Securing cloud-native apps can be overwhelming; the expansion of services combined with the need for agile delivery leaves seemingly little room for proper security procedures. Enter the cloud native security platform; one dashboard for total security visibility, allowing you to spend less time on chasing down false positive alerts, and more time building.
In their Cloudsec session, Mick McCluney, tech lead for Trend Micro Australia, and Kelly Griffin, AWS solutions architect, discuss 5 essential security components to review. This article will cover the basics of each component and why a cloud native security platform is instrumental in the review process.
5 key components to review
To ensure secure apps are developed and deployed, McCluney and Griffin recommend implementing review processes for the following:
- Cloud posture and compliance
- Vulnerability visibility and management
- Container security
- Template scanning
- Securing your code
Before delving into each of these components, let’s review why each one is key, and understand how the state of the industry has shaped these key security components.
4 cloud native development trends
McCluney and Griffin point to 4 emerging cloud native trends as indicators of the 5 key security focuses:
Containerization and container sprawl
Griffin pointed out that years ago, containerization was started by developers just playing around with different storage methods. Years later, cloud-native apps are running and breathing on containers.
Why the rise in popularity? Thanks to their portability across platforms and small size, it is ideal for modern DevOps, serverless, or microservices application architects that are built in small chunks for better efficiency.
Infrastructure as code (IaC)
Like containers IaC isn’t anything new, but it’s becoming the go-to method for deploying app environments.
Considered one of the most important DevOps practices, IaC provides real benefits for developers who need to build quickly and securely in the cloud; they can now deliver multiple test environments reliably and on-demand in any type of cloud workload or architecture.
If you’re running serverless or containerized applications, IaC accelerates the release cycle, freeing you from mundane, repetitive tasks, and reduces potential misconfigurations due to human error.
Microservices
Say good-bye to monolithic apps and hello to a microservices architecture. Whereas a monolithic app is a single, unified unit, the microservices architecture breaks down the app into independent components.
For teams building in the cloud, microservices allows developers to work on their assigned components using the programming language and tools of their choice. This flexibility increases agility, reduces time to market, and accelerates your CI/CD pipeline.
It also simplifies app changes or fixes. With microservices, you only have to make changes to the applicable component, compared to a monolithic app, which requires you to implement the change across the entire app. Sounds time-consuming, right?
Serverless
The move to the cloud has also led to the adoption of serverless computing. Just as the name suggests, you no longer need to rely on physical servers to host your apps. Now, you can rely on third-party services like AWS Lambda to manage the physical hardware, virtual machine operating system, etc., while you worry about managing your code.
How to review the 5 key cloud security components
Okay, now that we’ve discussed the why, let’s return to the 5 key components to review for secure apps.
Cloud posture and compliance
Ah, compliance, the necessary evil. Without compliance, you’re at risk for a breach. And without proper cybersecurity policies, controls, and standards, you’re at risk of breaking compliance.
The rules and regulations that can haunt SecOps teams are there to double, triple, quadruple check you’re actually building apps that can keep troves of data secure.
However, meeting compliance requirements isn’t just a task for security teams. Developers also play a part. As cloud builders, leveraging the AWS Well-Architected Framework or similar guides ensures you’re meeting compliance standards.
As Griffin explained, you wouldn’t just apply your deodorant on Monday and expect it to last the week; the same concept applies to meeting and maintaining compliance. Compliance and cloud posture management isn’t a one-time ordeal. As technology progresses, and compliance follows suit, your app security must evolve and adapt.
How can you achieve continual compliance? According to Griffin: a CSPM security tool that provides comprehensive visibility and quick observability.
A cloud native security platform provides a dashboard for visibility across your entire, fast-changing environment and at-a-glance insight into your alignment to frameworks and compliance standards.
With enhanced vulnerability visibility, security teams can identify areas of improvement for developers before it’s too late.
Vulnerability visibility and management
You’ll notice that visibility is a common theme here. And for good reason. Vulnerabilities aren’t going anywhere—Apache Log4j (Log4Shell) is proof of that. Griffin speculated there are more than 50,000 vulnerabilities in the CVE database with a critical or high-severity rating. But you can’t stop what you don’t see, hence the importance of visibility.
Griffin notes that visibility into your open source code is paramount to vulnerability management. Is your code trusted? To answer that, you need a full understanding of its dependencies and libraries.
Okay, maybe you don’t need to know that information like the back of your hand, but you do need a cloud native security platform that can run the necessary scans to give your code the greenlight.
