Five tips for secure cloud native development


All organizations are going through digital transformation in one way or another. Whether they have adopted hybrid working since the start of the pandemic, or are introducing artificial intelligence and machine learning into their workloads, integrating technology into a business is fundamental to survive in today’s world. Cloud native development - a way to build and run responsive, scalable apps anywhere, be it in public, private or hybrid clouds - is forging its place as a huge disruptive wave that many organizations embrace as part of their digital transformation efforts.

About the author

Alex Chalkias, Product Manager for Kubernetes at Canonical.

When looking at the state of cloud native development, there are around 6.5 million cloud native developers worldwide; that’s 1.8 million more than in mid-2019, representing 44% of backend developers according to the Cloud Native Computing Foundation. In addition, 46% of developers use open source Kubernetes in development, which has become the gold standard choice for container orchestration.

Despite all the benefits cloud native architectures can bring, businesses are recognizing the changes they need to make to their security posture to ensure the applications are secure. Nearly 60% of organizations have increased security concerns since adopting cloud native. Because of this, developers are four times more likely to take ownership of security protocols when developing these applications. Kubernetes committers are also improving the security of their containers to help reduce the surface for intrusions such as sandbox escape attacks, in which malicious code running inside a sandbox can be executed outside the container’s environment.

While cloud native development cybersecurity is a complex topic, understanding its qualities is vital to help bolster a company's services and improve its security posture. Professionals need to consider these five crucial aspects when it comes to secure cloud native development:

1. Consider resources carefully

While there are several resources for cloud native developers to create their applications, knowing the right approach is essential to maintain security. It’s critical for developers to consider what content they can rely on, its quality and how long it will serve them well. Importantly, they need to know whether it contains any security exposures or malicious code and if it's actively maintained and patched on time.

Now more than ever, developers must exercise extreme caution and pick resources wisely. Enterprises can help their developers by providing “sane defaults” for choosing software to underpin and support their applications. Sane defaults are default settings selected to ensure an optimal experience that can be reproduced across multiple machines. This is important because developers are then fully supported in their role, working with resources that the enterprise knows can be relied upon.

2. Use secure and stable base images

The software that comes in a container image is largely down to the chosen base image. Base images provide the necessary foundation for the applications to run, including shared libraries like SSL and libc, and enable developers to focus on their applications rather than the entire container. Base images also tend to contain more software than the applications added on top of them, and with more software comes more security liability.

Enterprises should approach the task of picking a secure and stable base image very carefully and consider aspects such as how often it's updated, whether the software ecosystem is large enough to be built on top of, and whether the base image is developer-friendly. These aspects are crucial, as security becomes an afterthought if the base image isn’t created with security in mind.

3. Look into cloud native buildpacks

Borrowing from the previous generation's best Platform as a Service (PaaS) offerings, cloud native buildpacks enable developers to create hardened, optimized, safe containers for code effortlessly.

Kubernetes is the standard for cloud native container orchestration. Still, it leaves a lot of essential aspects of running complex applications to its users, such as handling certificates or selecting and setting up ingresses. What end-users want is a comprehensive, easy-to-use, reliable PaaS with good support for components of different sizes, and this is what buildpacks provide.

4. The importance of patching early and often

Even if software goes into production without known vulnerabilities, it’s likely some will be discovered later down the line. Software must be kept up to date to prevent breaches, and this involves rolling updates out in a timely fashion but in an easy and non-obtrusive way. This is well understood for operating systems and is equally true for containers.

With this in mind, organizations should ensure containers are refreshed with the latest security patches. The same rules should apply to the runtimes and infrastructure underpinning the containers. For example, the kernel must be updated using technologies such as live patching, which reduce unplanned downtime and allow fixes to be rolled out seamlessly in production.

5. Don’t forget about automation

When a vulnerability is identified, the fix needs to be rolled out quickly and reliably, which requires automation throughout the rollout process. Over the last decade, the industry has made great strides in automating how it builds software; however, the continuous delivery of patches is not always up to the same standard. This is due to automation gaps, which have impacted the time it takes to roll out security fixes in applications.

Moving forward, organizations should rely on automation to respond to breaches efficiently and minimize the disruption they can cause. The harder software is to patch, the less frequently patching will happen, but this wouldn’t worry organizations if they adopted automation.

As more organizations turn to cloud native development because of the benefits it can bring to the business, they cannot forget about the importance of minimizing security risks. The consequences of a breach can be wide-reaching, so developers must ensure security is baked in from the beginning of an application’s development and that applications are regularly updated and patched. Although cloud native security is perceived as a complex topic in theory, it doesn’t have to be in practice with these five steps.
