple public cloud providers and more.
A CNAPP should support multi-cloud and hybrid cloud security without any need to reconfigure controls and policies for each environment – so you can secure once, run anywhere with minimal effort.
- Delivers full lifecycle security
A CNAPP needs to be embedded into the CI/CD pipeline and integrated with a broad suite of modern DevOps tools. If a solution can’t scan code in the build phase and maintain integrity from build to deployment – so that unvetted images are prevented from running in production – it’s not a true CNAPP.
CISOs need to be aware that using separate solutions for shifting left and runtime protection will create security gaps and result in organisations endlessly chasing vulnerabilities and runtime events with no context to prioritise and mitigate these rapidly.
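The build-to-deployment integrity control described above can be illustrated with an admission-style check: only images pinned by digest, whose digest appears in the build-phase scan results, are allowed to run. This is an added example, not code from the original article or from any vendor product; the vetted digests, the registry name and the Pod spec are constructed sample data.

```python
import re

# Constructed sample: digests recorded by the build-phase scanner for images that passed.
# In a real pipeline the CI job would write this record and the admission step would read it.
VETTED_DIGESTS = {
    "sha256:" + "a" * 64,
    "sha256:" + "b" * 64,
}

# Only digest-pinned references (repo@sha256:<64 hex>) can be tied back to a scanned artifact.
DIGEST_RE = re.compile(r"^([^@]+)@(sha256:[0-9a-f]{64})$")


def check_image(ref, vetted=VETTED_DIGESTS):
    """Return (allowed, reason) for one image reference.

    A tag such as ':latest' is mutable, so a tag-only reference cannot prove that the
    image about to run is the one that was scanned; it is rejected outright.
    """
    m = DIGEST_RE.match(ref)
    if not m:
        return False, f"{ref}: not pinned by digest (tag references are mutable)"
    if m.group(2) not in vetted:
        return False, f"{ref}: digest not present in build-phase scan results"
    return True, f"{ref}: vetted"


def check_pod_spec(spec, vetted=VETTED_DIGESTS):
    """Walk initContainers and containers of a Pod spec.

    Returns the list of rejection reasons; an empty list means the Pod may be admitted.
    """
    reasons = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            ok, why = check_image(container.get("image", ""), vetted)
            if not ok:
                reasons.append(why)
    return reasons


# Constructed Pod spec: two vetted, digest-pinned images and one unpinned sidecar.
SAMPLE_POD_SPEC = {
    "initContainers": [
        {"name": "migrate", "image": "registry.example.com/app/migrate@sha256:" + "a" * 64},
    ],
    "containers": [
        {"name": "api", "image": "registry.example.com/app/api@sha256:" + "b" * 64},
        {"name": "sidecar", "image": "registry.example.com/app/sidecar:latest"},
    ],
}

if __name__ == "__main__":
    for reason in check_pod_spec(SAMPLE_POD_SPEC):
        print("REJECT", reason)
```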
- Provides real-time protection
CNAPPs should be more than just a monitoring or scanning solution; they should be able to stop attacks as they happen. Unfortunately, even the most robust ‘shift left’ protection or hardening of the environment won’t protect against zero-day exploits or sophisticated runtime attacks using evasion techniques.
Cloud native attacks move at the same speed as cloud native apps, and the runtime piece is where many so-called CNAPPs fall short today. To stop attacks in progress that others can’t see, opt for solutions featuring runtime policies that provide surgical and real-time protection for containers, VMs, and serverless workloads.
In addition, CISOs should also be on the lookout for solutions with drift prevention capabilities that assure the immutability of container workloads at runtime – prohibiting any changes such as code injection – together with security controls that make it possible to monitor workloads and block any suspicious container activity, with no container downtime or restarts.
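Drift prevention, as described above, amounts to treating the image as the only source of executable code: anything that was not in the image, or that no longer matches the image, is drift and can be blocked per execution without restarting the container. The following is an added example, not code from the original article or any product; it models the image and the running filesystem as in-memory path-to-bytes maps so that it runs offline.

```python
import hashlib


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(image_files):
    """Hash every file shipped in the image. This set is what the workload is allowed to run."""
    return {path: _sha256(content) for path, content in image_files.items()}


def exec_allowed(path, content, baseline):
    """Decide a single execution against the baseline.

    Returns (allowed, classification). Only a file that exists in the image with unchanged
    contents is allowed; dropped binaries and patched binaries are both refused, which is
    what enforces immutability without touching the rest of the container.
    """
    expected = baseline.get(path)
    if expected is None:
        return False, "not_in_image"
    if _sha256(content) != expected:
        return False, "modified"
    return True, "baseline"


def detect_drift(baseline, running_fs):
    """Compare the running container's files with the image baseline and list drift events."""
    events = []
    for path, content in running_fs.items():
        allowed, kind = exec_allowed(path, content, baseline)
        if not allowed:
            events.append((path, kind))
    for path in baseline:
        if path not in running_fs:
            events.append((path, "removed"))
    return sorted(events)


# Constructed sample: the image as built, and the same container after a runtime change
# in which the api binary was patched and a new executable was dropped into /tmp.
IMAGE_FILES = {"/usr/local/bin/api": b"ELF:api-v1", "/bin/sh": b"ELF:sh"}
RUNNING_FS = {
    "/usr/local/bin/api": b"ELF:api-v1-patched",
    "/bin/sh": b"ELF:sh",
    "/tmp/.dropped": b"ELF:unknown",
}

if __name__ == "__main__":
    for path, kind in detect_drift(build_baseline(IMAGE_FILES), RUNNING_FS):
        print("DRIFT", kind, path)
```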
Go for deep integration and embedded controls
Today’s CISOs need to deploy enterprise-grade cloud native security solutions that are purpose-built for the task of stopping cloud native attacks from development to production, while also securing the underlying infrastructure. But while many vendors claim to offer CNAPP style solutions, many fall short across the application lifecycle.
For organisations that want to protect applications from day one and in real-time, a little knowledge and insight on what to look for and why will ensure they’re able to accelerate their cloud native development and digital transformation while enjoying unprecedented protection and reduced risk.