In 2015, when many organizations hadn’t even heard of cloud-native computing, one of the country’s largest organizations was heading in just that direction. The idea grew out of discussions about what it needed from its mission-critical applications, such as the ability to update applications frequently and run them in an orchestrated environment.
By adopting DevOps principles and cloud-native application development pipelines that use reusable artifacts as building blocks for container images, agencies have benefitted from faster development, improved user experience, easier management, higher reliability and lower costs – mostly because of the efficiencies gained by reusing existing components across multiple container images.
Although the benefits are compelling, cloud-native architectures also introduce new types of security risks and potential sources of vulnerabilities for DevOps teams to address as part of their workflows and processes. Existing approaches to application security are not designed for this new paradigm.
Instead, DevOps teams need a new approach that helps them better identify where potential risks exist and enables them to integrate vulnerability management into their development and delivery pipelines.
This made it clear that the way forward was embracing DevOps and cloud-native application development. At the same time, the group understood that this change would require a new approach to security.
Once the decision was made, the organization got started. After scanning containers and images in its pipeline to detect and manage vulnerabilities, the security division began exercising deployment controls and runtime protection capabilities, activating more preventative runtime controls over time. All told, it took the group about three years to build the capability from the ground up.
At the same time, the organization addressed the security changes required to smooth cloud-native application development. By implementing cloud-centric container security and vulnerability management tools, the IT staff was assured full visibility and tracking capabilities.
By systematically and proactively switching its approach to cloud-native development and adapting its security practices to keep pace, the organization avoided many of the issues that others experience during major changes: slowdowns, scalability problems and rejection from security or compliance officers when seeking to deploy something new.
This article is an excerpt from GovLoop’s recent report, “Navigating the Security Challenges of Cloud-Native Operations.”