Cloud-Native Security Best Practices for Evolving Cloud Environments

There have always been two basic pillars of cloud security. One is the visibility to detect issues. The other is the ability to remediate threats effectively, ideally proactively, which means mitigating risks before they are actively exploited. Neither of these pillars has changed since companies began moving workloads into the cloud more than a decade ago.

What has evolved dramatically in recent years, however, are the tools and processes businesses need to enact cloud security. As organizations have shifted from basic cloud environments powered by VMs to distributed, microservices-based, cloud-native environments, the cloud security strategies that sufficed five or ten years ago are no longer enough to stay a step ahead of threat actors.

Today, it is critical to ensure that cloud security evolves along with your cloud strategy and architecture. This article explains what that means, and which best practices businesses should follow to meet cloud-native security requirements.

From Cloud Security to Cloud Native Security

There is a big difference between traditional cloud computing environments and cloud-native computing environments. By extension, there is a big difference between traditional cloud security and cloud-native security.

In a traditional cloud environment, you secured workloads by setting up cloud firewalls and defining security groups. You achieved security visibility by loading agents onto VMs, which collected logs and metrics. You may have used your cloud provider's native security tools (such as Amazon GuardDuty or Microsoft Defender) to interpret that data and detect threats. You may also have periodically audited your cloud IAM settings to detect potential misconfigurations. Perhaps you even outsourced some security operations to a Managed Security Service Provider (MSSP).

These kinds of tools and processes remain important in cloud-native environments. However, they are not enough on their own to meet the new and distinctive security challenges that arise in the context of cloud-native workloads. Traditional cloud security does not address needs such as the following:

  • Identifying risks beyond IaaS: Cloud-native attack surfaces extend beyond conventional infrastructure and applications. For example, Kubernetes RBAC configuration errors can create security risks, but monitoring just VMs or applications won't alert you to them.
  • Managing constantly changing configurations: A modern, cloud-native environment might include dozens of users and workloads, with thousands of access control rules defining who can do what, and the settings are constantly changing. Periodic audits are not enough for proactive threat detection in such a dynamic, fast-moving environment.
  • Multi-cloud security needs: Cloud vendors' native security tools do not suffice when you need to secure workloads running across multiple clouds at once.
  • Remediating root causes: Knowing that a risk exists is not always enough to fix it quickly in complex, cloud-native architectures. For instance, detecting a code injection vulnerability in an application does not necessarily mean you can quickly trace the issue back to the specific microservice or code commit that introduced it.
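The Kubernetes RBAC point deserves a concrete check. The following is an added example written for this editorial pass, not code from the original article: it walks a list of RBAC objects (the JSON that `kubectl get` emits for roles and bindings), flags wildcard grants and escalation paths in the roles themselves, and then flags the bindings that hand a risky role to everyone, to a default service account, or cluster-wide to a service account. The sample cluster objects, the rule set and the list of "broad" subjects are this example's own assumptions.

```python
"""Added example (not from the original article): audit Kubernetes RBAC objects
for risky grants that VM- or application-level monitoring would never see.

Input is a list of RBAC objects as Python dicts, the shape you get from
`kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`
after json.load(). The objects in SAMPLE_OBJECTS are constructed for the
example; the rule set is this example's own, not a vendor's.
"""
from __future__ import annotations

# Subjects that effectively mean "everyone" (or every pod in the cluster).
BROAD_SUBJECTS = {
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
    ("Group", "system:serviceaccounts"),
}
# Verbs that let a holder grant themselves or others more rights.
ESCALATION_VERBS = {"*", "escalate", "bind", "impersonate"}
RBAC_RESOURCES = {"roles", "clusterroles", "rolebindings", "clusterrolebindings"}


def audit_role(role: dict) -> list[str]:
    """Findings for one Role/ClusterRole, based purely on its own rules."""
    name = f'{role["kind"]}/{role["metadata"]["name"]}'
    findings: list[str] = []
    for rule in role.get("rules") or []:
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            findings.append(f"{name}: wildcard verbs on wildcard resources (cluster-admin equivalent)")
            continue
        if verbs & ESCALATION_VERBS and (resources & RBAC_RESOURCES or "*" in resources):
            findings.append(f"{name}: can modify RBAC objects (privilege escalation path)")
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            findings.append(f"{name}: can read secrets")
        if "pods/exec" in resources and verbs & {"create", "*"}:
            findings.append(f"{name}: can exec into pods")
    return findings


def _role_key(kind: str, name: str, namespace: str | None) -> tuple:
    # Roles are namespaced, ClusterRoles are not, so key them differently.
    return (kind, namespace if kind == "Role" else None, name)


def audit_rbac(objects: list[dict]) -> list[str]:
    """Audit roles and the bindings that hand them out; returns sorted findings."""
    findings: list[str] = []
    # cluster-admin is always worth flagging, whether or not the dump includes it.
    risky_roles: set[tuple] = {_role_key("ClusterRole", "cluster-admin", None)}
    for o in objects:
        if o["kind"] in ("Role", "ClusterRole"):
            role_findings = audit_role(o)
            findings.extend(role_findings)
            if role_findings:
                risky_roles.add(_role_key(o["kind"], o["metadata"]["name"], o["metadata"].get("namespace")))

    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ns = b["metadata"].get("namespace")
        ref = b["roleRef"]
        if _role_key(ref["kind"], ref["name"], ns) not in risky_roles:
            continue  # binding a harmless role is fine
        bname = f'{b["kind"]}/{b["metadata"]["name"]}'
        for s in b.get("subjects") or []:
            if (s["kind"], s["name"]) in BROAD_SUBJECTS:
                findings.append(f"{bname}: grants {ref['name']} to broad subject {s['name']}")
            elif s["kind"] == "ServiceAccount" and s["name"] == "default":
                findings.append(f"{bname}: grants {ref['name']} to the default service account in {s.get('namespace', ns)}")
            elif s["kind"] == "ServiceAccount" and b["kind"] == "ClusterRoleBinding":
                findings.append(f"{bname}: grants cluster-wide {ref['name']} to ServiceAccount {s.get('namespace', '?')}/{s['name']} (review)")
    return sorted(findings)


# Constructed sample: what a small, slightly careless cluster might contain.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "ops-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "pod-viewer", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-is-ops"},
     "roleRef": {"kind": "ClusterRole", "name": "ops-everything"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "default-reads-secrets", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "payments"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "viewers", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "pod-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    for finding in audit_rbac(SAMPLE_OBJECTS):
        print(finding)
```

Nothing here needs a host agent: the input is the API server's own view of its configuration, which is exactly the layer a VM-level monitor never sees. Run it on a schedule or from an admission webhook and the `pod-viewer` binding stays silent while the four real problems surface.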

So, while conventional cloud security remains part of the foundation for cloud-native security, it is not a complete foundation on its own. To protect cloud-native workloads fully, you need to extend the security tools and processes you already have in place for traditional cloud workloads.

Cloud-Native Security Best Practices

To achieve full security for cloud-native workloads, strive to follow practices such as the following:

1. Bake security into your development pipeline

In a cloud-native world, you do not want to wait until after you have deployed an application to find risks. Instead, maximize your chances of discovering and fixing issues before deployment by baking security tests into your CI/CD pipeline. Ideally, you will perform a sequence of tests, starting with static testing of raw source code and proceeding to running tests against the built artifacts (binaries and container images) in a pre-production environment.
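Here is what that staged sequence looks like as a release gate, as an added example rather than the article's own material: each stage's scanner findings are checked against a severity threshold in order, accepted risks are honoured only until their expiry date, and the pipeline stops at the first failing stage so a build that fails static checks never consumes pre-production time. The stage names, thresholds, finding ids and sample results are assumptions constructed for the example.

```python
"""Added example (not from the original article): a release gate that applies
the staged test sequence above as policy code.

Each stage's scanner output is modelled as a list of findings with an id and a
severity; SAMPLE_RESULTS is constructed data, not real scanner output, and the
stage names, thresholds and the accepted-risk register are assumptions for the
example.
"""
from __future__ import annotations
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Stages in execution order: cheap source-level checks first, the expensive
# dynamic test against a pre-production deployment last. The second field is
# the lowest severity that fails the stage.
STAGES = [
    ("sast", "high"),        # static analysis of raw source code
    ("secrets", "low"),      # any committed credential fails the build outright
    ("deps", "high"),        # known-vulnerable dependencies
    ("image", "high"),       # scan of the built container image / binaries
    ("dast", "medium"),      # dynamic test against the pre-production deployment
]

TODAY = date(2025, 1, 1)  # fixed so the sample is reproducible; use date.today() in a real run


def blocking_findings(findings: list[dict], fail_at: str, accepted: dict[str, date], today: date) -> list[dict]:
    """Findings that block a stage: at or above the threshold and not covered by a
    still-valid risk acceptance. Expired acceptances stop working on their own,
    so an exception cannot become permanent by being forgotten."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue
        expiry = accepted.get(f["id"])
        if expiry is not None and expiry >= today:
            continue
        blocking.append(f)
    return blocking


def evaluate_pipeline(results: dict[str, list[dict]], accepted: dict[str, date], today: date = TODAY) -> dict:
    """Run the gate stage by stage, stopping at the first failure."""
    report = {"passed": True, "failed_stage": None, "blocking": [], "stages_run": []}
    for stage, fail_at in STAGES:
        report["stages_run"].append(stage)
        blocking = blocking_findings(results.get(stage, []), fail_at, accepted, today)
        if blocking:
            report.update(passed=False, failed_stage=stage, blocking=blocking)
            break
    return report


# Constructed sample scanner output for one build (ids and titles are made up).
SAMPLE_RESULTS = {
    "sast": [{"id": "SAST-0012", "severity": "medium", "title": "open redirect in /login"}],
    "secrets": [],
    "deps": [{"id": "DEP-0007", "severity": "high", "title": "deserialization flaw in a YAML library"}],
    "image": [{"id": "IMG-0003", "severity": "critical", "title": "outdated TLS library in base image"}],
    "dast": [],
}
# Hypothetical accepted risk: DEP-0007 reviewed as unreachable from our code, expires 2025-06-30.
ACCEPTED = {"DEP-0007": date(2025, 6, 30)}

if __name__ == "__main__":
    import json
    print(json.dumps(evaluate_pipeline(SAMPLE_RESULTS, ACCEPTED), indent=2, default=str))
```

With the sample data the build fails at the image stage: the SAST finding is below the threshold, the dependency finding is covered by a live acceptance, and DAST is never reached. Drop the acceptance (or move the date past its expiry) and the same build fails one stage earlier, at `deps`.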

2. Move beyond agents

While agent-based security may be enough for protecting simple cloud workloads like VMs, in some cases, such as when you are using serverless functions, you cannot deploy agents to gain security visibility.

Instead, you will need to instrument security visibility into your code itself by ensuring that your applications expose the data you need to detect threats, without relying on agents as an intermediary.
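What instrumenting visibility into the code can look like for a function handler, as an added example that is not from the original article: the handler records every refusal (failed authentication, malformed input, rejected values, denied access) as a structured event carrying the correlation fields a detector needs, and a small detector then spots object-ID enumeration from those events alone. The event shape loosely follows an API gateway proxy event; the handler, the ORDERS data, the event field names and the replayed requests are constructed for this example.

```python
"""Added example (not from the original article): a serverless-style handler
that emits its own security telemetry, so detection does not depend on a host
agent that cannot run inside a function runtime.

The request shape (path, body, requestContext with identity and authorizer)
loosely follows an API gateway proxy event, but the handler, ORDERS data, event
field names and the requests in run_sample() are constructed for this example.
Events are written as JSON lines to a stream, which is what function platforms
collect as logs.
"""
from __future__ import annotations
import hashlib
import json
import re
import sys
import time

ORDERS = {"ord-1001": "alice", "ord-1002": "bob", "ord-1003": "bob"}  # constructed data
ORDER_ID = re.compile(r"^[a-z0-9-]{1,32}$")


class SecurityLog:
    """Collects structured security events; each carries the correlation
    fields a detector needs (request id, caller, source IP, route)."""

    def __init__(self, stream=None):
        self.stream = stream  # e.g. sys.stdout inside the function; None keeps events in memory
        self.events: list[dict] = []

    def emit(self, kind: str, request: dict, **fields) -> dict:
        ctx = request.get("requestContext", {})
        ev = {
            "ts": time.time(),
            "kind": kind,
            "request_id": ctx.get("requestId"),
            "source_ip": ctx.get("identity", {}).get("sourceIp"),
            "principal": ctx.get("authorizer", {}).get("principalId"),
            "route": request.get("path"),
            **fields,
        }
        self.events.append(ev)
        if self.stream is not None:
            self.stream.write(json.dumps(ev, sort_keys=True) + "\n")
        return ev


def handler(event: dict, log: SecurityLog) -> dict:
    """Return one order to its owner; every refusal leaves a security event behind."""
    principal = event.get("requestContext", {}).get("authorizer", {}).get("principalId")
    if not principal:
        log.emit("authn_failure", event, reason="no principal from authorizer")
        return {"statusCode": 401, "body": "unauthorized"}
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        log.emit("malformed_input", event, reason="body is not JSON")
        return {"statusCode": 400, "body": "bad request"}
    order_id = str(body.get("order_id", ""))
    if not ORDER_ID.match(order_id):
        # Log a digest of the rejected value, not the value itself: it may be an
        # injection payload you do not want replayed into every log viewer.
        digest = hashlib.sha256(order_id.encode()).hexdigest()[:16]
        log.emit("input_rejected", event, field="order_id", value_sha256=digest)
        return {"statusCode": 400, "body": "invalid order_id"}
    owner = ORDERS.get(order_id)
    if owner is None:
        return {"statusCode": 404, "body": "not found"}
    if owner != principal:
        log.emit("authz_denied", event, order_id=order_id)  # the IDOR signal
        return {"statusCode": 403, "body": "forbidden"}
    log.emit("order_read", event, order_id=order_id)
    return {"statusCode": 200, "body": json.dumps({"order_id": order_id, "owner": owner})}


def detect_enumeration(events: list[dict], threshold: int = 3) -> set:
    """Detector side: callers denied on `threshold` or more objects are probably
    walking other tenants' IDs. This needs only the events above, no agent."""
    counts: dict = {}
    for ev in events:
        if ev["kind"] == "authz_denied":
            counts[ev["principal"]] = counts.get(ev["principal"], 0) + 1
    return {p for p, n in counts.items() if n >= threshold}


def make_event(principal, body, ip="203.0.113.7", request_id="req-1") -> dict:
    """Constructed API-gateway-style proxy event."""
    return {
        "path": "/orders",
        "body": body,
        "requestContext": {
            "requestId": request_id,
            "identity": {"sourceIp": ip},
            "authorizer": {"principalId": principal} if principal else {},
        },
    }


def run_sample(stream=None) -> SecurityLog:
    """Replay a constructed mix of normal and hostile requests."""
    log = SecurityLog(stream)
    handler(make_event("alice", json.dumps({"order_id": "ord-1001"})), log)       # 200
    handler(make_event(None, json.dumps({"order_id": "ord-1001"})), log)          # 401
    handler(make_event("alice", "{not json"), log)                                 # 400
    handler(make_event("alice", json.dumps({"order_id": "1' OR 1=1--"})), log)    # 400, digest only
    for oid in ("ord-1001", "ord-1002", "ord-1003"):                               # 403 each
        handler(make_event("mallory", json.dumps({"order_id": oid}), ip="198.51.100.9"), log)
    return log


if __name__ == "__main__":
    sample = run_sample(sys.stdout)
    print("enumeration suspects:", detect_enumeration(sample.events))
```

The point is the contract between application and detector: because the function itself emits who, from where, on which route and why it refused, a detector reading the platform's log stream can raise the IDOR alert without any process running alongside the function.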

3. Implement layered security

Cloud-native environments include many layers (infrastructure, applications, orchestration, physical and virtual networks, and so on), and you need to secure every one of them. This means deploying tools and security analytics processes capable of detecting risks in, say, the way you configure your Kubernetes deployments or inside container images, in addition to catching conventional cloud security risks like IAM misconfigurations.
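As an added example (not the article's own code), one policy run over three layers of a single workload: the pod spec (orchestration), its container image references (supply chain) and the IAM policy it runs with (cloud). The sample manifest, the policy document, the approved-registry list and the rules themselves are assumptions for this example, not any scanner's ruleset.

```python
"""Added example (not from the original article): one policy run that checks
three layers of a single cloud-native workload: the Kubernetes pod spec
(orchestration), the container image references (supply chain), and the IAM
policy the workload runs with (cloud). SAMPLE_POD and SAMPLE_IAM are constructed
inputs; the rule set and ALLOWED_REGISTRIES are this example's assumptions.
"""
from __future__ import annotations

ALLOWED_REGISTRIES = {"registry.example.com"}  # assumption: your own registry


def parse_image_ref(ref: str) -> tuple[str, str, str | None, str | None]:
    """Split an image reference into (registry, repository, tag, digest)."""
    rest, _, digest = ref.partition("@")
    first, _, remainder = rest.partition("/")
    # The first path component is a registry only if it looks like a host;
    # otherwise the image lives on Docker Hub.
    if remainder and ("." in first or ":" in first or first == "localhost"):
        registry, repo_and_tag = first, remainder
    else:
        registry, repo_and_tag = "docker.io", rest
    repo, sep, tag = repo_and_tag.rpartition(":")
    if not sep or "/" in tag:
        repo, tag = repo_and_tag, ""
    return registry, repo, tag or None, digest or None


def check_image_ref(ref: str) -> list[str]:
    """Supply-chain layer: is the image from an approved source and immutable?"""
    registry, _repo, tag, digest = parse_image_ref(ref)
    findings = []
    if registry not in ALLOWED_REGISTRIES:
        findings.append(f"{ref}: pulled from {registry}, not an approved registry")
    if tag in (None, "latest"):
        findings.append(f"{ref}: mutable tag ({tag or 'none'}); contents can change between scan and deploy")
    if not (digest and digest.startswith("sha256:")):
        findings.append(f"{ref}: not pinned to a digest")
    return findings


def check_pod_spec(pod: dict) -> list[str]:
    """Orchestration layer: host namespaces, privilege and resource limits."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}  # container settings override pod-level ones
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is enabled")
    for c in spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot not enforced; may run as root")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append(f"{name}: Linux capabilities not dropped")
        if not (c.get("resources") or {}).get("limits"):
            findings.append(f"{name}: no resource limits")
    return findings


def check_iam_policy(policy: dict) -> list[str]:
    """Cloud layer: wildcard grants and role-passing in an IAM policy document."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild and "*" in resources:
            findings.append(f"statement {i}: {wild} on all resources")
        if "iam:PassRole" in actions and "*" in resources:
            findings.append(f"statement {i}: iam:PassRole on any role (escalation path)")
    return findings


def check_workload(pod: dict, iam_policy: dict) -> dict[str, list[str]]:
    """Run every layer's check and report them side by side."""
    images = [c["image"] for c in pod["spec"].get("containers", [])]
    return {
        "orchestration": check_pod_spec(pod),
        "supply_chain": [f for img in images for f in check_image_ref(img)],
        "cloud_iam": check_iam_policy(iam_policy),
    }


# Constructed sample: one sloppy container, one hardened one, one over-broad policy.
SAMPLE_POD = {"spec": {"containers": [
    {"name": "api", "image": "docker.io/library/nginx:latest",
     "securityContext": {"privileged": True}},
    {"name": "worker",
     "image": "registry.example.com/payments/worker:1.4.2@sha256:" + "a" * 64,
     "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                         "capabilities": {"drop": ["ALL"]}},
     "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
]}}
SAMPLE_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::payments-exports/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction"], "Resource": "*"},
]}

if __name__ == "__main__":
    for layer, items in check_workload(SAMPLE_POD, SAMPLE_IAM).items():
        print(layer, items)
```

Each layer's check is independent and cheap; what makes the run "layered" is that a clean result on one layer does not excuse the others. The hardened `worker` container passes the orchestration and supply-chain checks, yet the pod still runs with a policy that allows `*` on `*`, which is the finding a Kubernetes-only scanner would miss.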

4. Audit continuously and in real time

Again, periodic auditing or validation of cloud configurations is not enough to ensure you can detect and remediate threats in real time. You should instead deploy tools that monitor all of your configurations continuously and alert you to risks immediately.

5. Automate remediation

Where possible, you should also deploy automated remediation tools that can isolate or mitigate threats instantly, without requiring a human to be "in the loop." Not only does this approach reduce the burden on your IT and security teams, it also lets you remediate threats as quickly and proactively as possible. Scope these automated actions carefully: they should be reversible, limited to findings you understand well, and logged, so that a false positive cannot take down production on its own.
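Practices 4 and 5 fit together as one loop, shown here as an added example that is not from the original article: each tick diffs the live security-group ingress rules against a known-good baseline, alerts on every new exposure, and automatically revokes only the critical ones, leaving protected groups and lower-severity findings to a human. The rule format, the two snapshots, the sensitive-port list and the protected-group list are constructed assumptions; `revoke` stands in for the cloud API call.

```python
"""Added example (not from the original article): one tick of a continuous
audit of security-group style ingress rules, with automatic remediation that is
deliberately scoped. Rules are dicts modelled loosely on cloud security group
ingress rules; BASELINE and CURRENT are constructed snapshots, `revoke` stands
in for the cloud API call, and SENSITIVE_PORTS and PROTECTED_GROUPS are
assumptions for the example.
"""
from __future__ import annotations
import ipaddress

SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}  # admin and database ports (assumption)
PROTECTED_GROUPS = {"sg-bastion"}  # automation may alert but never change these (assumption)


def rule_key(rule: dict) -> tuple:
    return (rule["group"], rule["proto"], rule["from"], rule["to"], rule["cidr"])


def is_world(cidr: str) -> bool:
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0  # 0.0.0.0/0 or ::/0


def classify(rule: dict) -> str:
    """Severity of a single ingress rule on its own."""
    if not is_world(rule["cidr"]):
        return "low"
    if rule["proto"] == "-1" or any(rule["from"] <= p <= rule["to"] for p in SENSITIVE_PORTS):
        return "critical"   # admin/database port open to the internet
    return "high"           # something else open to the internet: alert, a human decides


def diff_rules(baseline: list[dict], current: list[dict]) -> tuple[list[dict], list[dict]]:
    """What was added and what was removed since the last known-good snapshot."""
    b = {rule_key(r): r for r in baseline}
    c = {rule_key(r): r for r in current}
    return [c[k] for k in c.keys() - b.keys()], [b[k] for k in b.keys() - c.keys()]


def audit_and_remediate(baseline, current, revoke, protected=PROTECTED_GROUPS) -> dict:
    """Alert on every newly added exposure; revoke only critical ones, and only in
    groups where automation is allowed to act. Returns the next baseline so each
    change is alerted once and then tracked by a human, not re-alerted forever."""
    added, removed = diff_rules(baseline, current)
    report = {"alerts": [], "remediated": [], "needs_human": [], "removed": removed}
    kept = list(current)
    for rule in sorted(added, key=rule_key):
        sev = classify(rule)
        if sev == "low":
            continue
        alert = {"severity": sev, "rule": rule}
        report["alerts"].append(alert)
        if sev != "critical":
            continue
        if rule["group"] in protected:
            report["needs_human"].append(alert)
            continue
        revoke(rule)  # reversible: the alert records exactly what was removed
        report["remediated"].append(alert)
        kept.remove(rule)
    report["next_baseline"] = kept
    return report


# Constructed snapshots: the baseline is the reviewed state, CURRENT is what the
# next poll of the cloud API returned.
BASELINE = [
    {"group": "sg-web", "proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "proto": "tcp", "from": 5432, "to": 5432, "cidr": "10.0.0.0/16"},
    {"group": "sg-bastion", "proto": "tcp", "from": 22, "to": 22, "cidr": "198.51.100.0/24"},
]
CURRENT = BASELINE + [
    {"group": "sg-db", "proto": "tcp", "from": 5432, "to": 5432, "cidr": "0.0.0.0/0"},
    {"group": "sg-bastion", "proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"},
    {"group": "sg-web", "proto": "tcp", "from": 8080, "to": 8080, "cidr": "0.0.0.0/0"},
    {"group": "sg-web", "proto": "tcp", "from": 8443, "to": 8443, "cidr": "10.0.0.0/8"},
]

if __name__ == "__main__":
    revoked = []
    report = audit_and_remediate(BASELINE, CURRENT, revoked.append)
    for a in report["alerts"]:
        print(a["severity"], a["rule"])
    print("auto-revoked:", revoked)
    print("waiting on a human:", [a["rule"] for a in report["needs_human"]])
```

On the sample snapshots the database port opened to the world is revoked immediately, the same change on the bastion group is held for a person because that group is on the protected list, and the new world-open port 8080 on the web tier is alerted but left alone. Note that the baseline's existing 443 rule never fires: continuous auditing is about what changed, not about re-reporting what was already reviewed.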


