Many organizations today develop, build and deploy cloud native applications that utilize infrastructure and services offered by cloud computing providers like AWS, Azure or Google Cloud Platform (GCP). This trend highlights a critical consideration for organizations — how to secure applications, infrastructures and data in cloud-native systems.
In this article, I’ll explain what cloud native security is, including its importance, core principles of the 4Cs and 3Rs and cloud native security strategies.
Defining cloud native security… and why it’s so important
Cloud native security is the integration of security strategies into applications and systems designed to be deployed and to run in cloud environments. Rather than trying to retroactively add security measures to existing applications, cloud native security focuses on securing the cloud infrastructure and applications from the beginning of the development lifecycle.
This involves adding necessary security measures to every phase of the cloud-native application development, deployment and operation and at every layer of the cloud. For example, infrastructure planning, coding, testing, deployment and maintenance phases.
Cloud native security incorporates security into your organization’s overall cloud native application development process. This includes using a wide range of security tools and technologies, and implementing practices with preventative measures to defend the systems against cyberattacks and reactive measures that allow quick resolutions during security incidents. This provides a strong foundation for developing and deploying cloud-native applications. Common approaches here include:
- Authentication and access control with identity and access management (IAM)
- Encryption of data in transit and rest to secure data and systems
- Network security and data security strategies
- Processes and procedures for incident response and risk management
- Disaster recovery policies
- Periodic security scans
Any security loophole can impact your cloud operations. The secure infrastructure supports application designs based on cloud-native principles. Secure code enables the building of robust cloud-native applications. With such a holistic approach to security, organizations can detect and remediate any vulnerabilities in a cloud environment — enabling you to actually reap the benefits of cloud offerings: cost savings, reliability, resiliency and scalability.
The layered approach for cloud-native security
In cloud-native applications, you can consider security in layers typically known as the 4C's of cloud native security:
A set of principles should govern each layer to drive the development of secure, scalable, and resilient applications and services in cloud environments. That means each layer depends upon the next outermost layer. Consequently, your code, the inner-most code layer benefits from having strong and secure Cloud, Cluster, and Container layers.
The cloud layer is the infrastructure that hosts and executes your applications in the cloud environment. Several common security issues are associated with this layer, including:
- Misconfigurations. Some teams keep default configurations for infrastructures. For example, you might be default keep some critical ports in servers open to internet traffic. Attackers can exploit these vulnerable ports to enter the virtual network and execute cyberattacks. Another example is weak access controls to cloud resources. These common misconfiguration issues can result in losing sensitive data and costing organizations a large sum of money.
- Issues in automation. Automation allows you to create, configure and quickly deploy resources to the cloud. But that same automation means security issues also quickly deploy to the cloud environment.
To achieve cloud security, you have shared responsibility, along with the Cloud Service Provider (CSP), of securing the cloud infrastructure. Often known as the shared responsibility model, it involves securing configurations, overviewing data security and many more. Follow these best practices to move closer to cloud security:
- Obey the security recommendations from your CSP.
- Routinely review your configurations to ensure no misconfigurations in the application infrastructure.
- Use infrastructure as code (IaC) that automates cloud resource creation, configuration and deployment. This minimizes human errors from manual resource provision.
The container layer consists of resources in a containerized application, such as container images. These are common security issues associated with the container layer:
- Container images can contain security vulnerabilities
- Weak access controls
- Container content with untrusted sources
To achieve container security, you should:
- Scan for known vulnerabilities using open-source tools when building the images.
- Regularly update containers to enhance security by eliminating known vulnerabilities.
- Create users with least access privileges required to carry out the container functions.
- Use only a trusted registry to build the container images, such as an image signing tool like the Docker Content Trust (DCT).
A cloud native application is often a containerized application with a container cluster. This layer is typically a Kubernetes cluster that contains cluster components and applications. Therefore, in this layer, organizations should focus on the security of components and applications, including in these ways:
- Using encrypted communication for Kubernetes components.
- Using TLS certificates to authenticate incoming traffic.
- Meeting or exceeding security standards and network policies.
