How to Secure the Cloud
We are now in a technology revolution. It is hard to see, in the same way the workings of a factory are hard to see unless you are on the inside. But like many industries, the IT factory is undergoing a radical transformation. The software factory floor is no longer the exclusive domain of skilled workers. Robots and automation have taken over manual tasks. Data centres and computing equipment are now virtual. Welcome to the Cloud.
There is a disconnect between the speed of change driven by the Cloud revolution and the pace of improvements to our cyber security. Traditional security tools and processes are largely focused on preventing unauthorised access to data and systems. Identity and access management, firewalls, VPNs, server room locks, certificates and keys are primarily designed to keep hackers out. Much of the software and gear used to protect the physical data centre has now transformed into virtual appliances on the Cloud, but simply repurposing physical gear into a virtual appliance only solves an old problem. It does not solve the new security vulnerabilities and problems introduced by Cloud Native technology.
Traditionally, developers would design and develop an entire business application at once with software systems built as monolithic applications. This approach gave way to service-oriented architectures, which helped to reduce the many problems with legacy apps. Today the evolution has proceeded further to microservice-oriented software architecture, and this approach to designing software is now well-matched with the recent technologies we group together under the term “Cloud Native.”
Software architecture and design is going through a revolution to take advantage of the benefits offered by Cloud Native. Business applications are split out into interconnected services, assembled from components that provide simple solutions to simple problems at a micro level. These microservices are architected for rapid change and deployment, not as an entire mission critical system, but as a single micro component. Modern Cloud Native applications are designed for rapid change and deployment of a swarm of microservices. There are significant benefits gained from this new approach to software delivery, but Cloud Native also requires a change in approach to cyber security.
Shift Left with Zero-Trust
Protecting the perimeter is not enough. The basic problem is the time it would take to security test the entire Cloud Native application and its virtual infrastructure with every update to one of the many microservices. Cloud Native software is designed to be updated continuously, with hundreds of updates to the app every day. Taking time to re-test the entire app with every deployment of a change to one of its services would significantly reduce the benefit of rapid and continuous change that is at the heart of the Cloud Native revolution. To secure the cloud, we need to secure each microservice independently. Every computing appliance must protect itself and not depend on perimeter defences alone. This is what we call zero-trust.
Security cannot be left to a test phase of the integrated application at the end of the development pipeline. Each service must be designed and tested independently for compliance to zero-trust. The security of Cloud Native microservices shifts to the far left of the secure software development lifecycle. The potential security threats to the service are modelled and mitigated during design, the code is scanned for vulnerabilities at every check-in, the microservice is interrogated for security at every build. And to do this at speed, with a high volume of changes, the modern software factory requires testing to be fully automated and visible to an overall DevSecOps control system.
Building complex, modern, microservice and API connected systems that provide an exceptional user experience and are resilient to security breaches, can only be done if security considerations are brought front and centre from inception. The shift-left also requires developers to be trained in their new role of ensuring that security is built into each and every service, every time it is deployed.
Any software development business serious about developing secure Cloud Native apps will require a security framework to help them train their engineers and build the software factory automation required. This is new territory for most engineering teams.
The security framework must set the standards and policies that the engineering team will work to in establishing their DevSecOps approach. A solid security framework will provide the following:
- Toolkit: The security processes and tooling built into the Cloud Native app design, build and operate processes
- Training: Required training on the security policies, regulation, process and tools for engineering teams
- Code: Code libraries and microservices for secure features to be re-used or verified-as-secure open source
- Compliance: Clear information security policies, standards and regulatory requirements. Includes delivery audits to ensure engineering teams follow the best practices of the security framework
Training to ensure a thorough and robust understanding of how the security framework supports Cloud Native application security is a priority. A programmer needs to know more than just how to write elegant, functional code; they need to be trained in how to write secure code. Training in company security policy that ensures engineers understand the company’s security standards and priorities is essential, as is a compliance function to ensure that the standards of the framework are adhered to.
A security framework enables the entire DevSecOps team to work in harmony across the disparate processes and services managed by the team.
The rapid adoption of Cloud Native apps and infrastructure present significant security challenges to engineering teams. There is no room for a trial and error approach where vulnerabilities are discovered and fixed over time. Zero-trust must be designed in from the start. A security framework that combines DevSecOps automation and tooling, information security policies, and a comprehensive security training program hugely mitigates the risk of security breaches. All companies embarked on the exciting journey into Cloud Native must have such a framework in place to pin down the cloud and make it secure.