Built in the cloud and for the cloud, cloud-native applications are driving digital transformation and creating new opportunities for organizations to increase efficiency, speed and scalability at a time when they face the disruptive impact of the COVID-19 pandemic and a fast-evolving threat landscape.
The mass adoption of cloud services can be clearly seen in the IDG Cloud Computing Study 2020 report, with 92 percent of organizations surveyed saying their IT environment is now at least somewhat in the cloud – public, private or hybrid.
Each cloud model serves the same purpose, to share computing resources across a network and enable the delivery of cloud-based services. Ultimately, this is helping organizations deliver consumer-grade online experiences that employees have come to expect.
All sounds perfect, right? In many ways, yes, but the benefit of cloud computing is also its main drawback. Users can access cloud environments from anywhere with an internet connection and by the same logic, so can cybercriminals and adversaries.
So, how can organizations keep their IT environments secure while leveraging the full benefits of a cloud-native approach?
The problem with securing the cloud
Taking a cloud-native approach brings both speed and scalability – attributes we can all agree on, even if the term “cloud-native” isn’t set in stone among the IT community.
Essentially, cloud-native technologies are purpose-built for the cloud and leverage its unique capabilities as part of their architecture.
Cloud computing requires security measures from customers and providers alike since they operate under a shared security model. Both the cloud computing provider and the customer have a responsibility to ensure the security within their area of control.
In general, the provider is responsible for security of the cloud – physical access and infrastructure. In turn, the customer is responsible for security in the cloud – their applications, identity management, data and encryption.
The issue is, the architecture for cloud-native applications requires its own unique approach to security in terms of policies and controls at the customer end. But with the rapid adoption of cloud deployments, many organizations rely on outdated strategies intended to protect on-premise hosted networks and associated assets.
Key challenges in securing cloud-native environments revolve around the use of Shadow IT (systems deployed by departments other than the central IT department), added complexities due to “sprawl” caused by organizations adopting and deploying solutions before they have put a comprehensive security strategy in place; and an absence of container runtime protection.
In response, organizations must design and implement a comprehensive security solution to protect against an expanding array of threats and increasingly sophisticated attacks within the cloud environment.
Prevention is better than cure
For cloud-native architectures, focusing on security cannot wait until deployment. Given the radical shift in attacker focus, security must be embedded during development. The best way to achieve this is to implement a “shift left” security strategy.
In its simplest terms, shift left security is moving security to the earliest possible point in the development process. Modern CI/CD is typically a multi-stage process and security teams become involved in the concluding steps of operations and monitoring, when it’s too late.
There are multiple benefits to a shift-left approach, reducing not only cyber risk but also costs. According to The System Sciences Institute at IBM, addressing security issues in the design phase is six times cheaper than during implementation and 15 times cheaper during testing.
It’s essential that during cloud journeys, security teams are given the time and space to plan and embed security processes and tools into the CI/CD pipeline.
CNAPP – a better-together story
Traditionally there’s been a tri-sector approach to cloud security, made up of three different stages: CASB – A Cloud Access Security Broker acting as a checkpoint between the user and an application; CSPM – Cloud Security Posture Management preventing misconfigurations and supporting compliance during the test and build stage; and CWP – Cloud Workload Protection, covering deployment and operation of an application.
However, the integration of these separate products from different vendors (or sometimes even the same vendor) can cause a headache for IT teams as many don’t integrate very well or work together at all. This is also leading to a lack of end-to-end visibility in the cloud, creating blind spots that can be exploited by cybercriminals.
To meet the security challenges of being cloud-native head-on, more organizations are turning to a new cloud security stack, that brings together the best of CSPM and CWP. While not exactly a catchy title, Cloud Native App Protection Platforms (CNAPP for short) are changing the game.
Relatively new to the cloud security market, CNAPP provides the optimal level of protection for cloud infrastructure across the lifecycle, from build time through to run time.
This consolidation is delivering many benefits: it’s easier for skillsets as individuals no longer have to correlate information from different analytics platforms, it reduces human error, provides more context about security threats and reduces spend on multiple cloud security products. Ultimately, this equates to a more secure cloud environment while reducing demands on already overstretched IT teams.
When looking for a CNAPP solution, there are certain criteria to look out for. The first is the full integration of CSPM and CWP into one management console that’s 100 percent cloud-native. The second is that it leverages the power of machine learning (ML), artificial intelligence (AI), indicators of attack (IOAs), and behavioral detections and analytics combined with human threat hunters to give continuous runtime protection. The third is end-to-end visibility from endpoint to cloud, and finally, that the platform delivers the same level of protection for on-premises and serverless containers.
The CNAPP space is an exciting space that’s maturing quickly, with more vendors entering the market with innovative solutions every year, helping organizations to achieve complete security and compliance for cloud-native applications. Watch this space!