10 Ways Cloud-Native Development Changes Cybersecurity

As more organizations transition to cloud-native development patterns, cybersecurity teams are scrambling to keep up. Cloud-native infrastructure, applications and developer workflows fundamentally change how cybersecurity has to be practiced.

These changes offer an opportunity to achieve application security gains that risk advocates have been championing for well over a decade. But the transition to cloud-native security is going to demand new tooling and a different mindset for AppSec and security operations, which will take many cybersecurity professionals out of their comfort zone.

Here are some insights gathered from a range of developers, AppSec experts and cloud-native technologists on how cloud-native cybersecurity differs from traditional approaches.

Everything-as-Code Makes AppSec Paramount

In cloud-native architecture, microservices and API-dominated interactions between components of not just the applications but also the underlying infrastructure mean that everything becomes an AppSec problem, says Scott Piper, principal security researcher for Wiz.

“Traditionally, network security, in part, involved knowing where physical wires were connected. You knew where your connection point to the public internet was because you could physically see where that was,” he says. “In the cloud, a single change in a configuration can result in something being publicly exposed to the internet. No need to connect physical wires somewhere.”

Attack Surfaces Are Bigger

Cloud-native applications, infrastructure and data flows increase complexity for organizations, which consequently introduces a lot more places that attackers can pick apart, says Kristen Bell, director of application security engineering for GuidePoint Security.

“With the increase in microservices and APIs, data flows are more complex. There is more integration between applications and systems,” Bell says. “All of this leads to a larger attack surface and more intricacies to consider from a security perspective. In conjunction with these changes, we have seen an increase in the number of emerging privacy laws requiring the geolocation of data.”

New Architectures Need New Specialized Security Tools

While the traditional AppSec scanning tools like static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA) still remain relevant in cloud-native environments, developers and cybersecurity teams now need a host of new features and niche security products, says Rebecca Deck, principal application security engineer for Avalara.

“In addition to the legacy tools, we have had to add cloud compliance tools, drift control tools, intrusion detection which can monitor cloud workloads and orchestration to bring it all together,” she says, explaining that to keep pace with the rate of change, her team’s modus operandi has been making these security functions as transparent as possible. “Security tools should be transparent—only making themselves known when a security weakness is identified.”

On-Premises Security Tools Could Incur Huge Costs

Deck also warns that though traditional tools still can play a valuable role in cloud-native security, development and security teams have to be careful about how they’re architected and what it will take to run them. If they’re on-premises tools not designed for a cloud-first, containerized model, they could potentially cost a lot to run in these environments.

“The cost of running tools in the cloud that were not purposely designed for the cloud can have significant costs in terms of compute, storage and network traffic,” Deck says. “Many vendors require systems that are extraordinarily expensive to run when the on-premises costs may have been comparatively low. Routing network traffic through choke points is often not feasible due to system latency requirements, which requires drastically different thinking from security teams who may not have significant experience in the cloud.”

Change Is Constant

The dynamic and ephemeral nature of cloud-native infrastructure and development patterns means that change is the only constant.

“In the cloud, things are ephemeral. One minute you might have 10 servers; an hour later, you have 10,000 and an hour after that you have only one,” says Wiz’s Piper. Piper explains that developers are empowered to make these changes on the fly to suit the business mandate for innovation. “You also have the developers’ flexibility to spin these up on their own and try out new services and features. AWS has over 200 services now, and they are just one of a handful of cloud providers.”

This constant state of flux in the environment creates big challenges for security pros, who are tasked with maintaining a consistent security posture, says Juan Orlandini, CTO, North America, Insight Enterprises.

“Because cloud-native environments are dynamically orchestrated, there’s a constant stream of changes associated with scaling up and down, rotating secrets and upgrading software,” he says.

Threat Modeling Becomes Imperative

Given the expanding attack surface and the dynamic conditions of cloud-native environments, threat modeling becomes an increasingly important part of managing software risks, says Orlandini.

“Tooling needs to evolve to support threat modeling as a core component of cloud-native security,” he explains. “This means providing tools for identifying potential vulnerabilities and attack surfaces and automating assessments to identify misconfigurations and other issues.”

Developer-Centric Security Tools Become Crucial

Keeping up with the speed and flexibility of modern development workflows means that manual reviews and hand-offs don’t work so well anymore, says Jeff Talon, director of software delivery for Liberty Mutual. Security work needs to be streamlined into the development workflow, and security teams have to find a way to create developer-centric tooling and processes for reviewing code and maintaining security postures, he says.

“Tooling must seamlessly integrate into the core developer tools—IDE, Git, CI/CD pipelines, avoiding manual handoffs or context switching,” Talon says. “Compliance and security policy evaluation need to be consistent throughout the development process and in the cloud runtimes.”

Security Should Strive for Standardization

The emerging state of cloud-native environments has bred a sort of ‘wild west’ atmosphere that can pose serious challenges for rule-oriented security folk. Security teams can help enable developers by coming up with standards and security-focused guidelines to guide them as they move through the cloud modernization journey.

“It is important that, as this process starts to take shape, application and cloud security concepts are thought through, documented and then used later to create standardization,” says GuidePoint’s Bell. “Examples might include baseline container images, standards for decommissioning legacy applications as they are replaced by cloud-native applications, build and implementation guidelines and baseline standards for pipeline configurations, etc.”

Security-as-Code Helps AppSec Keep up the Cloud-Native Pace

Coming up with those standards can provide the foundation for sustainable cloud-native security if it is paired with another crucial concept: security as code. Automating the enforcement of security requirements in developer-centric tooling through policy-as-code is the ultimate goal for cloud-native security, Talon says.

“Security requirements are automated through the usage of policy-as-code in both the CI/CD pipeline and the cloud runtimes, providing a consistent development experience that ensures security and compliance are met throughout the development,” he says. “With this, developers are getting security feedback much earlier in the process and in a context that allows them to self-correct and keep moving forward.”
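As an added illustration of the policy-as-code gate Talon describes, and of Piper’s earlier point that a single configuration change can expose something to the internet, here is a small CI check that is not from the article or from anyone quoted in it. It assumes the shape of a `terraform show -json` plan (its `resource_changes` entries with `type`, `change.actions` and `change.after`) and evaluates a constructed sample plan with hypothetical resource names; the allowed-port list is a made-up policy choice.

```python
import json

# Constructed sample in the shape of Terraform's plan JSON (hypothetical resource names/values).
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"], "after": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/16"]}]}}},
        {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["update"], "after": {"block_public_acls": False, "block_public_policy": True}}},
        {"address": "aws_instance.old", "type": "aws_instance", "change": {"actions": ["delete"], "after": None}},
    ]
}

ALLOWED_PUBLIC_PORTS = {80, 443}          # policy choice: only web ports may face the internet
ANYWHERE = {"0.0.0.0/0", "::/0"}          # CIDRs that mean "the whole internet"
S3_BLOCK_KEYS = ("block_public_acls", "block_public_policy",
                 "ignore_public_acls", "restrict_public_buckets")


def evaluate(plan):
    """Return (address, reason) findings for every resource the plan would leave exposed."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        if not after or "delete" in change.get("actions", []):
            continue  # deletions and resources with no post-apply state need no check
        if rc["type"] == "aws_security_group":
            for rule in after.get("ingress") or []:
                cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
                if not ANYWHERE.intersection(cidrs):
                    continue  # only reachable from specific ranges; outside this policy's scope
                ports = range(rule["from_port"], rule["to_port"] + 1)
                if rule.get("protocol") == "-1" or any(p not in ALLOWED_PUBLIC_PORTS for p in ports):
                    findings.append((rc["address"], f"ingress {rule['from_port']}-{rule['to_port']} open to the internet"))
        elif rc["type"] == "aws_s3_bucket_public_access_block":
            for key in S3_BLOCK_KEYS:
                if after.get(key) is False:  # an explicit False turns a protection off
                    findings.append((rc["address"], f"{key} disabled"))
    return findings


def gate(plan):
    """CI gate: True means the plan may be applied, False means it must be fixed first."""
    return not evaluate(plan)


if __name__ == "__main__":
    for address, reason in evaluate(json.loads(json.dumps(SAMPLE_PLAN))):
        print(f"DENY {address}: {reason}")
```

Run against a real plan by replacing `SAMPLE_PLAN` with `json.load()` of the `terraform show -json` output in the pipeline step that precedes `terraform apply`.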

Continuous Monitoring Becomes Easier

The best cloud-native security approaches will embrace continuous monitoring, says Orlandini, who explains that this can be a departure from traditional AppSec approaches that are more focused on periodic scans rather than real-time monitoring.

The good news is that the everything-as-code approach to cloud-native infrastructure makes it easier to set up telemetry in places that weren’t possible before—as long as security pros can accept that older network monitoring mechanisms may no longer work for them.

“Some things become more difficult in the cloud for defenders and some things become easier, and you need to take advantage of those,” Piper says. “In the cloud, you can’t rely on network packet monitoring as easily as you could in physical servers, so you have to rely on other concepts, like identity. In the cloud, it becomes much easier to be able to do things like scan a hard-drive snapshot of your servers all at once.”

Ericka Chickowski

An award-winning freelance writer, Ericka Chickowski covers information technology and business innovation. Her perspectives on business and technology have appeared in dozens of trade and consumer magazines, including Entrepreneur, Consumers Digest, Channel Insider, CIO Insight, Dark Reading and InformationWeek. She's made it her specialty to explain in plain English how technology trends affect real people.