Reimagining cloud-native security for developers and platform owners
Even with ‘traditional’ configuration of resources in the cloud - and Kubernetes becomes a more extreme example of this – what is crystal clear is that security cannot stay outside of the development and DevOps teams."
“Most people that move to the cloud and start adopting cloud-native architectures do so with multiple goals in mind. Top of the list tends to be a desire to innovate at a faster pace and flexibly scale. For CISOs and security teams this quickly evolves into ‘how do I have visibility into what risks I have in the cloud?’ ‘What do I have in the cloud in the first place?”
Sysdig CEO Suresh Vasudeven, speaking with The Stack, noted that for security leaders this rapidly also becomes a question of ‘how do I balance the risk of operating in the cloud without slowing down innovation; without inundating developers and DevOps teams with security demands?’ Automation and tool consolidation, he emphasised, are key…
Saxo Bank’s Chief Cloud Architect Jinhong Brejnholt – detailing the investment bank’s cloud journey to a heavily “Kubernetified” landscape that includes Kubernetes clusters running in Azure and on-premises – added during a recent event hosted by The Stack that the bank’s shift to cloud-native and containerised applications had sped up delivery models and offered “stronger isolation for each individual workloads.”
She added in conversation with Suresh that this had come with challenges around security management and workflow auditing that had been addressed in part using tools like Sysdig Secure.
"Running the platform and dealing with security exceptions is actually now the platform engineers’ work.”
This was a common trend, added Sysdig’s CEO in the June event.
“Even with ‘traditional’ configuration of resources in the cloud… if you’re running EC2 machines or VMs in the cloud, and you're worried about how to deal with vulnerabilities on your hosts – and Kubernetes becomes a more extreme example of this – what is crystal clear is that security cannot stay outside of the development and DevOps teams. You really want to build best practices and secure development from end-to-end, meaning all the way through to monitoring production workloads,” he said.
“I'm seeing security teams increasingly made up of security engineers that come from a DevOps background and are embedded as part of the application teams,” he added. These teams need to think about developer experience and avoid introducing excessive friction to their workflows.
See also: Novel cloud attack pivoted from K8s to Lambda, pulled IAM keys from Terraform
Saxo Bank’s Brejnholt agreed: “We outline to our DevOps engineers and our platform engineers that our customers are developers. Our job is to serve them and make sure that they have the best toolings, in the best environment, to deliver the value where our customer needs. What we do to support them, she added, is “offer platforms and internal tooling: For example, we harden all the base images, so they don't need to think about which image they should choose with the least vulnerabilities or with the lightest weight. We also provide tools from Sysdig which can scan their images, validate their code – and give runtime visibility too.”
With the emergence of heterogeneous blends of on-premises applications (“traditional” and containerised) and public cloud, organisations are being forced to reimagine vulnerability management, Sysdig’s Vasudevan added.
“How do I reimagine configuration posture management? How do I make sure that my entitlements are appropriate? No matter how much energy you spend on prevention, there will always be zero day vulnerabilities, there will always be insider threats and so on,” he added.
“Complementing threat prevention with detection and response empowered by runtime visibility that lets you understand an anomaly is taking place in your clusters; to detect it and respond to it in real time is an important complement to some of what we talked about as well.”