An Essential Guide to Cloud Native Security: Part 1

Part 1 of 3: What is Cloud Native?

What Is Cloud Native?

Cloud native applications are designed and built on the cloud. At a higher level, “cloud native” is a fundamentally new approach to application design and deployment that leverages native cloud capabilities (e.g., auto-scaling, continuous deployment, and auto-management). It is an open source approach that leverages IaaS capabilities (e.g., AWS, Microsoft Azure, and Google Cloud) to create new tools and services that are more responsive in the age of the customer. From a developer’s perspective, cloud native means shipping fast and often – without sacrificing reliability. From an operations perspective, cloud native means automatic management and massive economic gains in resource consumption.

Cloud native applications are typically built using a microservices or container-based approach running on Linux. These applications are designed to be lightweight, flexible and focused on single tasks. Ultimately, they’re like smaller building blocks that are pieced together to achieve speed, scalability and efficiency savings that you simply can’t get with a traditional monolithic architecture.

Put simply, Cloud Native Is

  • Microservice centric: A cloud-native application today must be built on microservices. Traditional monolithic applications do not support continuous deployment, continuous update and auto-scaling, which are some of the core benefits of the cloud.
  • Portable: Being cloud-native means that your applications should not be tied to a specific cloud platform. In a cloud-native environment, interactions between the application components are done via standard service APIs. Operations tasks such as deployment, monitoring, and workload management are all conducted via either open source or common functions that can run across different clouds.
  • Automatically managed: Common workload management tasks such as deployment, update, monitoring, and scaling are all done automatically. Manual tasks, including manual security analysis or configuration, are the exception rather than the rule.

And Cloud Native is NOT

  • Replicating your on-premises setup in an IaaS cloud: Don’t think just because you migrated parts of your application environment to run in some EC2 instances, you are cloud native.
  • Packaging your monolithic applications with APIs: Adding APIs to your monolithic applications does not make them cloud native. You must re-architect your applications to be distributed, service driven, and on-demand. This also applies to data and workload management services.

Understanding the Cloud Native Landscape

What does the cloud native landscape look like today?

According to Gartner: “By 2018, more than 50% of new workloads will be deployed into containers in at least one stage of the application lifecycle.” More than 90 percent of the Fortune 500 companies today are already running Linux. While the cloud native approach is a very recent phenomenon, change is happening rapidly – and it’s disrupting industries.

The current cloud native landscape is dominated by three major trends:

  • Simplifying and automating existing IaaS capabilities: this means integrating workloads on AWS, Microsoft Azure, and Google Cloud platforms to only run when required.
  • Moving to a microservices architecture: one of the ways to understand microservices is to look at companies like Google, Netflix, eBay, and Twitter, who are early adopters of this model. Microservices deconstruct a single application and break it down into smaller functional components. This greatly reduces overhead, while fundamentally changing the way applications are developed, deployed, and managed.
  • Developing event-driven computing: Event-driven computing, also known as serverless, allows you to run code without provisioning servers first. It provides easy management of computing resources and a much-needed productivity boost because it decouples software development from server administration. Services like AWS Lambda, Azure Functions, and Google Cloud Functions enable this transition.

The Benefits of a Cloud Native Architecture

At this point, the business benefits of the cloud native approach are fairly clear: a cloud native architecture enables speed, business efficiency, nearly limitless computing power, and a level of scalability and efficiency gains that can’t otherwise be achieved with the traditional on-premises IT model, or by simply migrating the “old way of doing IT” to a public cloud vendor like AWS. It not only requires a fundamental shift in the way applications are designed and deployed, but also engenders far-reaching impact on team and organization culture and fundamentally changes the way your business responds to the shifting demands of the marketplace.

Organizations that embrace a cloud native architecture have seen increased elasticity and a better ability to support continuous deployment. Elasticity and continuous deployment are among the most critical capabilities in the cloud native era because they enable limitless scalability and business agility.

But There’s a Catch: Cloud Native Security

Cloud native is a fundamentally new and exciting approach to designing and building applications. This, however, also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. Similarly, there is currently no solution focused on protecting the entire Linux stack – despite the fact that most microservices applications run on Linux. Also, conducting security operations and making security decisions at the “service” level is unfamiliar territory for the security industry.

This means that traditional security assumptions, such as the presence of an agent, a network perimeter, and end-to-end visibility, may not be valid anymore. Many of the security capabilities that we have learned to depend upon, such as server instrumentation, may also be ill-suited to the cloud-native environment.

Being cloud-native leads to a radically different approach to application development, deployment, and infrastructure management. The same is true for security — a reimagining of security must take place for cloud-native applications, or we risk cannibalizing the benefits of cloud computing.

Stay tuned for Part 2 of this three part blog series covering the fundamental security considerations for cloud native environments.

Dr. Chenxi Wang is OWASP Vice Chair as well as founder and general partner of Rain Capital. Dr. Wang is also on Capsule8’s Advisory Board.