GUEST ESSAY: Embracing ‘Zero Trust’ can help cloud-native organizations operate securely

Some 96 percent of organizations — according to the recently released 2021 Cloud Native Survey — are either using or evaluating Kubernetes in their production environment, demonstrating that enthusiasm for cloud native technologies has, in the words of the report’s authors, “crossed the adoption chasm.”

It’s easy to understand why a cloud-native approach elicits such fervor. By using flexible, modular container technologies such as Kubernetes and microservices, development teams are better equipped to streamline and accelerate the application lifecycle, which in turn enables the business to deliver on its ambitious digital transformation initiatives.

However, despite cloud-native’s promise to deliver greater speed and agility, a variety of legitimate security concerns have kept IT leaders from pushing the throttle on their cloud-native agenda.

According to the most recent State of Kubernetes Security report, more than half (55 percent) of respondents reported that they have delayed deploying Kubernetes applications into production due to security concerns (up 11 percent from the year prior) while 94 percent admitted to experiencing a security incident in their Kubernetes or container environment in the past year.

It’s clear that until we can deliver security at the same velocity at which containers are being built and deployed, many of our cloud-native aspirations will remain unfulfilled.

Cloud-native requirements

Traditionally, developers didn’t think much about application security until after deployment. However, as DevOps and modern development practices such as Continuous Integration and Continuous Delivery (CI/CD) have become the norm, we’ve come to appreciate that bolting security on after the fact can be a recipe for future application vulnerabilities.

Security must be ‘baked in’ rather than ‘brushed on’—and this current ethos has given rise to the DevSecOps movement where security plays a leading role in the DevOps process. However, it’s not enough to simply shoehorn these practices into the dynamic cloud-native development lifecycle.

Traditional enterprise network security relies on static firewall rules that can only be updated in maintenance windows after a change approval process. That model cannot support securely developing and deploying applications in an automated way in dynamic cloud environments, where rules and policies are constantly in flux.

For this reason, most cloud environments come with built-in concepts like security groups and container service meshes that provide a way to control how different parts of an application share data with one another. While such methodologies might work well for simple applications, they lose their effectiveness as soon as you make a connection to or from various regions, clouds or technology stacks. For example, there is no interoperability between different cloud vendors’ security groups or different Kubernetes clusters.

Being cloud-native demands an approach that provides control and visibility across the entire application development lifecycle. A modern cloud-native security approach should tick the following three boxes:

• Dynamic: The ability to dynamically express and administer policies for controlling network traffic both to and from a Kubernetes pod should be considered table stakes, especially as software is being deployed across multiple cloud environments.

• Granular: Secure controls must extend to the ‘pod level’ of a container, not just the cluster level. A software-defined approach makes it easier to dispense granular access controls based on pre-defined policies that connect users to authorized functionality rather than simply at the network level.

• Unified: Slicing cloud-native security across multiple point solutions leaves you with a partial view. A unified policy engine should be omnidirectional and able to manage user-to-resource access (for both traditional and cloud-native applications) and resource-to-resource access (in cloud-native development environments).

Cloud-native Zero Trust

A Zero Trust security approach, which applies the principle of least privilege access, assumes there is no clearly defined network perimeter. Because it’s software-defined, policies can be easily applied to systems, applications and users alike.

As one of the original vendors in the Zero Trust access market, Appgate has a long history of success in helping our customers ensure secure access as they migrate more of their applications and workloads to the cloud. To support them as they grow their cloud-native development initiatives, we recently introduced new Kubernetes access control capabilities for our flagship Appgate SDP product.

By deploying Appgate SDP natively inside a Kubernetes cluster as a “sidecar”—a helper application of sorts that runs alongside an application container in a Kubernetes pod—Zero Trust principles can be universally applied throughout the cluster, while providing fine-grained, differentiated access controls on a per-pod basis, thereby delivering greater control over service-to-service access.

This effectively limits the potential attack surface and makes it more difficult for an attacker to escalate privileges in the event of a network compromise.

Organizations gain a single unified policy engine for Zero Trust access that enables them to control user-to-resource access (i.e., for remote user access) and resource-to-resource access (i.e., for containerized workloads) to streamline management and reduce complexity. This allows them to protect all users (remote, onsite and hybrid), all resources (traditional, cloud-native and legacy applications) and all environments (cloud, hybrid, multi-cloud and on-premises) with one solution.

Cloud-native application development brings enormous capacity for innovation and efficiency gains for many organizations. By embedding Zero Trust security principles into the process, we can realize the full potential of cloud-native.

About the essayist: Jawahar Sivasankaran is the President & COO of Appgate, a supplier of secure cybersecurity solutions for people, devices, and systems based on the principles of Zero Trust security.

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/meeting-the-security-challenges-of-cloud-native-with-zero-trust/