Cloud-Native AppSec: Lessons From the Fortune 100
While cloud-native technologies are relatively new to many businesses, Global 2000 companies have run containers and distributed applications built with microservices on platforms like Kubernetes at scale for over a decade. Although these household-name companies are high-profile targets for attackers, they have avoided devastating security incidents. This is evidence of their holistic security strategies and advanced cloud-native and container security tactics.
Here are a few lessons other businesses can apply to cloud-native application security.
Take a Zero-Trust Approach
First and foremost, these companies have adopted a zero-trust approach. Choosing zero-trust as a foundational pillar is one way Fortune 100 companies keep their environments secure. In a zero-trust model, all access is denied by default, and only the workloads that need to communicate with each other are explicitly allowed to do so. Zero-trust is crucial in securing distributed applications and containers, as it prevents threats from sneaking in while workloads are deployed and maintained. It is nearly impossible to secure these environments without a zero-trust foundation.
The concept of zero-trust has existed for many years, long before it was named or widely adopted. Zero-trust exemplifies the importance of returning to the basics and learning from successful companies rather than chasing after new solutions that often overpromise and underdeliver.
Address Infrastructure and Security Holistically
In addition to a zero-trust approach, companies that have secured their cloud-native environments take a holistic approach to security. Attackers do not always target the most obvious entry points; they can find, and exploit, a vulnerability in any open door or window. Therefore, it is crucial to secure all potential attack vectors, including containers. This requires a comprehensive approach to security rather than focusing on just a few key areas.
Treat Security as Code
Another key lesson from these leading companies is the importance of treating security as code. When security and IT leaders do not treat security as code, they may initially configure controls that secure all of their doors and windows, but once day-to-day operations take over, it is only a matter of time before one of those points of entry pops open through drift or manual change.
With a security-as-code approach, security is programmed in along with the software so that the security controls move wherever the software goes. Incorporating security into the development process and treating it as an integral part of the software makes it much easier to ensure that security controls are consistently applied. This is particularly important in cloud-native environments, where applications and infrastructure constantly evolve and change.
Strip Down Infrastructure and Rebuild It
At Tigera, we work with a customer who completely strips down their entire infrastructure and rebuilds it regularly. They clean their entire stack every three weeks and reinstall through automated scripts. Stripping down their infrastructure flushes out potential threats that may have infiltrated the application or infrastructure. However, doing this on a large scale requires a high degree of automation and underscores the need to treat everything as code. Without treating security as code, the highly advantageous ability to rebuild that stack on an ongoing basis would not be feasible.
Democratizing This Level of Security
Fortune 100 companies have been running cloud-native apps at scale for years; they started long before the current array of cloud-native security solutions was available. These companies had the monetary resources and talent pool to build their own solutions and processes. Now, cloud-native technology adoption has exploded, and smaller teams and companies are using cloud-native solutions for daily operations.
The same level of security the Fortune 100 has achieved should be available to companies across the globe. The next step in cloud-native security solution development should be taking what these leading companies have done, codifying it, packaging it into a repeatable solution and rolling it out as a service so that smaller organizations can use it to secure their environments.
Security Is an Ongoing Process
As the threat landscape changes and evolves, businesses must constantly re-evaluate and adapt their security measures to stay ahead of potential threats. Security is not a one-time effort; it’s an ongoing process that organizations of all sizes must prioritize. By learning from the successes of Fortune 100 companies, businesses can adopt best practices and build a secure foundation for their cloud-native environments.