As security threats evolve, all organizations – regardless of size, industry or location – are looking for ways to beef up the protection of their data and applications. For 60% of companies that have embraced cloud-native technologies, increasing security throughout application lifecycles is essential, according to a new report.
The 2021 State of Cloud Native Application Security, produced by Snyk, a developer security platform, found that, since going cloud native, organizations are four times more likely to have increased security concerns.
Securing a traditional enterprise datacenter – one that supports monolithic applications running on VMs – has always been challenging, according to Sean Roth, director of product marketing, virtual and cloud native compute at Nutanix.
“But cloud native environments represent a completely different playing field for security practitioners, infrastructure admins and developers alike,” he said.
For starters, container environments yield orders of magnitude more events than traditional application environments, making observability, monitoring and logging critical but also challenging.
“Because cloud native technologies are relatively new for most enterprise organizations and their security teams, there is still a lot to learn about what cyberattacks in container environments actually look like,” said Roth.
Complicating matters further is the ephemeral nature of containers themselves.
“When a container fails or is compromised, it is usually immediately replaced with a fresh container performing the exact same function,” Roth said. “For attackers seeking to cover their tracks, conditions don’t get any more ideal.”
Going Cloud Native: New Technologies, New Challenges
Cloud native technologies are helping organizations stay agile and release software and application updates more quickly and efficiently. Cloud native adoption is increasingly common and becoming mainstream across all company sizes, according to the Snyk report.
New technologies bring new challenges.
“Now is the time to be more vigilant as we adopt cloud-native technology,” said Andrew Krug, security evangelist at Datadog, in the report. “It’s no surprise that cloud computing allows us to go fast as a business but it also lowers the difficulty of making mistakes. We need more tools and training than ever before …”
Organizations must keep in mind that adopting a new approach to development will have implications for how they approach security in their overall applications and services.
“While the core security principles remain constant,” said the report, “as with all emerging ecosystems the best practices are still being defined, driving fresh concern as teams navigate through unfamiliar landscapes.”
The Most Common Security Culprit Is Misconfiguration
According to the report, “misconfiguration and known unpatched vulnerabilities were responsible for the greatest number of security incidents in cloud native environments.” In fact, more than half of the companies surveyed (56%) had experienced one or both of those issues in their cloud-native applications.
For organizations with high levels of cloud native adoption – meaning high levels of automation – the report showed data leaks caused by insiders were more than twice as likely to have occurred. This fact makes the adoption of zero trust principles more critical than ever.
Part of the problem is that cloud native platforms that use automated tooling “rely on credentials such as secrets and API tokens in order to operate, necessitating a more decentralized approach to managing such access,” the report stated.
In the more centralized pre-cloud environments, these types of artifacts weren’t an issue. Today, however, they are a big concern for organizations as they move to cloud-native practices.
Security Responsibilities Are Shifting Left
One way to address these vulnerabilities is to make security a priority for developers, according to Guy Podjarny, Snyk founder and president.
“With misconfigurations and known vulnerabilities being the top concern and incident driver, we need to rethink how dev teams should prioritize security work,” Podjarny said in the report.
“When a developer is responsible for securing the full cloud-native app, it’s often more important they tackle these security hygiene concerns than the vulnerabilities in the app’s custom code, which most security programs start with.”
Security is no longer the sole responsibility of the security team. The report said that developers are beginning to add security into their bag of tricks, giving rise to the DevSecOps approach: “Developers now have a pivotal role in ensuring that cloud native applications and infrastructure are secure since they increasingly contribute to the application, the infrastructure code, and workload deployment technologies.”
Interestingly, the notion of developer responsibility is coming from developers themselves. The report found that “while less than 10% of respondents in security roles believed developers were responsible for the security of their cloud native environment and applications, over 36% of developers stated that they were responsible.” This shows that security teams still have a way to go in adjusting to shifting responsibilities in a cloud native environment. They tend to hold on to the traditional view, while developers are recognizing their growing role in ensuring the security of cloud native applications.
Automation Enables Security Testing and Repair
In one way, going cloud native can help increase security. According to the report, “while building fully automated deployment pipelines can be challenging, once automation and processes are in place, they create a virtuous cycle providing multiple integration points to enable further automation. This is a key enabler for security testing.”
Survey responses indicated that companies with high levels of deployment automation were two times as likely to have adopted security testing throughout the entire software development lifecycle, compared to organizations with no automation.
Organizations that had integrated security tooling throughout the software development lifecycle were able to continuously test for security vulnerabilities. Almost 70% of companies with high levels of deployment automation were testing security at least daily, and sometimes even more frequently.
Faster, more frequent testing means faster fixes, too. Among those fully automated teams, 72% were able to find and fix critical vulnerabilities in less than a week – with 36% fixing issues in a day or less.
While containers running in production present big challenges for security professionals, an organization’s overall cloud native security approach covers a broad set of focus areas, beginning with Kubernetes’ various components and the underlying infrastructure that supports them. Roth said this is why observability and privilege management are two key capabilities that practitioners must get right.
“For containers, security applies not only during runtime, but during build and deploy lifecycle phases,” said Roth. “The trend is to apply security practices early on in the development cycle, but without burdening developers in a way that impacts their productivity.”
He said this is giving rise to DevSecOps, where both developers and IT operations work together to secure environments and application containers.