
Cloud native security:
Safeguarding enterprise data and applications

Today, enterprises rely on digital technologies—especially cloud native infrastructure and applications—to process information for thousands, even millions, of users. The rapidly growing popularity of cloud native application technologies—including DevOps, microservices, continuous integration/continuous delivery (CI/CD), containers, and Kubernetes—combined with the rise of APIs (83% of internet traffic is API-driven) has accelerated the need to integrate cloud native security practices throughout the entire software lifecycle. Critical technologies, including DevSecOps, API security, a software bill of materials, and a secure software supply chain, are necessary to protect applications and data.


What is cloud native security?

With security risks increasing every year, protecting cloud native applications against cyberattacks and other security breaches has never been more important. To ensure cloud native application security, organizations need to protect against infrastructure and platform vulnerabilities and ensure the security of the entire software delivery system including container images, application dependencies, and CI/CD pipelines in addition to the application itself.

How to build secure applications with cloud native security

The following cloud native security concepts are critical for organizations that want to build and operate secure cloud native applications:

  • DevSecOps. Instead of applying security measures to applications after the fact, DevSecOps weaves security into every aspect of the cloud native software development process. DevSecOps embraces “shift left” collaboration that brings security teams into the process from the start.
  • Secure software supply chain. A secure software supply chain provides confidence that your code and its dependencies are trustworthy, compliant, updated, and release ready. It also ensures that regular scans are in place to detect, report, and eliminate vulnerabilities.
  • Software bill of materials. A software bill of materials (SBOM) is a machine-readable inventory of an application's dependencies. When a new vulnerability is disclosed, an SBOM makes it possible to quickly identify which applications include the affected component and need to be updated.
  • API security. As APIs have become essential to modern applications, attacks against them have exploded. API security encompasses the set of strategies and methods necessary to protect APIs from security risks, malicious attacks, and data breaches.
  • Kubernetes security. Kubernetes provides several cloud native security tools—including API security controls, container isolation, and resource limiting—to enforce security within a cluster. It’s also important to define and implement security policies so that only containers from trusted sources can run on your Kubernetes clusters.
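As an added illustration of the SBOM point above (this is example code written for this page, not code from VMware Tanzu or any product it describes), the following Python matches the package URLs in a small CycloneDX-style SBOM against an advisory feed. The SBOM contents, the advisory identifiers (prefixed EXAMPLE-) and the version ranges are all constructed for the example; only the package names are real projects.

```python
import json

# Constructed CycloneDX-style SBOM. Not a real application inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
    {"name": "openssl", "version": "3.0.7", "purl": "pkg:deb/debian/openssl@3.0.7"}
  ]
}
"""

# Constructed advisory feed: versionless purl -> list of
# (advisory id, first vulnerable version, first fixed version).
# The EXAMPLE- identifiers are made up; they are not real advisories.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("EXAMPLE-2021-0001", "2.0.0", "2.15.0")],
    "pkg:npm/lodash": [("EXAMPLE-2020-0002", "0.0.0", "4.17.21")],
    "pkg:pypi/requests": [("EXAMPLE-2023-0003", "2.3.0", "2.31.0")],
}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """'pkg:npm/lodash@4.17.21?arch=x64' -> ('pkg:npm/lodash', '4.17.21'); qualifiers are dropped."""
    base = purl.split("?", 1)[0]
    name, _, version = base.rpartition("@")
    return name, version


def affected_components(sbom_json, advisories):
    """Return (component name, installed version, advisory id, fixed version) for every match.

    A component is affected when first_vulnerable <= installed < first_fixed."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched reliably
        name, version = split_purl(purl)
        installed = parse_version(version)
        for adv_id, first_vuln, fixed in advisories.get(name, []):
            if parse_version(first_vuln) <= installed < parse_version(fixed):
                hits.append((comp["name"], version, adv_id, fixed))
    return hits


if __name__ == "__main__":
    for name, version, adv_id, fixed in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}; upgrade to >= {fixed}")
```

The numeric version comparison matters: a string comparison would rank 2.9.0 above 2.14.1 and miss a vulnerable build. A production scanner would also canonicalize purl qualifiers and handle ecosystem-specific version schemes, which this example leaves out.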



Cloud native security platforms unify the CI/CD lifecycle

Cloud native security platforms help bring together the diverse capabilities necessary for cloud native security. A cloud native security platform should provide visibility into underlying infrastructure and offer modern defense strategies for cloud native applications and workloads throughout the entire CI/CD lifecycle, including:

  • Implement security beyond the data center. In cloud native environments, you must defend an ever-broadening attack surface. Security teams need an adequate level of visibility across workloads, devices, users and networks to detect, protect, and respond to cyber threats.
  • Authenticate and encrypt network and application access. Isolate components with application-level authentication and network access controls to prevent unauthorized access. Validate user identities and grant each identity only the permissions it needs (least privilege). Limit inbound and outbound network traffic, and control how resources communicate with each other and with external endpoints.
  • Mitigate vulnerabilities. Integrate DevSecOps principles, orchestrate supply chain resources (test, build, scan, and deploy) and automatically update components as soon as patches become available.
  • Deter and contain threats. Malicious activity can go undetected for a long time before attackers launch ransomware or surreptitiously exfiltrate sensitive data. Cloud native security must offer both perimeter protection and internal segmentation to contain threats that penetrate your defenses.

Many of these principles are encapsulated in the 4 Cs of cloud native security.




What are the 4 Cs of cloud native security?

The 4 Cs of cloud native security constitute a security model for Kubernetes that provides an organized way of thinking about the sprawling cloud native environment and the division of responsibility between platform engineering, IT, developers, and security teams.

The 4 Cs are: Cloud, Cluster, Container, and Code. VMware Tanzu adds a fifth “C” to the model: Connectivity. We also explicitly recognize the critical importance of Data. Starting with Data and moving through to Code, Container, Cluster, Cloud, and then Connectivity, each layer builds on the layer below it, creating a defense-in-depth strategy that utilizes multiple security mechanisms.

Data

Data security should be at the center of any security conversation. While security is important everywhere, an application or microservice that handles sensitive data like credit card numbers, SSNs, or personally identifiable information (PII) warrants greater attention than one that does not.

Code

At the code layer, your software teams must ensure that the code they create is secure. Secure the code layer by:

  • Scanning for insecure code as part of a secure software supply chain, ensuring that your code and its dependencies are trustworthy, compliant and updated and that regular scans are in place to detect, report, and eliminate vulnerabilities.
  • Securing third-party libraries by creating a software bill of materials to inventory application dependencies, track application changes, and identify and remediate vulnerabilities in an automated, machine-readable list.
  • Encrypting traffic with TLS and limiting access. Encrypt data in transit between services, and grant applications only the minimum permissions they need to operate.
  • Analyzing source code using tools that can audit software and identify code dependencies that may have otherwise been missed. OWASP offers free tools.
  • Verifying signatures, provenance, and attestations before trusting supply chain artifacts.

In recognition of how important the software supply chain is to security, the Open Source Security Foundation (OpenSSF) created Supply-chain Levels for Software Artifacts, or SLSA (pronounced "salsa"), a security framework for safeguarding artifact integrity across any software supply chain. Software producers can use SLSA to protect their builds against tampering and insider threats, and consumers can use SLSA provenance to verify where an artifact came from and how it was built before they trust it. Visit slsa.dev to learn more.
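To make the signature, provenance and attestation checks above concrete, here is an added Python example (written for this page, not code from VMware Tanzu, OpenSSF or the SLSA project) that builds a SLSA provenance v1 statement, wraps it in a DSSE envelope, and then verifies it the way a consumer policy would: signature, subject digest, trusted builder, expected source. Two assumptions are labelled in the code: HMAC-SHA256 with a shared key stands in for the builder's real asymmetric signature (Sigstore/cosign in practice), and the builder id, source URI and artifact bytes are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed key and artifact. In a real pipeline the builder signs with a
# private key and the consumer verifies with the public key; HMAC over the DSSE
# pre-authentication encoding is a stand-in so the example runs offline.
BUILDER_KEY = b"example-builder-key-not-for-production"
ARTIFACT = b"fake release tarball bytes"

# Consumer policy (constructed): who may have built the artifact and from where.
TRUSTED_BUILDERS = {"https://example.invalid/builder/v1"}
EXPECTED_SOURCE = "git+https://example.invalid/acme/app"
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def pae(payload_type, payload):
    """DSSE Pre-Authentication Encoding: 'DSSEv1 <len> <type> <len> <body>'."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def build_provenance(artifact, builder_id, source_uri):
    """An in-toto Statement v1 carrying a SLSA provenance v1 predicate (fields trimmed)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "app.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {"externalParameters": {"source": {"uri": source_uri}}},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def make_envelope(statement, key):
    """Sign the statement into a DSSE envelope (HMAC stands in for the builder signature)."""
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "builder-hmac", "sig": base64.b64encode(sig).decode()}]}


def verify(envelope, artifact, key, trusted_builders, expected_source):
    """Return (ok, reason). The artifact is accepted only if every check passes."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope["signatures"]):
        return False, "signature mismatch"          # payload was altered or signed by someone else
    stmt = json.loads(payload)
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False, "not SLSA provenance"
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s["digest"].get("sha256") == digest for s in stmt["subject"]):
        return False, "artifact digest not in subject"  # provenance is for a different artifact
    builder = stmt["predicate"]["runDetails"]["builder"]["id"]
    if builder not in trusted_builders:
        return False, f"untrusted builder {builder}"
    source = stmt["predicate"]["buildDefinition"]["externalParameters"]["source"]["uri"]
    if source != expected_source:
        return False, f"unexpected source {source}"
    return True, "ok"


if __name__ == "__main__":
    env = make_envelope(build_provenance(ARTIFACT, "https://example.invalid/builder/v1",
                                         EXPECTED_SOURCE), BUILDER_KEY)
    print(verify(env, ARTIFACT, BUILDER_KEY, TRUSTED_BUILDERS, EXPECTED_SOURCE))
    print(verify(env, ARTIFACT + b"tampered", BUILDER_KEY, TRUSTED_BUILDERS, EXPECTED_SOURCE))
```

The order of checks is deliberate: nothing in the statement is trusted until the signature over the whole payload has been verified, and a valid signature alone is not enough, since a correctly signed statement from a builder you do not trust, or for a different source repository, must still be rejected.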

Container

Containers offer a straightforward way to deploy and manage applications, regardless of the target environment. Cloud native security integrates security into the entire container lifecycle, from build to deployment to runtime. Secure the container layer by:

  • Scanning container base images regularly for known vulnerabilities.
  • Building images using signed, verified images from trusted sources or a trusted container registry.
  • Isolating containers with network policies and/or a service mesh.

Cluster

The cluster layer is where you secure workloads running on Kubernetes. There are two main areas of concern:

  • Kubernetes cluster components that are configurable
    • Encrypt all API server communications with TLS.
    • Authenticate all API clients; do not allow anonymous access or shared credentials.
    • Enable role-based access control (RBAC) for API authorization, granting each principal only the verbs and resources it needs.
    • Encrypt Secrets at rest in etcd, and restrict network access to etcd to the API server.
  • Containerized applications running in a Kubernetes cluster
    • Scope each workload's service account with RBAC to the minimum API access it needs.
    • Manage application secrets through Kubernetes Secrets or an external secrets manager, never baked into images.
    • Set resource requests and limits so that quality of service (QoS) is defined and one workload cannot starve the others.
    • Apply network policies so that pods accept and initiate only the traffic they need.
    • Enforce the Pod Security Standards (baseline or restricted) on every namespace.
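The Pod Security Standards point above is easiest to see as a checklist run against a manifest. The following Python is an added example written for this page (not code from Kubernetes, Antrea or VMware Tanzu): it audits a pod against the checks of the "restricted" profile (host namespaces, hostPath, privileged, allowPrivilegeEscalation, runAsNonRoot, capabilities, seccomp) and, as an assumption of the example that is not part of PSS, also requires CPU and memory limits for the QoS point. Both pod manifests are constructed.

```python
import json

# Constructed pod manifests in the JSON form kubectl would submit; neither is from a real cluster.
WEAK_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-weak"},
 "spec": {"hostNetwork": true,
          "containers": [{"name": "web", "image": "nginx:1.25",
                          "securityContext": {"privileged": true}}]}}
""")

HARDENED_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-hardened"},
 "spec": {"securityContext": {"runAsNonRoot": true,
                              "seccompProfile": {"type": "RuntimeDefault"}},
          "containers": [{"name": "web", "image": "nginx:1.25",
                          "securityContext": {"allowPrivilegeEscalation": false,
                                              "capabilities": {"drop": ["ALL"]}},
                          "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}
""")


def audit_pod(pod):
    """Return a list of findings; an empty list means the pod passes every check here.

    Pod-level securityContext values apply to a container unless the container
    overrides them, which is how Kubernetes itself resolves them."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    findings = []
    if any(spec.get(flag) for flag in ("hostNetwork", "hostPID", "hostIPC")):
        findings.append("pod: host namespaces must not be shared")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')}: hostPath is not allowed")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") is not False:   # must be set explicitly
            findings.append(f"{name}: allowPrivilegeEscalation must be set to false")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}: capabilities must drop ALL")
        extra = [cap for cap in (caps.get("add") or []) if cap != "NET_BIND_SERVICE"]
        if extra:
            findings.append(f"{name}: only NET_BIND_SERVICE may be added, found {extra}")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile must be RuntimeDefault or Localhost")
        # Not a PSS rule: an assumption of this example covering the QoS point above.
        limits = (c.get("resources") or {}).get("limits") or {}
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"{name}: cpu and memory limits are required")
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

In a cluster the same checks are enforced by the Pod Security Admission controller via namespace labels; a script like this is useful earlier, in CI, so a manifest that would be rejected never reaches the deploy stage.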

Antrea is a Kubernetes-native project that implements the Container Network Interface (CNI) and Kubernetes NetworkPolicy, providing network connectivity and security for workloads running in Kubernetes pods. To find out more, visit antrea.io.
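NetworkPolicy semantics trip people up: a pod that no policy selects accepts everything, a selected pod with no matching rule accepts nothing, and a podSelector in a from entry only matches pods in the policy's own namespace. The following Python is an added example written for this page (not code from Antrea, Kubernetes or VMware Tanzu) that evaluates an ingress flow against a set of policies using those rules, for both the Container-layer isolation bullet and the cluster-layer network policy bullet above. Namespaces, pods and policies are constructed; matchExpressions, ipBlock peers and named ports are out of scope.

```python
# Constructed namespaces, pods and policies; none come from a real cluster.
NAMESPACE_LABELS = {"prod": {"env": "prod"}, "dev": {"env": "dev"}}

PROD_API = {"name": "api", "namespace": "prod", "labels": {"app": "api"}}
PROD_DB = {"name": "db", "namespace": "prod", "labels": {"app": "db"}}
DEV_API = {"name": "api", "namespace": "dev", "labels": {"app": "api"}}

POLICIES = [
    # Isolates every pod in prod for ingress; with no rules, nothing is allowed in.
    {"metadata": {"name": "default-deny-ingress", "namespace": "prod"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    # Re-opens exactly one path: prod api pods -> db on TCP/5432.
    {"metadata": {"name": "allow-api-to-db", "namespace": "prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "db"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                           "ports": [{"protocol": "TCP", "port": 5432}]}]}},
]


def selector_matches(selector, labels):
    """matchLabels only; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in (selector.get("matchLabels") or {}).items())


def policy_types(spec):
    """Kubernetes default: Ingress is always implied; Egress only when egress rules exist."""
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])


def peer_matches(peer, src, policy_ns, ns_labels):
    """One 'from' entry. podSelector alone is scoped to the policy's namespace;
    podSelector and namespaceSelector in the same entry are ANDed."""
    has_pod, has_ns = "podSelector" in peer, "namespaceSelector" in peer
    if not (has_pod or has_ns):
        return False  # ipBlock-only peers are not handled in this example
    if has_ns and not selector_matches(peer["namespaceSelector"],
                                       ns_labels.get(src["namespace"], {})):
        return False
    if has_pod and not selector_matches(peer["podSelector"], src["labels"]):
        return False
    if has_pod and not has_ns and src["namespace"] != policy_ns:
        return False
    return True


def port_matches(ports, port, protocol):
    """Empty 'ports' means any port; an entry without 'port' matches all ports of that protocol."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port", port) == port for p in ports)


def ingress_allowed(policies, src, dst, port, protocol="TCP", ns_labels=NAMESPACE_LABELS):
    """Decide whether src may open a connection to dst on port/protocol under these policies."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in policy_types(p["spec"])
                 and selector_matches(p["spec"].get("podSelector") or {}, dst["labels"])]
    if not selecting:
        return True  # dst is not isolated for ingress: Kubernetes default is allow-all
    for p in selecting:  # policies are additive: any matching rule in any policy allows the flow
        for rule in p["spec"].get("ingress") or []:
            src_ok = not rule.get("from") or any(
                peer_matches(peer, src, p["metadata"]["namespace"], ns_labels)
                for peer in rule["from"])
            if src_ok and port_matches(rule.get("ports"), port, protocol):
                return True
    return False


if __name__ == "__main__":
    print(ingress_allowed(POLICIES, PROD_API, PROD_DB, 5432))  # True
    print(ingress_allowed(POLICIES, DEV_API, PROD_DB, 5432))   # False: wrong namespace
    print(ingress_allowed(POLICIES, PROD_API, PROD_DB, 22))    # False: port not opened
```

The default-deny policy is what makes the allow rule meaningful: without it, the db pod would still accept connections from any pod on any port, because an unselected pod is never isolated.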

Cloud

Kubernetes can run in a public or private cloud, but cloud security practices vary from one environment to the next. If the base cloud layer is vulnerable or misconfigured, you won’t be able to ensure the security of the applications built on top of it. Secure the cloud layer by:

  • Following your cloud service provider's (CSP's) guidelines for user and permission management on its APIs and services.
  • Securing network access to the infrastructure: do not expose the API server or the nodes to the internet, use valid TLS certificates on every control plane endpoint, and encrypt all storage at rest, including the volumes that hold etcd.
  • Keeping software up-to-date by automating upgrades and patches.

Connectivity

The State of Kubernetes 2023 report shows that organizations that run Kubernetes are adopting a multi-cloud operating model with operations in multiple public clouds as well as on-premises. This makes secure connectivity across clusters, datacenters, and clouds that much more critical.

  • Manual configuration of physical network connections between clouds can be complex and error-prone.
  • Virtual networking that is automated, policy-based, and offers software-defined networking overlays and microsegmentation capabilities can simplify connectivity and deliver self-service networking for developers and application owners.


Cloud Native Application Protection Platform (CNAPP)

The Cloud Native Application Protection Platform is a new category of cloud security tooling that encompasses many of the capabilities necessary to implement the 5 Cs of cloud native security—Code, Container, Cluster, Cloud, and Connectivity—as described above as well as runtime protection.

Implementing a CNAPP can reduce the complexity of your cloud native security environment and simplify operations.




Threats to enterprise cloud application security

Mounting risks posed by ransomware attacks, phishing, container and supply chain vulnerabilities, and the rapid increase in the number of APIs are among the greatest threats to enterprise cloud native security. The most recent Global Incident Response Threat Report for 2022 found that:

  • More than half (57%) of respondents experienced a ransomware attack in 2022. And at least 25% of all ransomware attacks included double-extortion.
  • Zero-day exploits were encountered by 62% of respondents. Gartner predicts that by 2025, attacks on software supply chains will triple, affecting 45% of organizations worldwide.
  • Exploits of container vulnerabilities, such as unhardened images pulled from third-party registries, were encountered by 75% of respondents.
  • Almost a quarter (23%) of all attacks in 2022 compromised API security.



The 3 Rs of secure cloud native operations

In addition to the processes and tools described as part of the 4 Cs (or 5 Cs + D), there are three essential operational principles for achieving cloud native security and protecting against cyber threats. These principles will facilitate a significant improvement in the overall security posture of your organization—even if you’ve already deployed a CNAPP.

Rotate

No matter how hard an organization tries to lock down credentials to critical systems, such as passwords, API tokens, or encryption keys, some will leak or be misused, potentially exposing sensitive information. Rotating credentials automatically every hour, or even every few minutes, limits how long a leaked credential remains useful and starves an attack of the access it needs to spread. Never embed credentials or API keys in code or commit them to GitHub or other repositories; inject them at runtime from a secrets manager instead.
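As an added example of what "rotate every few minutes" looks like in code (written for this page, not code from VMware Tanzu), the Python below issues short-lived HMAC-signed service tokens from a keyring that rotates its signing key on a schedule and purges retired keys after a retention window. Tokens name their key by kid, so after rotation old tokens keep working only until their key is purged, regardless of the expiry stamped into them. The key material is generated at runtime and the injectable clock is an assumption of the example so it can be driven deterministically.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


def b64u(raw):
    return base64.urlsafe_b64encode(raw).decode()


def unb64u(text):
    return base64.urlsafe_b64decode(text)


class RotatingKeyring:
    """Issues short-lived service tokens and rotates the key that signs them.

    The current key is replaced once it is `rotate_every` seconds old; retired
    keys remain valid for verification for `retention` seconds and are then
    purged. A leaked key, and every token it signed, therefore stops working
    within a bounded window. `now` is injectable so the clock can be controlled."""

    def __init__(self, rotate_every=300, retention=600, now=time.time):
        self.rotate_every, self.retention, self.now = rotate_every, retention, now
        self.keys = {}        # kid -> (32 random bytes, created_at)
        self.current = None
        self._serial = 0
        self.rotate()

    def rotate(self):
        """Mint a fresh key, make it current, and drop keys older than the retention window."""
        t = self.now()
        self._serial += 1
        kid = f"k{self._serial}"
        self.keys[kid] = (secrets.token_bytes(32), t)
        self.current = kid
        self.keys = {k: v for k, v in self.keys.items() if t - v[1] <= self.retention}
        return kid

    def issue(self, subject, ttl=300):
        """Return 'kid.body.sig', rotating first if the current key is due."""
        if self.now() - self.keys[self.current][1] >= self.rotate_every:
            self.rotate()
        kid = self.current
        body = json.dumps({"sub": subject, "exp": self.now() + ttl}, sort_keys=True).encode()
        sig = hmac.new(self.keys[kid][0], kid.encode() + b"." + body, hashlib.sha256).digest()
        return ".".join(b64u(part) for part in (kid.encode(), body, sig))

    def verify(self, token):
        """Return the subject, or None if the token is malformed, forged, expired or signed
        by a key that has been purged."""
        try:
            kid_raw, body, sig = (unb64u(part) for part in token.split("."))
        except (ValueError, binascii.Error):
            return None
        kid = kid_raw.decode(errors="replace")
        entry = self.keys.get(kid)
        if entry is None:
            return None                      # key rotated out: token is dead even if unexpired
        expected = hmac.new(entry[0], kid.encode() + b"." + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None                      # body or signature tampered with
        claims = json.loads(body)
        if claims.get("exp", 0) < self.now():
            return None
        return claims.get("sub")


if __name__ == "__main__":
    ring = RotatingKeyring(rotate_every=60, retention=120)
    token = ring.issue("billing-service", ttl=60)
    print(ring.verify(token))   # billing-service
```

Two windows bound the damage here: the token TTL bounds how long a stolen token works, and the key retention bounds how long a stolen signing key works. Keeping the previous key for a short retention period is what allows rotation without a hard cutover that would reject every in-flight token at once.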

Repave

Persistent threats, in which an attacker gains access to a network and stays there undetected for a long period of time, can be particularly destructive. They thrive in environments that change incrementally. If VMs and containers are not rebuilt frequently to a known good state, they become vulnerable to this type of attack. Repaving servers and applications from a verified source reduces the amount of time available for an attack to occur.

Repair

Unpatched and/or out-of-date systems are a major security risk, yet too many organizations run old versions of software because they’re either afraid of upgrading, don’t know how to upgrade, or think it will require too much downtime. Repairing vulnerable systems and application stacks as soon as patches are released reduces risk with minimal downtime and disruption. A CI/CD pipeline can be constructed to automatically receive and validate software updates.



Cloud native application security vs traditional application security

Cloud native concepts speed up the software development process, but also introduce new security challenges. Security teams must evolve from traditional approaches to security to address the constant onslaught of sophisticated and ever-evolving cyber threats. Cloud native security methods and technologies automate security management and compliance.

Cloud native security compared with traditional enterprise security:

  • Cloud native: Automated. Threats are mitigated because systems can be updated quickly. Automation and immutable infrastructure eliminate systems with unique (and therefore hard to reason about) security configurations.
    Traditional: Monitored and instrumented. Because an unexpected system change is treated as a sign of compromise, heavy investment goes into detecting changes in the data center.
  • Cloud native: Proactive. Malware thrives on vulnerable software and static, unchanging systems, so the priority is to aggressively change the state of systems and remove the conditions malware needs to survive.
    Traditional: Reactive. Detecting threats quickly is the priority; steps to mitigate a threat are taken once a vulnerability has been identified.
  • Cloud native: Patched via clean-slate redeployment. Patches are applied as soon as they become available. New “golden” images with the latest bits are rolled out across the data center using automation and immutable infrastructure.
    Traditional: Patched incrementally. Patches are applied system by system as each one is approved by internal teams; operating system and middleware patches are triaged and then applied.
  • Cloud native: Secure software supply chain. Regularly scheduled scans find vulnerabilities in source repositories and container registries and validate the provenance of third-party images and libraries.
    Traditional: Inconsistent manual processes. Traditional security methods can miss malicious code and threats lurking in applications and dependencies.


Cloud native security with VMware Tanzu

VMware Tanzu products and services provide the expertise, advice, and tools you need to deliver no-compromise cloud native security.

Tanzu Platform includes the capabilities you need to jumpstart your cloud native efforts, boost developer velocity, and accelerate the path to production while increasing security and embracing DevSecOps. It also provides a simplified, consistent approach to container deployment, scaling, security, and management with tools, automation, and data-driven insights.

Tanzu Labs can help your teams build the skills they need to succeed with cloud native and modern development methods while increasing the security of your operations. Our experts can help you get better results from any and all stages of the application lifecycle from governance to development to maintenance.