Built in the cloud and for the cloud, cloud-native applications are driving digital transformation and creating new opportunities to increase efficiency.
Taking a cloud-native approach brings both speed and scalability — attributes its proponents can all agree on, even if they can’t agree on what the term “cloud-native” actually means. For CrowdStrike, cloud-native technologies are purpose-built for the cloud and leverage its unique capabilities as part of their architecture.
No matter what the term means to you, developers' growing use of serverless functions, microservices and containers has introduced new security risks that have to be accounted for.
A survey recently performed by consulting firm Enterprise Strategy Group (ESG) reported that:
- Twenty-nine percent of respondents said, “Our current server workload security solution does not support or offer the same functionality for containers, requiring that we use a separate container security solution adding cost and complexity.”
- Twenty-seven percent said the speed at which containers are built and deployed “results in security controls not being included from the outset.”
The architecture of cloud-native applications requires its own approach to security policies and controls. Beyond meeting the challenge of maintaining consistent security across their data center and the public cloud environment where their applications are deployed, IT teams must also contend with a lack of mature tools for securing containers, API vulnerabilities and other issues. In virtual-machine (VM)-based cloud deployments, security tools and best practices are more mature, offering more fully featured detection and visibility into threats and performance issues. The same cannot be said of cloud-native environments leveraging microservices and containers. In short, the threat model has changed.
Despite these challenges, cloud-native approaches offer an opportunity — and not just to develop, test and get applications to market more quickly. Embracing cloud-native approaches enables businesses to transform their security alongside their digital initiatives to support the organization. To reach the peak value of DevOps promised by its advocates, organizations need to find a way to embrace cloud-native app development securely.
Manage Complexity, Increase Security
“Simplicity” is a word vendors use in promises, but it is rarely used to describe IT environments themselves. In fact, two-thirds of survey respondents noted that their environment has become more complex in the last two years, according to ESG.
For DevOps teams, the answer to this complexity is to use infrastructure-as-code (IaC) templates that enable them to rapidly spin up the cloud infrastructure they need. However, this is often done without the oversight of the security team, leading to shadow IT and increased risk. If a template is misconfigured, that mistake can quickly become a showstopper and ultimately endanger resources.
For this reason, moving security into the development process early is critical, and integrating security into DevOps processes is a must. For cloud-native architectures, focusing on security cannot wait until deployment. Weaving capabilities such as secure configuration management and vulnerability scanning into the earliest parts of the app development stages reduces risk without slowing down release cycles.
As the demands of application development cycles escalate in response to business needs, security will have to keep pace. The key is providing security that is automated, platform-agnostic and integrated into the application development process driving today’s IT. According to the ESG study, the highest number of respondents named DevSecOps automation as their top cloud security priority, as a way to enforce policy and protections for Agile, DevOps and continuous integration/continuous delivery (CI/CD) workflows.
This finding should come as no surprise. The lack of mature cybersecurity tools to support cloud-native approaches has led to a proliferation of point solutions that, while effective at addressing a specific challenge, fail to provide comprehensive visibility and control across the environment.