As the pace of digital innovation intensifies, agencies are looking to technology to meet emerging requirements and fulfill mission needs. In this environment, the use of cloud-native tools is a game-changer for app development.
Cloud-native refers to building and running apps in a cloud environment rather than in an agency’s on-premise data center. The major benefit of cloud is it offers speed without sacrificing quality. Cloud-native tools enable DevOps, a methodology that integrates development and operations to shorten the application lifecycle. DevOps provides continuous delivery while maintaining a high level of quality.
But security must be factored in too. Today, the DevOps team must help keep the app development lifecycle secure — thus the term Dev-Sec-Ops. One way to do that is with containers and cloud-native tools.
Let’s clarify a few more terms. Cloud-native environments are “built with technologies that include containers, serverless functions and virtual servers.” A container is a small portable bundle containing an app, the services it depends on and security, enabling the app to run practically anywhere. Think of it as an all-in-one package for your application.
However, there are some security challenges that arise with containers in cloud-native environments. Fractured development teams that don’t use a unified set of tools or libraries sacrifice consistency in securing applications. Plus, a wide variety of tools makes developer feedback more difficult.
To keep apps secure, developers use many different security rules that permit specific activities and prevent everything else. Some rules control processes that can be started and run in a container. Other rules detect changes to the file system.
The agile nature of development means apps are updated frequently, sometimes several times a week. Each release can affect the security rules designed to protect the app, so the security rules must be kept up to date as the app is modified. Containers are also ephemeral — developers frequently rip and replace them — and container sprawl is a problem. All of these issues point to the need for monitoring tools that track containers and assist with management.
Although security challenges exist, containers and cloud-native environments provide opportunities for doing security in better ways.
This technology provides the opportunity to greatly improve the collaboration of the development, security and operations teams. It also gives the security and operations teams visibility into the developer’s world.
With developers moving at the speed of operations for provisioning infrastructure, automation meets the scale issue head on and helps ensure that DevSecOps team members can keep pace. DevSecOps teams rely heavily on templates for all kinds of tasks, including configuration. At the same time, it’s important to inspect those automation mechanisms to ensure they don’t introduce new vulnerabilities. And it is critical to identify software within your environment that becomes vulnerable over time.
This article is an excerpt from GovLoop Academy’s course, “Enhancing the Security of Cloud-Native Tools and Apps,” created in partnership with Palo Alto Networks. Access the full course here.