By greenlight we mean you should scan code before it’s deployed, so your workloads are essentially born secure. This practice is part of starting left, which enables secure and quick app development.
Access and credential management is also important. If they’re leaked out in the code you’ve written, which is then exposed to a public repo, you’ve exposed opened your entire environment to vulnerabilities.
Griffin said he often hears the line: “That’s just my dev account,” in response to access management. Whether it’s your dev account or not, it’s still a public account within a cloud platform, and therefore requires the same security boundaries.
Back to the important of visibility. You have too many accounts to keep track of manually, but a cloud native security platform can provide visibility into everything in one dashboard. From there, you can manage access to active and dormant accounts (just because it’s closed to you, doesn’t mean it’s closed to vulnerabilities).
To summarize, to be able to stop vulnerabilities, you need to see them. And to be able to see them, you need to see every entrance point like open source code, keys, containers, and accounts. And to be able to see every entrance point, you need a unified platform that consolidates all that information into one dashboard for quick observability.
Container security
As containers become more popular, container sprawl is an emerging security concern. Defined as “the tendency to run up an unnecessary number of containers,” container sprawl has critical security implications. The more containers you spin up, the harder it is to keep track of efficiency issues.
Container sprawl isn’t the only security issue; using insecure images, running with the privileged flag, and unrestricted communication are chief among others. Also, keep in mind that even if a container was deemed secure yesterday, that could quickly change by tomorrow.
The need for comprehensive visibility within a platform strikes again. Being able to see all your containers from one place can help wrangle in the ones gone rogue and limit sprawl. Moreover, it can drastically reduce misconfigurations (the #1 cause of data breaches). The danger of misconfigurations mean you must have security practices in place to ensure you’re properly configuring container images, secrets, runtime privileges, and networks policies to name a few.
You can avoid misconfigurations by running automated scans across all your containers to validate images before they land and check for any overly permissive or open containers.
By leveraging a platform with runtime application self-protection (RASP) capabilities, the platform can learn the expected behaviors (i.e., network communication) of the containers, before they’re set to live. This ensures that when the containers are switched to live, any changes in learned behavior will be detected or blocked and security teams will be immediately notified.
IaC Template Scanning
IaC is being widely adopted because it supports the agile practices of modern app development. However, Griffin noted that securing IaC is “one of the most overlooked areas for security management.”
This is largely due to the notion that after you’ve established a secure template, it’s going to stay that way and you can deploy at will. However, if you’ve changed the template to public—let’s say for internal security testing—and you forget to close it, the next time you deploy it, the vulnerability is wide open.
Secure secret storage is critical; if you accidentally publicize your IaC, application tokens necessary for authentication, Secure Shell (SSH) keys, and passwords are now exposed and ready for the taking. If you’re storing secrets in source code management (SCM) systems or plain text files, this makes it even easier for bots that scrap public SCM sites to quickly exploit them and compromise the infrastructure.
Also, tracking and traceability can be challenging the more widely used the template is across multiple teams. That’s why scanning templates before deployment is critical. And having visibility via a platform can ensure all your templates’ code meets compliance requirements and is configured properly.
Securing your code
We’ve mentioned code quite a bit already, so it might seem like overkill to go through it again. Key word: seem. Securing your code is so important, we will never stop saying it. And with 80% of code being open source, it needs to be screamed from the mountaintops with a megaphone.
Think of your code as the ingredients for a tasty beef stew. If you use expired meat, you’re most likely going to get food poisoning. Similarly, if you use unchecked open source code, your app is most likely at risk for an attack.
Thus, it’s important to always check the expiry date of your meat—or in this case, the dependencies and libraries of your open source code. Many open source projects have other open source dependencies, which may also have their own dependencies, which may also… You get the picture. This never-ending chain of dependencies may introduce new and undetected vulnerabilities into your workloads.
Also, open source code libraries typically require manual updating, which is understandably hard to track and manage, especially considering the sheer number of components embedded in your app.
To make open source code management easier, an automated platform is key. By automating open source code scans (starting before code is committed), vulnerabilities can be surfaced and monitored quickly, allowing security teams to proactively mitigate potential risks before the app is exploited. In the best case scenario, scanning the code at the start, prevents vulnerabilities from ever reaching the production environment.
Next steps
A cloud native security platform is essential to covering these 5 security components. If you’re interested in learning more about Trend Micro Cloud One™, our cloud-native security platform composed of 7 services, you can check out our extensive documentation. You can also start a free, 30-day trial and see how our security services platform can review the 5 security components using turnkey, customizable APIs, automation, and more.