How to Secure Cloud-Native Applications
Running applications in the cloud brings many advantages like scale, ease of management, and lower costs. However, all of these benefits are moot if the applications you run in the cloud are not secure. Security is the first concern for cloud-native applications. At Contino, we have a security-first perspective for all work that we do, which puts security as step zero for every process we put in place.
Moving from DevOps to DevSecOps
Security is the first concern of organizations; thus, it can’t be an afterthought for DevOps teams. To bring this idea into focus, the concept of ‘DevSecOps’ aims to put security first and responsibly build and deploy software at every step of the app development journey. It starts by assessing the structure of a team or organization, and putting in place processes that reflect that structure. Breaking silos between teams, and ensuring everyone is responsible for security, is the first step. If applications are built by development teams with security in mind, Ops can deploy them faster and with peace of mind, knowing that Dev understands how important reliability and security are.
Further, processes need to be in place to automatically enforce security checks. When auditing software, system logs to show who changed something, what they changed, and when it happened are invaluable. Tools like Fluentd are designed especially to log distributed applications and ingest logs from multiple sources. These logs can be analyzed with specialized log analysis tools like Sumo Logic or even the open source ELK stack, but you need to ensure you’re capturing logs end-to-end.
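A small review of the kind of audit trail the paragraph describes, as an added example that is not code from the original article or from Fluentd: the records are constructed JSON lines in the shape a Fluentd JSON parser would forward, and the field names (seq, ts, actor, action, target, source) are assumptions. It answers the three questions (who, what, when), flags changes made outside the pipeline or outside an agreed change window, and checks the sequence numbers so a gap in end-to-end capture shows up as a finding rather than silently disappearing.

```python
"""Review a structured audit trail: who changed what, when, and from where,
plus a completeness check so silent gaps in ingestion don't go unnoticed.

Added example, not from the article. The records below are constructed
JSON lines in the shape a Fluentd JSON parser would forward; the field
names (seq, ts, actor, action, target, source) are assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed sample: note seq 3 is missing and seq 4 is a manual, late-night delete.
SAMPLE_LOG = """\
{"seq": 1, "ts": "2024-01-08T09:15:00Z", "actor": "alice", "action": "update", "target": "deploy/api", "source": "ci"}
{"seq": 2, "ts": "2024-01-08T09:20:10Z", "actor": "ci-bot", "action": "update", "target": "deploy/api", "source": "ci"}
{"seq": 4, "ts": "2024-01-08T23:41:07Z", "actor": "bob", "action": "delete", "target": "secret/db-creds", "source": "kubectl"}
{"seq": 5, "ts": "2024-01-09T10:02:33Z", "actor": "alice", "action": "read", "target": "deploy/api", "source": "kubectl"}
"""

CHANGE_ACTIONS = {"create", "update", "delete"}


def parse_audit_log(text):
    """One dict per line; malformed lines are reported by line number, not dropped."""
    events, bad_lines = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(event)
        except (ValueError, KeyError):
            bad_lines.append(n)
    return events, bad_lines


def missing_sequences(events):
    """Sequence numbers absent between the first and last seen: evidence of lost log lines."""
    seen = {e["seq"] for e in events}
    if not seen:
        return []
    return [s for s in range(min(seen), max(seen) + 1) if s not in seen]


def review_changes(events, allowed_sources=("ci",), change_window=(8, 18)):
    """Flag changes made outside the pipeline or outside the change window (UTC hours)."""
    findings = []
    for e in events:
        if e["action"] not in CHANGE_ACTIONS:
            continue
        reasons = []
        if e["source"] not in allowed_sources:
            reasons.append(f"change made via {e['source']}, not the pipeline")
        if not change_window[0] <= e["ts"].hour < change_window[1]:
            reasons.append("outside change window")
        if reasons:
            findings.append({"seq": e["seq"], "actor": e["actor"],
                             "target": e["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    events, bad = parse_audit_log(SAMPLE_LOG)
    print("unparseable lines:", bad)
    print("missing sequence numbers:", missing_sequences(events))
    for f in review_changes(events):
        print(f"seq {f['seq']}: {f['actor']} changed {f['target']}: {', '.join(f['reasons'])}")
```

On the sample, the missing sequence number 3 is reported alongside the out-of-band delete of `secret/db-creds`; in practice the sequence field would come from the emitting system or the collector, and the allowed sources and change window would be whatever your pipeline and change policy define.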
The best way to stay secure is to ensure your systems are always running the latest versions of software. Security patches should be quick and automated—and not take months to complete. Similarly, when designing APIs and new features, it should be done with an eye on future releases so you don’t end up with technical debt and are unable to patch your system for fear of breaking something.
As you build cloud-native apps, there isn’t one single security tool that can secure your applications. You need to adopt a multi-pronged approach to secure your application infrastructure in the cloud. You need to employ various tactics to secure your containers. And finally, you need to adopt the DevSecOps approach to put security where it rightly belongs in your list of priorities—right up top.
In order to ensure comprehensive cybersecurity at scale, in the enterprise, we focus on five DevSecOps pillars:
- Secure and Compliant Deployment Pipelines - Analyze DevSecOps and Cloud Native Development tooling, pipeline integrations and how compliance and auditing fit into the pipelines.
- Secure and Compliant Cloud Platforms - Review of identity and access management, detective controls, infrastructure protection, data protection and incident response.
- Compliance as Code - Create a compliance as code framework to ensure governance, compliance and all risk mitigation concerns are addressed in the software development process.
- Secrets Management - Manage secrets, keys and certificates in a cloud native way across a hybrid cloud operating model.
- Container Security - How containers fit into the security strategy, how security threats are associated with containers, and review container operating models and controls.
The pillars are vertical focus areas that allow us to ensure that enterprise-grade security is applied consistently and completely and is auditable for compliance. Additionally, we spread “horizontal governance” across all pillars in order to provide a cross-cutting view of each pillar’s implementation. These governance models are applied to each pillar and ensure that the pillars are working in a complementary and symbiotic manner.
- Safe Delivery: Ensure the security, compliance and safe delivery of a given Application Platform and the supporting Cloud Infrastructure
- Security Models: Create a security posture and threat model to support wide scale customer adoption
- Information Protection: Ensure the protection of customer data from internal employees as well as external actors
- Risk Analysis: Provide a Gap Analysis of an application’s current architecture, container strategy, and cloud infrastructure
- Technology Roadmap: Build an ordered, tactical execution backlog wherein the delivery of engineering outcomes drives a 3-6 month roadmap and strategic implementation plan
Additionally, there are robust solutions for cloud applications available today that help you add the crucial element of security to your cloud deployments. Let’s take a look at the most important ones.
Security tools from cloud vendors
Cloud computing operates on a shared responsibility model. This means that the cloud vendor is responsible for the security of their cloud platform, but you, as a customer, are responsible for the security of your data in their cloud platform. To this end, cloud vendors like AWS provide security tools like Identity and Access Management (IAM), which allow you to configure access and permissions for the resources in your AWS account, or even across multiple AWS accounts within your organization. Having security policies in place that can be scaled across your organization goes a long way in securing cloud-native applications.
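A least-privilege check over IAM policy documents, as an added example that is not code from the original article or from AWS: both policy documents are constructed, the bucket name is an assumption, and the checks (wildcard actions, unscoped resources without a condition, `NotAction`) are a starting point rather than a substitute for a full policy review. The point is that a policy you can scale across accounts is only valuable if it is also scoped, and that is something a pipeline can test before the policy is applied.

```python
"""Least-privilege review of IAM policy documents: flag Allow statements that
grant wildcard actions or unscoped resources.

Added example, not from the article or AWS. Both policies are constructed and
the bucket name is an assumption; the checks are deliberately simple.
"""
import json

# Constructed: the classic "just make it work" policy.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: the same workload, scoped to the actions and prefix it needs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/uploads/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-app-bucket",
            "Condition": {"StringLike": {"s3:prefix": ["uploads/*"]}},
        },
    ],
})


def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def policy_findings(policy_json):
    """Return (statement index, reason) pairs for over-broad Allow statements."""
    doc = json.loads(policy_json)
    findings = []
    for idx, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        if "NotAction" in st:
            findings.append((idx, "NotAction allows every action not listed"))
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, f"wildcard action '{action}'"))
        resources = _as_list(st.get("Resource", []))
        if "*" in resources and "Condition" not in st:
            findings.append((idx, "Resource '*' with no Condition"))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, policy_findings(policy) or "no findings")
```

Run as a pipeline step against policy files before they are applied, a non-empty result can fail the build; the scoped policy passes because every statement names specific actions and either a specific resource or a condition that narrows the wildcard.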
Additionally, to secure your data at rest, you can leverage an encryption solution like Key Management Service (KMS). It lets you secure the data stored in AWS using access keys. These access keys are shared with other users or applications to allow them to access the data. The best part is that these access keys can be used to secure data at any level—whole databases, individual tables, rows, or even individual objects. By using keys at different levels, you can set different access levels for each type of user. For example, you can give some users the access key to an entire table, but encrypt just a single column that contains sensitive information. This further enhances permissions over and above what IAM provides.
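The table-versus-column separation the paragraph describes, as an added example that is not code from the original article or from AWS: `KeyService` is a local stand-in for KMS (it holds a master key and hands out data keys together with their wrapped copies), and the `seal`/`unseal` pair is an HMAC-SHA256 keystream plus HMAC tag standing in for an authenticated cipher such as AES-GCM. The row contents are constructed. A caller holding only the table key gets the row back with the sensitive column still encrypted; a caller who can also unwrap the column key gets the full row.

```python
"""Column-level envelope encryption: a table key for the row, a separate key for
one sensitive column, so holders of the table key alone cannot read it.

Added example, not code from the article. KeyService is a local stand-in for
KMS, and seal/unseal is an HMAC-SHA256 keystream + HMAC tag stand-in for an
AEAD such as AES-GCM; the row contents are constructed sample data.
"""
import hashlib
import hmac
import json
import os


def _keystream(key, nonce, length):
    # Counter-mode keystream derived with HMAC-SHA256 (demo stand-in for AES-CTR).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC under a 32-byte key; returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; a wrong key or an altered blob raises."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyService:
    """Stand-in for KMS: the master key never leaves this object; callers hold
    plaintext data keys only while in use and persist the wrapped copies."""

    def __init__(self):
        self._master = os.urandom(32)

    def generate_data_key(self):
        data_key = os.urandom(32)
        return data_key, seal(self._master, data_key)

    def decrypt_data_key(self, wrapped):
        return unseal(self._master, wrapped)


def encrypt_row(row, table_key, column_keys):
    """Columns listed in column_keys are sealed under their own key first, then
    the whole row is sealed under the table key (an envelope inside an envelope)."""
    inner = dict(row)
    for col, col_key in column_keys.items():
        if col in inner:
            inner[col] = seal(col_key, inner[col].encode()).hex()
    return seal(table_key, json.dumps(inner, sort_keys=True).encode())


def decrypt_row(blob, table_key, column_keys=None):
    """With only the table key, protected columns come back still encrypted (hex)."""
    row = json.loads(unseal(table_key, blob).decode())
    for col, col_key in (column_keys or {}).items():
        if col in row:
            row[col] = unseal(col_key, bytes.fromhex(row[col])).decode()
    return row


def demo():
    kms = KeyService()
    table_key, wrapped_table_key = kms.generate_data_key()
    ssn_key, wrapped_ssn_key = kms.generate_data_key()
    row = {"id": "42", "email": "jane@example.com", "ssn": "123-45-6789"}  # constructed
    blob = encrypt_row(row, table_key, {"ssn": ssn_key})
    # A service entitled to the table unwraps only the table key...
    app_view = decrypt_row(blob, kms.decrypt_data_key(wrapped_table_key))
    # ...while one entitled to the sensitive column also unwraps the column key.
    full_view = decrypt_row(blob, table_key, {"ssn": kms.decrypt_data_key(wrapped_ssn_key)})
    return row, app_view, full_view


if __name__ == "__main__":
    original, app_view, full_view = demo()
    print("table-key holder sees ssn as:", app_view["ssn"][:16] + "...")
    print("column-key holder sees ssn as:", full_view["ssn"])
    print("round trip ok:", full_view == original)
```

Which principal may unwrap which key is where IAM comes back in: the key policy and the caller's IAM permissions decide who can call the equivalent of `decrypt_data_key` for the column key, which is the "permissions over and above IAM" effect the paragraph describes, implemented as two keys rather than one.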
In today’s age of artificial intelligence, cloud vendors are investing in AI tools to enable security that doesn’t require human intervention. AWS Macie, for example, is a security tool based on machine learning. It analyzes the data being ingested into S3, and is able to spot personally identifiable information (PII) and automatically encrypts this information. It can compare the behaviour of one user against that of all users cumulatively and make highly accurate predictions on which activity is suspicious, and which is normal. With the amount of information to be analyzed today, machine learning is essential to implement scalable security in the cloud.
Container security best practices
Cloud-native applications rely on containers and are shifting away from VMs for packaging and deploying their code and dependencies. This being the case, DevOps teams need to be aware of the key security options for containers.
The most important container security features are namespaces and cgroups. Namespaces restrict what a container can see, and cgroups limit the resources a container can consume. Together, these two features ensure that a compromised or malfunctioning container doesn’t affect neighbouring containers.
Apart from namespaces and cgroups, there are many Docker security best practices. You could follow the CIS benchmark for Docker to check your system for various potential vulnerabilities. Rather than using a public container registry, you could use a private registry like AWS’ EC2 Container Registry (ECR), or Quay. These registries ensure only verified and safe container images are downloaded to your system, and they scan every image for common known vulnerabilities.
Other container image best practices include keeping your images small and lightweight, and not keeping the same containers in use for longer than a week. Additionally, you should never store secrets in containers. Both Docker and Kubernetes provide secrets management for just this purpose. Alternatively, there’s dynamic secrets creation and injection possible with Hashicorp Vault.
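A check that turns the image best practices from the two paragraphs above into something a pipeline can enforce, as an added example that is not code from the original article, from the CIS benchmark, or from Docker: both Dockerfiles and the image inventory are constructed, the secret-name and key-file patterns are assumptions, and the seven-day limit is the one the text states. It flags unpinned or `:latest` base images, secrets baked in via `ENV`/`ARG`, key files copied into the image, containers that run as root, and images that have been in use for longer than a week.

```python
"""Dockerfile and image-inventory checks for the practices the article lists:
pinned base images, no secrets in the image, non-root user, weekly image rotation.

Added example, not from the article, the CIS Docker benchmark, or Docker itself.
The Dockerfiles and the inventory are constructed; the regexes are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed: several things the paragraphs above warn against, on purpose.
BAD_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
COPY id_rsa /root/.ssh/id_rsa
COPY . /app
CMD ["python", "/app/main.py"]
"""

# Constructed: the same service built the way the article recommends.
GOOD_DOCKERFILE = """\
FROM python:3.12-slim
COPY app/ /app
RUN useradd --system app
USER app
CMD ["python", "/app/main.py"]
"""

SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
SECRET_FILE = re.compile(r"(id_rsa|id_ed25519|\.pem|\.key|\.env)(\s|$)", re.I)


def dockerfile_findings(text):
    """Return (line number, reason) pairs; line 0 means a file-level finding."""
    findings, runs_as_root = [], True
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            parts = arg.split()
            image = parts[0] if parts else ""
            # A digest reference (image@sha256:...) contains ':' and passes this check.
            if image != "scratch" and (":" not in image or image.endswith(":latest")):
                findings.append((n, f"base image '{image}' is unpinned or :latest"))
        elif instr in ("ENV", "ARG") and SECRET_NAME.search(arg):
            findings.append((n, "secret-like value baked into the image"))
        elif instr in ("ADD", "COPY") and SECRET_FILE.search(arg):
            findings.append((n, "key or credential file copied into the image"))
        elif instr == "USER":
            runs_as_root = arg.strip() in ("root", "0")
    if runs_as_root:
        findings.append((0, "no non-root USER instruction; container runs as root"))
    return findings


def stale_images(images, now, max_age_days=7):
    """Names of images built more than max_age_days before 'now'."""
    cutoff = now - timedelta(days=max_age_days)
    return [name for name, built in images if built < cutoff]


# Constructed inventory: (image reference, build time) as a registry or scanner would report.
SAMPLE_IMAGES = [
    ("api:2024-01-02", datetime(2024, 1, 2, tzinfo=timezone.utc)),
    ("worker:2024-01-09", datetime(2024, 1, 9, tzinfo=timezone.utc)),
]
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)


if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, dockerfile_findings(text) or "no findings")
    print("images in use for more than a week:", stale_images(SAMPLE_IMAGES, NOW))
```

The Dockerfile checks run on the file before the image is built; the age check runs against whatever your registry or scanner reports for build time, so it catches images that pass the build-time checks but were never rebuilt to pick up patched base layers.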
If this is all too much to implement manually, you can leverage a container security platform like Twistlock, Aporeto, StackRox, or AquaSec which have numerous checks and balances in place to ensure your container system is safe. They even leverage machine learning to provide proactive security that adapts to modern threats on distributed systems.
Want to learn more? Check out this free webinar: Cybersecurity as Code: Build a Secure-by-Default Cloud.