Security considerations in a cloud-native world
As the cybersecurity landscape continues to evolve at pace and with many organisations moving to the cloud, IT security pros face ever bigger challenges. It’s reported that 65-70% of all security challenges in the cloud arise from common cloud misconfigurations - glitches, gaps or errors that can expose an environment to cyber threats. This is often a result of a company’s rapid move to the cloud, foregoing adequate planning that can leave areas of the tech environment open to attack.
Contrary to compliance, which is considered a necessity early on by organisations, security remains more of an afterthought for many businesses. There are also key differences in the way security is approached from the more mature private cloud infrastructure perspective when compared with cloud-native applications where security teams are not necessarily consulted.
Differing cloud security approaches
Despite in theory the DevSecOps movement being widely accepted within the tech industry, businesses are not practising what they preach in terms of practical security being embedded in the process. The first approach, with private or hybrid cloud, or traditional on-premise infrastructure, has a high level of maturity of plugging compliance and security into that process. Many organisations are adopting security tools, not just to provide them the infrastructure that they need, but also to provide them in a state where all the policies are already enforced.
In contrast, with cloud native applications seeing very fast paced market evolution, the autonomy of the decision power has become decentralised. This means application developers get click-happy buying services, often not even understanding that they’re buying and hence not consulting the security team – therefore the adoption of security is still happening as an afterthought.
How security differs from compliance
It’s common for security and compliance to be treated as one and the same, as the distinction between them is not clear. Security can be divided into two parts - compliance and core security. When an organisation has created a product and they want to sell it to a large enterprise, it requires compliance certifications before they hit GA or sell a product to a specific market segment or geography. For instance, this could be the PRA and FCA in the financial domain, or The Data Protection Act for healthcare.
Compliance is considered essential for many organisations to stay operating in a specific business or a specific region. However, security should be considered equally essential if leaders want to protect their intellectual property, their data, and their customer’s data. While compliance is regarded as the essential checkbox, security is turned to too late, when problems arise.
Challenges for CISOs to secure cloud-native applications
With cloud native, for instance AWS Azure, GCP, or hybrid cloud, there are so many services it’s almost impossible for a CISO or security professional to track and identify where a problem lies. While Cloud Native technologies including container and Kubernetes has so many advantages, managing it and ensuring it is secure and compliant is another challenge still.
It’s hard to find the right tech experts that understand the new needs for security, that are also familiar with the security and compliance aspect of all these heterogeneous services that an organisation is using. Another key challenge is the time to value. If you buy a product, if you have multiple products, the question is how fast you can integrate them and how fast you can get started. It’s no mean feat to secure multi clouds and make them compliant in the same way organisations are used to making the private cloud compliant while also providing a similar level of compliance and security capabilities for Kubernetes.
Benefits of policy-as code
Organisations are scrambling for tips and best practices for minimising cloud misconfigurations, such as Policy as Code (PaC) and continuous monitoring for vulnerabilities. PaC can eliminate misconfiguration pre-deployment by testing cloud infrastructure for adherence to compliance and security policies earlier in the SDLC. By taking a proactive focus and catching misconfiguration earlier, cloud engineers can save themselves time and headaches, as well as costly recovery strategies. Continuous cloud runtime monitoring is essential for cloud security and tech teams can promote innovation and business continuity, whilst protecting what’s theirs.
With policy-as-code is policy management in which policies are defined, updated, shared and enforced using code. Senior leaders of an organisation must devise many policies - many of which are related to how physical assets are managed - but when it comes to their software, there are also many policies and these policies could be at infrastructure level. They need to consider what hardware to use, and decide which region or which cloud provider they want to host on.
Policies are across the board and cut across infrastructure compliance and security. Smart organisations are automating this process, bringing security, DevOps and compliance teams together, with code being the common language.
The importance of policy as code for future innovation
If an executive aims to speed up time to market for an app, but if the check boxes are not really understood and validated earlier in the development cycle, this can set a product back not just by days and weeks but potentially months or even entire quarters. From a business perspective, it’s critical to invest in automation of compliance early on in your product development life cycle.
For organisations looking to improve their security posture, it’s a no brainer to take advantage of policy as code. The basic approach involves excluding known vulnerabilities and having automated checks in place so that we validate such misconfigurations or identifying vulnerable products that are not to be used which can save a lot of team effort. Automating security and bringing it within the software development lifecycle will benefit CISOs, security teams and development teams, whilst radiating benefits throughout the organisation.