Virtualization Technology News and Information
Article
RSS
Risk, Ramifications, and Recommendations: Cybersecurity in the Cloud Native Era

Article Written by Josh Thorngren, VP of Marketing, Twistlock

Twistlock and thousands of other attendees will be discussing a variety of open source and cloud native topics while attending KubeCon + CloudNativeCon EU, May 2-4, 2018 in Copenhagen, Denmark. 

From Domino's to Walmart, companies outside of traditional technology sectors are increasingly staking their future on the ability to deliver software applications faster and more reliably than their competition. DevOps, agile development, digital transformation - these buzzed-about terms are the methodologies upon which this acceleration is built. Underpinning these movements is the rise of continuous delivery, microservices, and other cloud native technologies.

But there's a risky undercurrent to this focus on delivering software faster. Put simply, all the attention has gone to getting applications built and out the door, with very little being put towards ensuring those applications are secure. In the past two years, there's been a significant rise in the number of cyberattacks, data breaches, and hacks, and as more companies adopt DevOps practices and cloud native technologies while maintaining a traditional security approach,this number is only set to increase.

The Barrier to Entry for Hackers has been Lowered

Whereas launching a cyberattack once took significant technical training, resources, and planning, DIY hacking kits are now traded across the dark web. Anyone willing to spend the money can gain all the necessary tools to launch a crippling attack against a target of their choice. What's more,while hackers used to seek ongoing control of a company's systems, or specific information, they now race down the fastest path to cash. Whether that's ransomware that locks corporate users out of their own systems or cryptominers discreetly installed on line of business applications,both are simpler goals to achieve than ongoing command and control.

Add to this the fact that, at least in the United States, less than 10% of top Computer Science programs require students to complete ANY cybersecurity coursework - and it's no wonder that 2017 survey from DevOps automation provider Chef showed that only 15% of companies could redress security gaps or compliance violations within hours - with the remaining 85% of organizations needing days, weeks - or even longer to address known flaws in critical applications.  

It's easy to point fingers at Equifax or Panera - who both went months before making necessary patches - but in doing so a bigger picture is missed. The problem is with cybersecurity writ large. he industry has not seen anything like the full-scale reinvention that IT operations saw with the DevOps movement. As a result, security teams lack the tools or training to keep up with their counterparts in development and operations groups.

With this in mind, it's no wonder that  94% of respondents in a recent survey from analyst firm ESG claimed that technologies such as containers negatively impacted security. While these technologies can actually more secure than the legacy platforms they replace, the traditional approach to security fails entirely when applied in this new world.

It's time for something to change in the way cybersecurity has been practiced. The remainder of this article lays out five principles for cybersecurity in this era of containers, continuous integration and DevOps. By adopting these principles and choosing tools and processes to complement them, companies can not only empower their security teams to keep up with developers, but they can actually begin to deliver more secure software than ever before possible. Let's take a look at those five pillars:

Implement Continuous Security and Increase Visibility

"Shift left" is a very buzzy term these days in security. he concept that by integrating security controls earlier into the application delivery pipeline, an organization can improve it's overall security posture. In itself, that's a powerful recommendation. By addressing vulnerabilities before applications are ever shipped, organizations can significantly reduce risk. But, this concept alone is not sufficient.

The challenge presented in breaches like Equifax is the gulf between security teams who identify a new vulnerability or risk in running applications, and the development teams responsible for remediation. To close this gap, developers need visibility into the risk posture of their applications even after those applications are deployed in production. If a new CVE is identified in a production application, that information needs to quickly (and ideally automatically) shared with developers along with an assessment of the potential risks. By surfacing this information directly to developers, they're able to prioritize security work in line with other business needs and address risks sooner after they arise.

Automate Policy Creation & Enforcement

Developers have tools like Jenkins to automatically build and ship their code. Operations teams leverage Ansible or Puppet to automatically scale out their infrastructure. Yet, security teams are left manually configuring firewall rules and writing application-specific security policy. In a world of continuous deployment, this manual effort simply isn't possible. As a result, many teams shift towards more permissive security policies, increasing their exposure simply to keep up with the speed of software.  

In order to address this, security teams must adopt tools that automatically profile applications to create policy, then automatically enforce those policies. This shifts the responsibility of security teams away from being creators of security models, and into a review/approve mindset that better enables them to keep pace with their development counterparts.

Take a Whitelist-First Approach

With the threat landscape shifting by the minute and the number of risks growing exponentially, traditional blacklist based approaches aren't sufficient for strong security. Modern cybersecurity must use tools like machine learning to automatically profile applications and create models based on expected good behavior -- shifting the security posture from "prevent every known bad action" to "allow only known good actions." This not only provides stronger overall security, but short-circuits the game of catch-up with the bad guys security teams have historically engaged in

Developers Can Help Ensure Applications are "Secure by Design"

Applications are typically developed against a set of business requirements and a set of operational requirements. But it's equally as important for developers to build towards security needs - understanding not just how an application handles data, but also how to code in a way that reduces risk vectors and.  This often involves security teams working directly with development groups to set requirements for each feature. In teams without dedicated security-focused developers, this can be a rotating role,where a member of the team takes ownership of all security features for each sprint or release. This approach helps teams quickly uplevel their overall security knowledge and ensures that building to security requirements is always top of mind.

Defense in Depth

Traditional security tools focused on a single element of the application delivery lifecycle, or a single layer of the stack. You had your network firewall, your application firewall, your active threat protection, your vulnerability management, your source code analysis, and then spent as many cycles integrating them all as you did gaining value from them. Moreover, these tools couldn't learn from each other. What this means for many organizations is that during an attack, they get alerts on individual steps in the attack, but are left to correlate different anomalies together to form a comprehensive picture of the incident and best understand the impact. This approach doesn't scale.

Cloud Native Makes All This Possible

We're proud to work with innovative organizations committed to leveraging containers and cloud native technology throughout their business units. We're proud to be a trusted partner working with talented teams to scale security in ways never thought possible. 

##

About the Author

Josh-Thorngren 

Josh Thorngren is Twistlock's VP of Marketing, where he oversees product messaging and marketing activities. Prior to Twistlock, Josh worked at Puppet, streamlining and scaling the marketing practice there. Josh began his career managing operations for developers - before the world had a better way to describe that combination. Since making the transition to the dark side (marketing), he's spent the past 6 years helping devops-focused organizations better bring their products to market.

Published Thursday, April 12, 2018 7:29 AM by David Marshall
Filed under: , ,
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
top25
Calendar
<April 2018>
SuMoTuWeThFrSa
25262728293031
1234567
891011121314
15161718192021
22232425262728
293012345