One of the most important components of this layer is the Kubernetes API. Use role-based access control (RBAC) rules for Kubernetes API authorization.
(Learn how to set up basic, vanilla Kubernetes.)
The innermost layer, the code layer benefits from secure cloud, cluster and container layers. Also known as the application layer, it focuses on secure coding strategies. Common security issues associated with coding in cloud-native applications include.
- Developers often use third-party software for developing apps, which can contain security vulnerabilities.
- Insecure coding practices like unhandled validations, hard-coding passwords, etc.
- Inadequate security risk assessments.
These robust strategies will help secure your application code:
- Use dynamic security scanning software to automatically scan your code to reveal vulnerabilities like cross-site scripting (XSS), insecure password stores, cross-site request forgery (CSRF) and SQL injection.
- Detect insecure code with a static code analysis tool. You can integrate this into your coding pipeline to trigger the analysis in every code commit.
- Suss out vulnerabilities in third-party dependencies using dependency-checking software like OWASP Dependency-Check and Snyk.
Three principles for cloud-native security
The 3 Rs of cloud security — rotate, repair and repave — are the core principles for securing cloud-native infrastructure and applications. The core security strategy behind these principles is embracing the changes as fast as possible to minimize time open for attacks and attackers.
Cloud-native applications use different credentials such as:
- Encryption keys
- Access tokens
To maximize security, do not keep the credential values for long. Instead, rotate or change them frequently, like every few minutes or hourly. This rotation makes it difficult for attackers to leak them, as one credential is kept for only a short period.
Typically, software releases and updates include security patches to repair security vulnerabilities. Keep your systems and applications up-to-date by applying software patches as soon as they release.
If you need to rebuild the cloud servers and applications, use a known secure state to rebuild them. Also, repair the entire software stack by revamping it from a verified secure state without patching.
Strategies for cloud-native security
Overall, organizations can adopt several security strategies to improve the safety of their cloud-native applications and services. The most common strategies follow.
Use identity and access management (IAM) controls
This includes implementing IAM policies and authorization mechanisms to limit access to only the required resources in the cloud. IAM controls help ensure that only authorized users can access the necessary resources.
Leverage cloud-native security tools
Take advantage of cloud-native security tools that enable you to:
- Monitor and detect security violations.
- Automate the deployment and management of security controls.
Encrypt wherever possible
Protect sensitive information from unauthorized access by encrypting data at rest and in transit. For example:
- Encrypting data stored in databases, object storages and server volumes.
- Encrypting data transmitted between the cloud and other systems.
(Explore encryption strategies and learn about a new option, homomorphic encryption.)
Adopt a shit-left security approach
Integrate and test security controls from the beginning of the software development lifecycle rather than in a single phase and production environment. This approach enables developers to identify the effects of the security strategies and vulnerabilities beforehand, offering plenty of time to fix them.
Take the zero-trust approach
The zero-trust approach says that you should assume all network traffic is potentially malicious. Therefore, you should implement security controls to confirm identity and access rights before granting access to your resources.
Enforce security in container and container orchestrations
Containers and container orchestration technologies, such as Kubernetes, are increasingly used to deploy cloud-native applications and services. Implementing security controls to protect these environments from cyber threats is crucial.
Try the “defensive depth” strategy
In this strategy, the security team must monitor every network layer to detect any threats and provide remediation as soon as possible. This includes:
- Preparing backup plans
- Implementing various defense mechanisms
- Preparing for data breaches
Stay up to date with security resources
Security is an ever-changing landscape, so stay up to date with additional resources. Read expert-recommended security articles and books, understand emerging threats, attend in-person and online security events and build resilience into everything across the enterprise.
Securing the cloud from the start
Cloud-native security incorporates security strategies, applications and underlying infrastructures, focusing on security at all cloud layers. To achieve cloud-native security, you should implement reactive and proactive security approaches. Three basic principles lie behind this: rotate, repair, and repave.
By following a variety of security strategies, you can maximize your cloud-native security according to your organization’s requirements.
What is Splunk?
This posting does not necessarily represent Splunk's position, strategies or opinion.