The State of Cloud-Native Security

Cloud native is becoming the de facto development method for new applications and workloads. Yet the cloud-native trend also brings accelerated deployment timelines, which can leave security gaps in CI/CD. Studies also find a rise in time to remediate security incidents and uncertainty concerning cloud-native security tooling adoption. The cloud-native trend also brings some interesting nuances for cybersecurity, such as the need to continually scan your catalog for vulnerabilities and validate various cloud-native policies.

Prisma Cloud recently released a helpful study entitled The State of Cloud-Native Security Report 2023. I also met with Ory Segal, CTO of Prisma Cloud, Palo Alto Networks, to review the report and identify some key takeaways. Below, we’ll explore the state of cloud-native security in 2023 and consider some methods to respond to the continually evolving threat landscape.

Analyzing The State of Cloud-Native Security

Shift left tactics for spotting vulnerable code are becoming more of a top priority. The report found risks introduced early in application development to be the number one concern. Other top concerns are areas like workload images with vulnerabilities or malware, vulnerable web applications and APIs, and unrestricted network access between workloads.

The study also found that cloud-native security incidents are becoming more challenging to handle. A full 42% of respondents reported an increase in the mean time to remediate cybersecurity threats and incidents. To respond to the influx of cloud-native cybersecurity vulnerabilities, 81% of enterprises have embedded security professionals in their development and operations teams.

Another trend is that deployment frequency continues to increase across the board. A full 77% now deploy new or updated code to production weekly and 38% commit new code daily. “Deployment models are shrinking, yet security is not something that comes automatically to most people,” explained Segal. Without security forethought for the deployment process, organizations could miss significant CI/CD vulnerabilities, such as those defined in the OWASP Top 10 CI/CD Security Risks.

Overall, the report didn’t expose any surprising findings, said Segal. Instead, it validated many trends he’s witnessed accelerating over the past few years. However, the survey did reveal some immaturities in cloud-native observability practices. For example, one damning finding was that 75% of organizations still don’t enable cloud trail logs on AWS. “This is very baffling to me—I thought with all the public cloud adoption, the basics would be behind us,” Segal said. “How can they expect to perform any investigation if they don’t have that enabled?”

Cloud Migration ≠ Cloud Native

Organizations continue to evolve their cloud infrastructure adoption and move more workloads into the public cloud. The report found that 53% of cloud workloads are hosted on public clouds. Yet interestingly, not all of these workloads are technically cloud-native.

Just 37% of applications are cloud native, meaning they are net new applications built entirely in the cloud. Just over one-third (36%) of cloud migrations are “lift-and-shift,” meaning they were migrated to the cloud as-is with only minor modifications. And 27% were refactored or rebuilt, meaning they were migrated to the cloud with significant modifications.

Cloud native has become the de facto choice for developing new applications. Gartner forecasts that by 2025, over 95% of new digital workloads will be deployed on cloud-native platforms. “As things turn to mass adoption, developing in cloud native is no longer in the domain of early adopters, it’s becoming the norm,” said Segal.

Yet, once the migration to the cloud and cloud-native components is complete, it may be challenging to maintain these environments due to ongoing burnout and turnover in software development teams. In fact, 75% of respondents reported a higher-than-usual turnover rate in DevOps roles.

Mitigations for Securing Cloud-Native Technologies

Currently, most security professionals struggle to make sense of their cloud-native security posture and the data these systems produce. This is partially due to a fragmented security tooling landscape. In fact, 77% of organizations struggle to identify which security tools are necessary to achieve their objectives, and most report that the high number of tools in use creates blind spots. This fragmentation may be a contributing factor to another finding: 90% of organizations cannot detect, contain and resolve cybersecurity threats within an hour.

Plugging this gap may come down to more visibility and centralization of security tools. The majority (78%) of respondents agreed that cloud security needs more out-of-the-box visibility and risk-prioritization filtering with minimal learning curve. And 80% of respondents said they would benefit from a centralized security solution that sits across all of their cloud accounts and services.

Engineers need to measure how secure their code is, and this will require treating security as a first-class citizen, documenting your workflows and encouraging more developer education, said Segal. With these requirements in mind, Segal shared four steps to improving your cloud-native security posture.

Four Steps For Cloud-Native Security

  1. Know your surface area. You can’t secure what you don’t know about. Thus, it helps to audit your surface area to better understand the situation. According to Segal, agentless scanning can help you amalgamate disparate logs and unify knowledge.
  2. Shift left and scan IaC. Segal then recommends scanning infrastructure-as-code (IaC) templates in code repositories to flag things like misconfigurations, permission errors or vulnerabilities. Shifting this left can help realize mistakes earlier on before they reach production. Segal recommended Checkov for scanning cloud infrastructure configurations.
  3. Look at your roles and permissions. Next, up your identity and access management game. This is essential because hackers routinely leverage broken access control to achieve lateral movement. Setting guardrails will also help developers avoid pushing problematic code or misconfiguration.
  4. Use AI to flag behaviors in runtime. There are plenty of use cases for AI to improve cloud-native security efforts. One way is to create a model of typical behaviors and use that to understand the behavior of each container, what they are typically communicating with, and which nodes they connect to. Then, you can automatically enforce rules and send instant alerts when behavior is atypical.
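Steps 2 and 3 above both come down to catching risky configuration before it reaches production. The script below is an added example written for this article, not code from Checkov, Prisma Cloud or Palo Alto Networks: it walks a small, constructed Terraform-JSON document and flags a public bucket ACL, administrative ports open to the world, and wildcard IAM permissions. The resource attribute names follow Terraform's aws_* resources, but the sample document, the check identifiers (EX_S3_1 and so on) and the port list are all made up for illustration.

```python
"""Tiny IaC policy checker (added example; not Checkov or Prisma Cloud code).

Walks a Terraform-JSON style document and reports the kinds of findings an
IaC scan in CI would surface: public storage, world-open admin ports, and
wildcard IAM grants. Resource shapes follow Terraform's aws_* attribute
names; the sample document itself is constructed for this example.
"""
import json
from dataclasses import dataclass

# Constructed sample: one risky and one acceptable resource of each kind.
SAMPLE_TF_JSON = r'''
{
  "resource": {
    "aws_s3_bucket": {
      "public_assets": {"bucket": "example-public-assets", "acl": "public-read"},
      "private_data": {"bucket": "example-private-data", "acl": "private"}
    },
    "aws_security_group": {
      "web": {"ingress": [
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
      "db": {"ingress": [
        {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/16"]}]}
    },
    "aws_iam_policy": {
      "admin_everything": {"policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}]}"},
      "read_one_bucket": {"policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\"],\"Resource\":\"arn:aws:s3:::example-private-data/*\"}]}"}
    }
  }
}
'''


@dataclass(frozen=True)
class Finding:
    check_id: str   # hypothetical identifier, invented for this example
    resource: str   # "<terraform type>.<name>"
    message: str


def check_s3_public_acl(name, attrs):
    """Step 2: flag buckets whose canned ACL exposes objects publicly."""
    if attrs.get("acl") in ("public-read", "public-read-write"):
        return [Finding("EX_S3_1", f"aws_s3_bucket.{name}", f"bucket ACL is {attrs['acl']}")]
    return []


# Ports an attacker would probe first; list chosen for the example only.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 5432: "PostgreSQL", 3306: "MySQL"}


def check_sg_open_admin_ports(name, attrs):
    """Step 2: flag ingress rules that expose admin/database ports to any address."""
    findings = []
    for rule in attrs.get("ingress", []):
        world = "0.0.0.0/0" in rule.get("cidr_blocks", []) or "::/0" in rule.get("ipv6_cidr_blocks", [])
        if not world:
            continue
        lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
        for port, label in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                findings.append(Finding("EX_SG_1", f"aws_security_group.{name}",
                                        f"{label} port {port} open to the world"))
    return findings


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def check_iam_wildcards(name, attrs):
    """Step 3: flag Allow statements that grant wildcard actions (least privilege)."""
    findings = []
    doc = json.loads(attrs.get("policy", "{}"))
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(Finding("EX_IAM_1", f"aws_iam_policy.{name}", "Allow */* grants full admin"))
        elif any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(Finding("EX_IAM_2", f"aws_iam_policy.{name}", "wildcard action in Allow statement"))
    return findings


CHECKS = {
    "aws_s3_bucket": [check_s3_public_acl],
    "aws_security_group": [check_sg_open_admin_ports],
    "aws_iam_policy": [check_iam_wildcards],
}


def scan(tf_json_text):
    """Return every finding for a Terraform-JSON document, sorted for stable CI output."""
    doc = json.loads(tf_json_text)
    findings = []
    for rtype, instances in doc.get("resource", {}).items():
        for name, attrs in instances.items():
            for check in CHECKS.get(rtype, []):
                findings.extend(check(name, attrs))
    return sorted(findings, key=lambda f: (f.resource, f.check_id))


if __name__ == "__main__":
    for f in scan(SAMPLE_TF_JSON):
        print(f"{f.check_id:9} {f.resource:40} {f.message}")
```

Run against the sample it reports three findings (the admin policy, the public bucket and SSH open to the world) and stays silent on the three well-configured resources; wiring `scan()` into a pre-merge check and failing the build on any non-empty result is the "shift left" the list describes. A real scanner such as Checkov ships hundreds of such checks and understands HCL, modules and variables; this one only illustrates the shape of the checks.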

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high-impact blog on API strategy for providers. He loves discovering new trends, interviewing key contributors, and researching new technology. He also gets out into the world to speak occasionally.
