Cloud native security: Reduce risk in the enterprise

Security threats to enterprise systems and data have never been greater. Yet traditional approaches, including those employed by public cloud providers, are simply more of the same—reactive tactics that treat the symptoms of an attack, rather than warding off the root cause. The surging popularity of cloud native applications has challenged conventional wisdom in every conceivable way. Up and down the stack—from infrastructure to application development—there is a sharp contrast between legacy methods and a more modern, cloud native approach, with most reaching a consensus on the patterns and practices that tend to be successful: a DevOps culture, continuous delivery, and a microservices architecture. Why haven’t we reimagined security for the cloud native era? Where are the bold new ideas? That’s the innovation behind cloud native security: a transformative way to reduce risk in the enterprise.

What is cloud native enterprise security?

Effective enterprise security is cloud native security. There are three principles of cloud native security:

Repair vulnerable software as soon as updates are available.

Repave servers and applications from a known good state. Do this often.

Rotate user credentials frequently, so they are only useful for short periods of time.

These are known as the 3 "R's" of security: repair, repave, and rotate.

This new approach to security is sorely needed. To understand why today’s security tradition is broken, just look at the somewhat frightening reality presented in the recent Symantec Internet Threat Report. Here are a few alarming statistics:

A new zero-day vulnerability is discovered each week

Half a billion personal records were stolen or lost

Vulnerabilities were found in three quarters of websites

Spear-phishing campaigns targeting employees increased 55 percent

Ransomware increased 35 percent

Although the volume of threats is growing at an exponential rate, with attacks moving faster and faster, the types of threats that wreak havoc in a data center are relatively simple:


Malware

This is a catch-all term for viruses, trojan horses, worms, spyware, and other programs that have malicious intent.

Advanced persistent threats

These are breaches where an attacker gains access to a network and stays there undetected for a long period of time. The longer the threat stays undetected, the more data is at risk.

Leaked credentials

Credentials control access to information or other resources. No matter how hard an organization tries to lock down employee credentials to critical systems, they always seem to get out into the wild.

Why cloud native enterprise security matters

Data center security is broken

The security tradition in the enterprise today screams slow down. The answer to any request is almost always “no.” Change is resisted at every level because any change is the sign of a potential threat. Contrast this approach to application development and operations. These groups are now working together in new ways (broadly dubbed “DevOps”) to deliver new code faster. Constant, more sophisticated, and ever-evolving threats require security teams to also rethink their approach in the cloud native era.

Threats are evolving faster than ever

Malware and advanced persistent threats are proliferating. Malicious programs can be created and deployed for next to nothing. Hundreds of new threats attempt to penetrate enterprise systems every day. Traditional security measures can’t evolve nearly as quickly. A cloud native approach offers both external perimeter and internal systems protection.

Mitigating credential leakage is possible

The fact is credentials will always be leaked, but systems administrators don’t have to sit idle and let it happen. They can shorten the lifespan of credentials from weeks or months, which give hackers plenty of time to find vulnerabilities, to hours or just 15 minutes. A cloud native security approach helps ensure leaked credentials quickly become worthless.
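
An added example, not from the original page: a sketch of short-lived credentials, assuming an HMAC-signed token format and helper names (`issue`, `verify`, `rotate`) invented here for illustration. It shows a leaked credential being rejected once its 15-minute lifetime has passed or its signing key has been rotated out.

```python
import base64
import hashlib
import hmac
import json

TTL_SECONDS = 15 * 60  # the 15-minute lifespan the text mentions


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _tag(key: bytes, kid: str, payload: str) -> bytes:
    return hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).digest()


def issue(keys: dict, kid: str, subject: str, now: int) -> str:
    """Return 'kid.payload.tag', signed with keys[kid] and expiring after TTL."""
    claims = {"sub": subject, "exp": now + TTL_SECONDS}
    payload = _b64(json.dumps(claims).encode())
    return f"{kid}.{payload}.{_b64(_tag(keys[kid], kid, payload))}"


def verify(keys: dict, token: str, now: int) -> str:
    """Return the subject, or raise ValueError saying why the credential is dead."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    kid, payload, tag = parts
    if kid not in keys:
        raise ValueError("signing key rotated out")
    expected = _b64(_tag(keys[kid], kid, payload))
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims["sub"]


def rotate(keys: dict, new_kid: str, new_key: bytes, keep: int = 2) -> None:
    """Add a signing key and retire the oldest beyond `keep` (dicts keep order)."""
    keys[new_kid] = new_key
    while len(keys) > keep:
        del keys[next(iter(keys))]
```

In real use the signing keys would come from a secrets store and be generated with a CSPRNG; the time is passed in explicitly here so the expiry behaviour can be checked deterministically.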

Enterprises need to conduct a realistic assessment of the security challenges they face and understand why today’s approaches to security are falling short:

Are systems at risk due to the patching we are intentionally not doing?

Vendors continuously release patches and that’s awesome! However, the practical reality is that a typical enterprise has procured thousands of servers over several years. Each one is loaded with different software packages. The effort to patch these systems regularly (let alone quickly) is mind-boggling. So what happens? System administrators are pragmatic. They triage. The truth is that systems go knowingly unpatched. That’s a broken process.

Are organizations, processes, and tooling designed to react to threats, rather than prevent them?

By the time you’ve detected an attack, it’s too late. Further, finding a breach is only the beginning; you still have to fix it.

Are your security vendors only offering incremental improvements?

Big vendors of the cloud native era certainly look different than the dominant providers from a decade ago, but where are the revolutionary vendors in the security area? Enterprise buyers and security vendors are still having the same conversations about the same products that they did in the dot-com era. Now, products might be delivered “as a service,” added into an on-premises private cloud, or served up as a virtual appliance in a public cloud. These are hardly earth-shattering advancements in enterprise IT compared to infrastructure as a service, Agile development, or microservices.

Are you prevented from updating production systems frequently?

Going to production with new software takes months. It’s a painful, arduous journey, and once new bits are online, no one wants to change anything. Why? Because it might break, and that would be bad. Here’s what’s worse: a static environment is fertile ground for attacks. The way production systems are managed today couldn’t be more inviting to attackers—and unfortunately, cyber criminals know it.

All of these points are symptoms of a larger issue—a mindset that believes “going slower reduces risk.” In fact, the opposite is true. The faster systems change, the harder they are to penetrate. That’s the core idea of cloud native security.

Cloud Native Security Versus Traditional Enterprise Security

| Cloud Native Security | Traditional Enterprise Security |
| --- | --- |
| Automated. Threat mitigation occurs when systems can be quickly updated. Automation and the adoption of immutable infrastructure help to eliminate systems with unique (and therefore problematic) security configurations. | Monitored and instrumented. Because organizations believe that a system change is the sign of malware, massive investments are made to detect data center changes. |
| Proactive. Malware thrives on vulnerable software and static, unchanging systems. The priority is to aggressively change the state of systems, eliminating the conditions malware needs to survive. | Reactive. Detecting threats quickly is the priority. Steps to mitigate the threat are then taken once a vulnerability has been identified. |
| Patched via clean-slate redeployment. Patches are applied as soon as they become available. New “golden” images with the latest bits are applied across the data center using automation and immutable infrastructure concepts. | Patched incrementally. Patches are applied incrementally to systems, as each one is approved by internal teams. Patches for operating systems and middleware are triaged then applied. |
| Promoting change. Organizations believe the faster systems change, the harder it is for malware to thrive. | Resisting change. Organizations believe the slower the pace of change, the safer the enterprise will be. |

What to keep in mind if you're addressing threats

The notion of going faster to make your enterprise more secure may be new, but it’s proven. Some of the world’s largest companies, from banks and retailers to telecom providers and automotive manufacturers, today rely on cloud native security that includes several borrowed concepts from cloud native development and operations.

When you consider these three types of threats and their root causes, there is a practical 3 Rs approach to fighting them:

| Threat | Root Cause | Cloud Native Mitigation Approach |
| --- | --- | --- |
| Malware | Feeds on misconfigured and/or unpatched software. It often takes months to deploy patches to operating systems and application stacks, even in a virtualized world. It’s not uncommon for an enterprise to leave a server vulnerable for six months or more. | Repair vulnerable software as soon as updates are available. |
| Advanced persistent threats (APTs) | Requires time to thrive inside a network. APTs thrive in environments that change incrementally. Systems are hardly ever restored to a last-known good state. | Repave servers and applications from a known good state to reduce the amount of time an attack can occur. |
| Leaked credentials | Credentials seldom rotate. So, if an attacker can find some, they are likely to remain valid and useful for a long time. | Rotate the credentials frequently so they are only useful for short periods of time. |
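
An added example, not from the original page: one way to measure a fleet against the repair and repave rows above, by comparing each VM's image and rebuild time with the golden-image release history. The policy windows, image names, VM inventory and the `audit` function are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy windows; the page says only "within hours" and "every few hours".
REPAIR_SLA = timedelta(hours=24)     # max time on an image after a newer one ships
REPAVE_MAX_AGE = timedelta(hours=6)  # max time since a VM was rebuilt from its image

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock
RELEASES = {  # constructed golden-image versions and publish times
    "img-100": NOW - timedelta(days=30),
    "img-101": NOW - timedelta(days=3),
    "img-102": NOW - timedelta(hours=5),
}
VMS = [  # constructed inventory
    {"name": "web-1", "image": "img-102", "rebuilt_at": NOW - timedelta(hours=2)},
    {"name": "web-2", "image": "img-101", "rebuilt_at": NOW - timedelta(hours=4)},
    {"name": "db-1", "image": "img-100", "rebuilt_at": NOW - timedelta(days=20)},
    {"name": "legacy", "image": "img-042", "rebuilt_at": NOW - timedelta(days=90)},
]


def audit(vms, releases, now):
    """Return (vm, rule, overdue) findings, worst first.

    A VM on an image missing from the release history cannot be assessed and
    is reported as "unknown-image" with overdue None, ahead of everything else.
    """
    ordered = sorted(releases, key=releases.get)
    findings = []
    for vm in vms:
        if vm["image"] not in releases:
            findings.append((vm["name"], "unknown-image", None))
            continue
        # Repair: exposure starts when the first image newer than the VM's shipped.
        newer = ordered[ordered.index(vm["image"]) + 1:]
        if newer:
            exposed = now - releases[newer[0]]
            if exposed > REPAIR_SLA:
                findings.append((vm["name"], "repair", exposed - REPAIR_SLA))
        # Repave: anything resident on this VM has had this long to persist.
        age = now - vm["rebuilt_at"]
        if age > REPAVE_MAX_AGE:
            findings.append((vm["name"], "repave", age - REPAVE_MAX_AGE))
    return sorted(findings, key=lambda f: f[2] or timedelta.max, reverse=True)
```

The repair clock starts at the publish time of the first newer image rather than the latest one, so a VM several releases behind is charged for the whole time a fix has been available.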

Cloud native security and VMware Tanzu

Here’s how VMware helps organizations embrace the 3 Rs model:

With VMware Operations Manager, enterprises can repave every virtual machine (VM) in their data center from a known good state every few hours without application downtime. They can deploy applications from a continuous integration tool such as Concourse, and application containers will also be repaved every few hours.

Organizations can repair vulnerable operating systems (OSs) and application stacks consistently within hours of patch availability. This is a twist on operations’ traditional use of the golden image. VMware refers to this as a “stemcell,” and we update the stemcell with the latest OS patches for VMware Tanzu Application Service customers. Administrators then can roll out the new image to their environments. For application stacks, VMware uses buildpacks to ensure the latest use of run-times and frameworks.

Enterprises should be able to easily rotate system credentials every few minutes or hours, a daunting task for today’s enterprises because modern systems can contain dozens of individual credentials. Today VMware customers can use identity management systems with multi-factor authentication to help safeguard systems as we work on automated credential management.

Additionally, VMware helps ensure compliance with industry standards and security requirements:

PCI compliance can improve with VMware Tanzu Application Service. Specifically using the optional IPsec add-on module, teams add security to the network layer of the OSI model with a strongSwan implementation of IPsec. The IPsec add-on provides a strongSwan job to each BOSH-deployed VM. IPsec encrypts IP data flow between hosts, between security gateways, and between security gateways and hosts. The IPsec add-on module secures network traffic within a Cloud Foundry deployment and provides internal system protection if a malicious actor breaches a firewall, further meeting PCI regulations.
Single Sign-On (SSO) is an all-in-one solution for securing access to applications and APIs on VMware Tanzu Application Service. The SSO service provides support for native authentication, federated SSO, and authorization. Operators can configure native authentication and federated SSO, for example SAML, to verify the identities of application users. After authentication, the SSO service uses OAuth 2.0 to secure resources or APIs.
VMware Tanzu Application Service uses a role-based access control (RBAC) system to grant elastic runtime users permissions appropriate to their roles within organizations or spaces.

Customer Stories

A large investment bank routinely eliminates CVEs from their environment with regular stemcell updates from VMware.
An automotive manufacturer used our roles and permissions to segment access across dozens of teams and hundreds of microservices.

Frequently Asked Questions

Why do organizations adopt cloud native security?

Today's security tradition is broken and cloud native security is a new approach to security that is sorely needed. Threats ranging from malware to advanced persistent threats and leaked credentials are imminent, so cloud native security allows teams to rethink their approach to security in the cloud native era.

What is the cloud native security 3 Rs model?

The three principles of cloud native security include repairing vulnerable software as soon as updates are available, repaving servers and applications from a known good state, and rotating user credentials frequently.

Why is cloud native security important?

Cloud native enterprise security is vital because data center security is broken and security teams must rethink their approach in the cloud native era. In addition, threats are evolving faster than ever and credentials will always be leaked as a result, so a cloud native security approach helps ensure leaked credentials quickly become worthless.

What is the main difference between cloud native security and traditional enterprise security?

Cloud native security is proactive in eliminating the conditions malware needs to survive. In contrast, traditional enterprise security is reactive and takes steps to mitigate the threat after it has been identified. In addition, cloud native security promotes change, whereas traditional security resists change since organizations believe the slower the pace of change, the safer the enterprise will be.