The growth of software as a service (SaaS) application usage has been one of the biggest trends in technology over the past couple of decades. Just consider the popularity of Microsoft Office 365 for productivity, Salesforce for customer relationship management and ServiceNow for workflow management. The pandemic pushed even more organizations to embrace the cloud for its massive scalability and ability to support work from anywhere. However, with that scale comes an expanded threat surface that requires deep scrutiny when securing IT infrastructure and its data.
When software applications are built to operate on cloud platforms, the inherently disaggregated nature of the architecture presents challenges for DevOps and cybersecurity stakeholders. Striking a balance between application innovation and security can often become tricky for enterprises. What is required is a framework that ensures security is woven into the development process from start to finish. I want to share my insights about what cloud-native application security must address and what comprises a complete solution.
What cloud-native application security must address
At a high level, cloud-native application security must achieve two things. First, it must integrate and automate effective cybersecurity into a single platform. Second, and even more importantly, it must provide robust security over the complete lifecycle of a cloud-native application. Both of these elements must be present across the phases of development, testing, deployment and ongoing management.
The origin of cloud-native application security can be traced back to the desire to consolidate disparate tools that facilitate different aspects of cloud security, including monitoring, alerting, and control as well as the prevention of breaches and their mitigation if they do occur. The virtual, and often short-lived nature of container instances and microservices also presents challenges that are difficult, if not impossible, to solve with traditional on-premises security tools.
What comprises a complete solution?
In my research on cloud-native application security, a handful of critical considerations have emerged that I believe must be met. First, security must span any microservices architecture as well as containers and serverless deployment. Second, cloud workload protection must be a foundational element, and it needs to be coupled with cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM).
CSPM identifies and addresses risks when applying automation to observability and resulting threats. On the other hand, CIEM aims to provide real-time analysis of alerts generated by cloud-native applications and the underlying hardware. Together, CSPM and CIEM provide a powerful capability to identify security gaps and mitigate the potential blast radius of exploitation.
Finally, as touched on above, cloud-native application security must span the entire lifecycle of an application from development through testing and all the way into production. In doing so, a complete solution ideally identifies vulnerabilities early in the development cycle and continuously monitors run-time environments for vulnerabilities or misconfigurations. I also recently published an explainer tied to Cisco’s approach to cloud-native application security that goes into further depth.
Wrapping up
Today, cloud-native application security solutions are available from a growing list of infrastructure providers. Leading options include Cisco Panoptica, CrowdStrike Falcon, Microsoft Azure Defender for Cloud, Palo Alto Networks Prisma Cloud, and there are more where those came from.
With the rush to the cloud over the past few years, hastened by the need to support hybrid work, many enterprises are revisiting their security postures for cloud-native application development and deployment. Given the expanded threat surface now faced by enterprises across multiple domains, this is a necessary endeavor.
Implemented correctly, cloud-native application security simplifies management, provides deeper visibility and ensures resiliency while including deep integrations that span the entire lifecycle of these applications. All of these are compelling considerations, given the growing threats presented by bad actors who continually find new ways to exploit vulnerabilities and harm organizations.
Moor Insights & Strategy provides or has provided paid services to technology companies like all research and tech industry analyst firms. These services include research, analysis, advising, consulting, benchmarking, acquisition matchmaking, and video and speaking sponsorships. The company has had or currently has paid business relationships with 8×8, Accenture, A10 Networks, Advanced Micro Devices, Amazon, Amazon Web Services, Ambient Scientific, Ampere Computing, Anuta Networks, Applied Brain Research, Applied Micro, Apstra, Arm, Aruba Networks (now HPE), Atom Computing, AT&T, Aura, Automation Anywhere, AWS, A-10 Strategies, Bitfusion, Blaize, Box, Broadcom, C3.AI, Calix, Cadence Systems, Campfire, Cisco Systems, Clear Software, Cloudera, Clumio, Cohesity, Cognitive Systems, CompuCom, Cradlepoint, CyberArk, Dell, Dell EMC, Dell Technologies, Diablo Technologies, Dialogue Group, Digital Optics, Dreamium Labs, D-Wave, Echelon, Ericsson, Extreme Networks, Five9, Flex, Foundries.io, Foxconn, Frame (now VMware), Fujitsu, Gen Z Consortium, Glue Networks, GlobalFoundries, Revolve (now Google), Google Cloud, Graphcore, Groq, Hiregenics, Hotwire Global, HP Inc., Hewlett Packard Enterprise, Honeywell, Huawei Technologies, HYCU, IBM, Infinidat, Infoblox, Infosys, Inseego, IonQ, IonVR, Inseego, Infosys, Infiot, Intel, Interdigital, Jabil Circuit, Juniper Networks, Keysight, Konica Minolta, Lattice Semiconductor, Lenovo, Linux Foundation, Lightbits Labs, LogicMonitor, LoRa Alliance, Luminar, MapBox, Marvell Technology, Mavenir, Marseille Inc, Mayfair Equity, Meraki (Cisco), Merck KGaA, Mesophere, Micron Technology, Microsoft, MiTEL, Mojo Networks, MongoDB, Multefire Alliance, National Instruments, Neat, NetApp, Nightwatch, NOKIA, Nortek, Novumind, NVIDIA, Nutanix, Nuvia (now Qualcomm), NXP, onsemi, ONUG, OpenStack Foundation, Oracle, Palo Alto Networks, Panasas, Peraso, Pexip, Pixelworks, Plume Design, PlusAI, Poly (formerly Plantronics), Portworx, Pure Storage, Qualcomm, Quantinuum, Rackspace, Rambus, Rayvolt E-Bikes, Red Hat, Renesas, Residio, Samsung Electronics, Samsung Semi, SAP, SAS, Scale Computing, Schneider Electric, SiFive, Silver Peak (now Aruba-HPE), SkyWorks, SONY Optical Storage, Splunk, Springpath (now Cisco), Spirent, Splunk, Sprint (now T-Mobile), Stratus Technologies, Symantec, Synaptics, Syniverse, Synopsys, Tanium, Telesign,TE Connectivity, TensTorrent, Tobii Technology, Teradata,T-Mobile, Treasure Data, Twitter, Unity Technologies, UiPath, Verizon Communications, VAST Data, Ventana Micro Systems, Vidyo, VMware, Wave Computing, Wellsmith, Xilinx, Zayo, Zebra, Zededa, Zendesk, Zoho, Zoom, and Zscaler. Moor Insights & Strategy founder, CEO, and Chief Analyst Patrick Moorhead is an investor in dMY Technology Group Inc. VI, Fivestone Partners, Frore Systems, Groq, MemryX, Movandi, and Ventana Micro., MemryX, Movandi, and Ventana Micro.
Read the full article here
