Written by Michael Coté and Rita Manachi
A version of this article appears in The New Stack.
Securing cloud native environments can be overwhelming, especially if you're building your own stack from the hot-pot bar of the CNCF landscape. You'll fit each of those projects together, making sure you find and follow all the security to-dos. Then you customize them to behave however you need - after all, that's why you built a custom stack, right? Then, as each of those projects is updated, or you discover new features you need, you tinker with your platform a bit and need to run through those checklists again. All of this while also making sure you're on versions of every project that are verified to work with each other across the hot-pot bar that you've built!
Hopefully we didn't trigger anyone with that scenario. It's just that the cloud native security landscape is complicated and security teams are having a hard time keeping up. Taking on a continuous and integrated security approach can help make this less daunting. As Jürgen Sußner put it in this article:
“Cloud native security is totally different from [sic] traditional enterprise security. Traditionally, security has been a gate someone has to go through on their way to production. Applying this to cloud native would disrupt the continuous delivery and improvement process. Therefore, security has to be part of the pipeline — not just shifted left, but shifted everywhere. Meanwhile, platform engineers need overall visibility of the whole application landscape to see who is affected by what and how to fix it or if it was fixed. That’s why cloud native application protection platforms are gaining importance.”
— Jürgen Sußner
This piece explores the tradeoffs between assembling your own stack and taking on and managing more security risk. Both require an investment of time, money, or both! So which is worth it?
We asked our friend Whitney Lee what "Kubernetes security" means, and she shared this talk that demonstrates how intense and encompassing Kubernetes security is. Little wonder: Kubernetes' scope is huge, looking to standardize not only the infrastructure layer, but also how applications are architected, run, and managed. There are so many seams, connections, and surfaces that need to be secured in Kubernetes that it all becomes a red-string crazy board.
This isn't meant to be FUD; it's just how it is when you build a custom stack. What the crazy board means is that you need to plan for and prioritize security and governance in your platforms across every component within the custom stack. According to the results of this year's State of Cloud Native Platforms survey (formerly State of Kubernetes), people using cloud native platforms get it. This is the fifth year we've done this survey, and it feels like the best one yet.
Putting your money where your priority is
When it comes to priorities, what people spend money on is one of the best ways to see what actually matters to them. In my decades of working in the tech industry, including as an analyst, security has usually been a top-three investment priority. Our own research shows the same thing when we asked, "In your opinion, which of the following types of tools or capabilities are worth investing in paid support or services?"
Security and compliance aren't the only drivers to use an off-the-shelf (or "off-the-cloud"?) platform, but based on the spending habits above, we theorize that it's an important reason.
Who needs continuous compliance?
Our focus this year was on large companies, with 66% of respondents coming from companies of 5,000 or more employees, and 35% from companies with more than 20,000 employees. We also tracked the number of developers in each organization and, of course, industry type. Those demographics are important because they represent organizations operating in highly regulated industries that need to keep up with changing guidelines and regulations.
By volume, these are typically the organizations with the most software, the most software that needs to be modernized, and the most widely used software. This means that any improvement made to those organizations' software will have a huge impact on our daily lives. Think about renewing your driver's license entirely in an app, ordering your groceries online, or just quickly transferring money to friends after a fancy dinner.
An easy place to start
When it comes to improving software, here's one more look at a finding from the survey: the number one use case people were focusing on was deploying and testing applications in the CI/CD pipeline. This is fantastic, since a shockingly low number of organizations have build and test automation in place. Automating your software pipeline not only speeds up release cycles, giving you more opportunities to try out new ideas to improve your apps, but it also gives you more control points for security and governance.
If you want to get a feel for how large organizations are using cloud native app platforms, check out the full survey. You'll get a good sense of the priorities, the struggles, and also the benefits people are getting from cloud native platforms. From what we're seeing in this year's survey, people are focusing on the right things as they look up the stack and concentrate more and more on their platforms.