There is a big difference between securing traditional applications with dedicated infrastructure and securing dynamic cloud-native apps based on containers and running in a microservices architecture. Traditional security practices simply aren’t designed for this environment, and they won’t protect cloud-native apps effectively. Here’s why:
- Cloud-native applications are developed incrementally, with continuous streams of code that are constantly updated and deployed into the environment. This creates a large attack surface of known and unknown vulnerabilities.
- Traditional applications always have a virtual machine (VM) or server attached, so they retain the same IP address and location at all times. Cloud-native applications have no permanence of location, with no clear perimeters. Every component is independently and automatically spun up or down, multiplied, spun down in one place and spun up in another. That means security must follow application services, wherever they are.
- The conventional method of securing applications focuses on identifying and mitigating code vulnerabilities before they’re exploitable. For example, security policy might require fixing all critical vulnerabilities before moving an application to production. But analyzing the relative risk and criticality for thousands of vulnerabilities is time-consuming and difficult. The lack of prioritization when dealing with a proliferation of vulnerabilities in the cloud-native supply chain and infrastructure slows development and does not position DevOps teams to mitigate overall risk.
Solution: A Risk-Based Approach
When it comes to cloud-native applications, security can’t be an afterthought. Instead of relying on bolted-on solutions and approaches, security must be integrated into the continuous integration and continuous delivery (CI/CD) pipeline.
It starts by taking a risk-based approach to cloud-native development, which allows DevOps teams to detect, evaluate and fix vulnerabilities in the artifact pipeline as an integrated component of the development process and maintain ongoing monitoring of how containers behave once deployed.
“Everybody runs tens or hundreds of thousands of vulnerabilities at any given moment, and the risk-based approach allows you to prioritize,” explained Rani Osnat, Vice President of Strategy at Aqua. “By using a risk-based approach that includes scoring to assess how dangerous each vulnerability is, you can understand which poses the biggest risk and should be handled first.”
A comprehensive risk-based approach includes:
- Shifting security controls into the development pipeline and focusing on the artifact pipeline to ensure that risks are evaluated and mitigated before code goes into production. Without this change, organizations are more likely to face a large attack surface at runtime that’s too complex to understand and mitigate.
- Establishing an “acceptance gate” that ensures that customizable policies address all security risks and vulnerabilities, and allows security teams to evaluate containers in a sandboxed environment for risks such as supply-chain attacks before they are deployed.
- Having a plan for “drift prevention” — detecting changes to apps and containers that cause them to fall out of compliance with security requirements.
Adopting a risk-based approach is critical, but it’s not the complete solution. It’s much better when combined with layers of security that move beyond detection and assessment to remediation or mitigation. For example, in cases where you can’t or don’t want to remediate, you might choose to create a runtime control that detects, prevents and tracks exploitation of specific vulnerabilities.
Together, these steps create a full lifecycle approach to security, starting with development and continuing through deployment to runtime. This approach ensures that nothing too risky flows through, while allowing organizations to prioritize and remediate what they can, accept or mitigate what they can’t, and, once workloads are running, easily detect and stop events.
This article is an excerpt from GovLoop’s recent report, “Navigating the Security Challenges of Cloud-Native Operations.”