With hybrid or multi-clouds, companies can work much more flexibly, react faster, and set up new business models. The downside is that it makes the job of the IT departments more complex at the cost of less transparency. Why companies need to rethink and embrace cloud native security if they want to guarantee the necessary security and meet compliance requirements – and why DevOps teams also benefit.
Companies are becoming increasingly agile, as the management and technology consultancy BearingPoint recently found out. This is good news. The pandemic has recently shown how important a higher degree of flexibility is for business success. If you think you can hear a faint "but", you are on the right track. In fact, I'm afraid that people are currently losing sight of the issue of security in many places. I can understand, because many companies simply lack transparency with respect to their multi-cloud landscapes. The management relies on conventional tools to prepare for threats from the network. Anyone who wants to become more agile with infrastructure as a service, containers, or virtual machines needs modern vulnerability management and cloud native security – i.e. a security concept that was developed for cloud computing. Modern cloud architectures and DevOps are turning traditional concepts for security, governance and compliance on their head. The goal must, therefore, be automated, managed security.
According to a study by Palo Alto Networks, the cloud infrastructure is constantly changing in 80 percent of the companies surveyed. The private cloud was followed by the public cloud, hybrid and multi cloud are the next stages. This also means that the dangers in the virtual space are diverse and are increasing continuously, and manual processes are no longer keeping pace with this development. This can be easily illustrated with a (not exhaustive) list of threats that companies face in the cloud:
• Malware
• application vulnerabilities
• weak or non-functioning authentication
• insider threats
• insecure APIs
• misconfigurations
No wonder that the workload of IT departments has been steadily growing in recent years. Cloud native security can now support teams. In several ways. Such solutions respond automatically to malware and threats and maintain an overview of all assets, workloads, and data. With their analyses, they ensure that the company is adhering to all compliance and governance guidelines. This is contingent on companies including the development departments in their security concept.
Anyone who wants to be agile on the move needs to offer a flexible infrastructure to their DevOps teams. And needs to implement new security awareness: security first must apply to the development of new software and then to the entire life cycle. This means that companies must ensure the appropriate protective measures are automatically matched to the infrastructures and tools used. Only when security tests run automatically at every stage of the development process can vulnerabilities be eliminated at an early stage and new cloud technologies integrated quickly and securely. This helps to avoid unpleasant surprises – i.e. security and compliance risks – from the outset. Believe me, with this security approach, the atmosphere between your security and DevOps teams will also automatically improve. When choosing your cloud native security solution, make sure that it works according to the "shift left" principle. It will then automatically fix security vulnerabilities and misconfigurations that can be a source of frustration even for the most experienced developers. This minimizes the risks – without disrupting the agility of the teams.
According to the study by Palo Alto Networks, 57 percent of the companies surveyed use six or more security solutions. Many would rather have a single solution that covers everything. What are the criteria which a cloud native offering actually has to meet?
• Do not design your cloud native security just for the public cloud, because the future is multi-cloud.
• When choosing your security solution, make sure that it offers visibility into all of your cloud resources.
• Clarify whether the system is up to date in terms of security, governance, and compliance.
• Your solution should report in detail on all risks – including user assignment and the resources involved.
• Vulnerability management and application level security are mandatory.
• The system must be capable of detecting anomalies in the network.
• The offering must include identity and access management (IAM).
A modern security solution should always support you in two ways: Thanks to cloud security posture management (CSPM), you know which resources are located where in your clouds. It protects your data, and provides automated protection for governance and compliance. However, make sure that threat detection and automated response are also included. Your security solution should also secure your cloud-based workloads and operating system data, and protect your containers, serverless functions, and virtual machines. This is referred to by experts as a cloud work protection platform (CWPP).
We know that our customers need consistent security across all clouds. We call this security first and it should apply across the board – irrespective of how many security and cloud specialists the company employs. To keep you one step ahead in terms of security, T-Systems offers a managed security and compliance service for the entire technology stack and for all your cloud applications.
