We all know that infrastructures at most organizations are now oriented around the cloud, and that the cloud has introduced major changes to the way applications are designed, built, deployed and monitored.
But what security experts may not realize is how significantly the cloud changes the security game. While you surely recognize that the cloud creates new security challenges (such as the inability in many cases to control exactly where data in the cloud is stored, or the loss of physical access to the infrastructure that hosts workloads), you may not fully appreciate how much the cloud fundamentally upends IT security.
But the fact is that it does. The shift to the cloud necessitates a wholly new approach to security: one that is “cloud-native,” and designed for the inherent challenges of the cloud.
What Is Cloud-Native?
To understand what this means, let me first explain how I define the cloud and cloud native technologies.
When I talk about the cloud and the cloud-native concept, I’m referring to any type of technology that is designed first and foremost for deployment in the cloud. This includes, most obviously, cloud-based services like virtual server instances and cloud storage. But it also includes technologies like containers, which are an obvious solution for deploying applications in the cloud, even though it’s also possible to deploy containers outside of cloud environments. Serverless is another example: although serverless has become famous thanks to cloud-based services like AWS Lambda, it’s possible to do serverless on-premises using a framework like OpenFaaS.
As virtually all workloads move to the cloud, these cloud-native technologies are rapidly becoming the go-to solutions for deploying applications. They are replacing old-generation technologies, such as on-premises virtual servers.
As that happens, we’re entering into a world where our infrastructures, applications and management processes are becoming cloud-native. Even if you don’t run every single one of your workloads in the cloud, your infrastructure and deployment strategies now very likely have become cloud-centric.
What the Cloud-Native Revolution Means for Security
On an individual basis, the technologies that fall into the cloud-native category might not necessitate a paradigm shift in the way we manage security. You can adjust your security strategy to accommodate cloud-based virtual machines without overhauling your security tool set or processes, for example.
But taken as a whole, the shift toward cloud-native computing means that old security playbooks need to be rewritten. To thrive in a cloud-native world, organizations must orient their security strategies around the following:
- Automation. Without automated security tools and processes, it’s impractical to manage the fast-changing, rapidly scaling nature of the cloud.
- Multi-layered visibility. Cloud-native environments don’t usually consist of a single layer. You might be running containers inside virtual machines that are in turn hosted on a bare-metal private cloud infrastructure. Or you might deploy multiple microservices, each of which needs to be monitored separately in order to maintain performance and security. This is why, in a cloud-native world, a singular approach to achieving visibility doesn’t work. Your security strategy needs to support monitoring of all the layers of your environment and infrastructure, regardless of where they exist.
- Thinking beyond the firewall. In the days before the cloud-native revolution, you could neatly hide your applications and services behind a firewall. That approach rarely works in cloud-native environments, where information typically needs to be routed over public networks in order to make applications accessible, and where network configurations change constantly.
- Forward-compatibility. In a cloud-native world, it’s hard to know which technologies are coming next. You might be deploying your applications in containers today, but decide to move some services to serverless functions going forward. You want a security strategy and tool set that can accommodate any type of deployment technology you choose to embrace.
- Behavioral risk management. In complex environments, it often makes the most sense to focus on controlling how applications behave, rather than attempting to keep them secure by controlling which resources they access or who can connect to them. For example, by creating whitelists that define what an application should be allowed to do, security teams can prevent unacceptable behavior and easily recognize anomalies.
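To make the last point concrete, here is an added example (not code from the article) of the behavioral allowlist idea: a policy that states which processes a workload may run, which destinations it may connect to and which paths it may write, evaluated against a handful of runtime events. The policy format, the workload name, the addresses and the event records are all constructed for illustration rather than taken from any particular product or sensor. Because the policy describes expected behavior rather than known-bad behavior, anything outside it is flagged without needing a signature, which is what makes anomalies easy to recognize.

```python
"""Behavioral allowlist check for a containerized workload (added example)."""
from dataclasses import dataclass, field
import fnmatch
import ipaddress


@dataclass
class BehaviorPolicy:
    """Allowlist of what one workload is expected to do; the format is invented for this example."""
    name: str
    allowed_processes: set = field(default_factory=set)
    allowed_egress: list = field(default_factory=list)   # (CIDR, port) pairs
    allowed_write_globs: list = field(default_factory=list)

    def process_ok(self, exe: str) -> bool:
        return exe in self.allowed_processes

    def egress_ok(self, dst_ip: str, dst_port: int) -> bool:
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in ipaddress.ip_network(cidr) and port == dst_port
                   for cidr, port in self.allowed_egress)

    def write_ok(self, path: str) -> bool:
        return any(fnmatch.fnmatch(path, pattern) for pattern in self.allowed_write_globs)


def evaluate(policy: BehaviorPolicy, events: list) -> list:
    """Return one finding per event that falls outside the allowlist.

    Anything not explicitly allowed is an anomaly: the policy says what the
    workload should do, so unexpected behavior is flagged without a signature.
    """
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "exec" and not policy.process_ok(ev["exe"]):
            findings.append({"workload": policy.name, "event": ev,
                             "reason": "process not in allowlist"})
        elif kind == "connect" and not policy.egress_ok(ev["dst_ip"], ev["dst_port"]):
            findings.append({"workload": policy.name, "event": ev,
                             "reason": "egress destination not in allowlist"})
        elif kind == "write" and not policy.write_ok(ev["path"]):
            findings.append({"workload": policy.name, "event": ev,
                             "reason": "write path not in allowlist"})
    return findings


# Constructed policy for a hypothetical web API container (all values invented).
WEB_API_POLICY = BehaviorPolicy(
    name="web-api",
    allowed_processes={"/usr/local/bin/gunicorn", "/usr/local/bin/python3"},
    allowed_egress=[("10.0.2.0/24", 5432), ("10.0.3.0/24", 6379)],
    allowed_write_globs=["/tmp/*", "/var/log/app/*"],
)

# Constructed runtime events, in the rough shape a container runtime sensor might emit.
# The first three are expected behavior; the last three fall outside the policy.
SAMPLE_EVENTS = [
    {"type": "exec", "exe": "/usr/local/bin/gunicorn"},
    {"type": "connect", "dst_ip": "10.0.2.15", "dst_port": 5432},
    {"type": "write", "path": "/var/log/app/access.log"},
    {"type": "exec", "exe": "/bin/sh"},
    {"type": "connect", "dst_ip": "203.0.113.9", "dst_port": 443},
    {"type": "write", "path": "/etc/crontab"},
]

if __name__ == "__main__":
    for finding in evaluate(WEB_API_POLICY, SAMPLE_EVENTS):
        print(f"[{finding['workload']}] {finding['reason']}: {finding['event']}")
```

The same evaluation can back either an alerting pipeline (emit the findings) or an enforcement hook (deny the event), which is why one allowlist serves both the prevention and the anomaly-recognition goals described above. Keeping the policy per workload also fits the multi-layered picture: a container, the VM it runs on and a serverless function can each carry their own allowlist in the same shape.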
These are the strategies that enable effective security and risk management in a cloud-native world. If you’re still relying on the security practices that worked in an earlier age, you’re unlikely to be able to keep pace with the demands of a world that is increasingly built upon cloud-native technologies.