Today’s New DevSecOps Challenge: Integrating Cloud-Native Security Across Multi-Cloud Networks


In today’s rapidly evolving, digitally-driven economy, the window of opportunity that businesses have to capitalize on shifting markets and consumer demands is continually getting shorter. To keep up, application developers and IT teams need to also perpetually shorten the development lifecycle of systems and applications, while at the same time continuing to deliver features, fixes, and updates that align with business objectives. Because of the speed and resources needed to make these happen, much of this development can only really be done effectively, and at scale, in a cloud environment.

The cloud is transforming how we develop applications

Flexibility, scalability, performance, and reduced cost are some of the primary drivers behind the shift to the cloud and a fundamental component of today’s digital transformation. However, one of the first mistakes many organizations make when they transition to the cloud is to try to shift their old on-premise applications and application development strategies there as well. Unfortunately, this approach doesn’t allow them to take advantage of fundamental cloud-native features.

Instead, the cloud offers new development capabilities that allow organizations to get out ahead of the demands of the digital business model that organizations need to adopt today. These include:

  • Minimum viable product development – the development of a product with just enough features to satisfy early customers and provide feedback for future development is ideally supported by the flexible set of tools in the cloud combined with the ability to rapidly iterate changes.
  • Agile development – the separation of application functionality into microservices using different technologies (VMs, PaaS, containers, FaaS) to enable the autonomous creation and updating of features, speeding up development and updates.
  • Multivariate testing – because applications are made of combinations of changeable elements, this testing process—which is easily enabled in the cloud—helps determine which combination of variations performs the best.
  • Rapid iteration – applying changes to an application as soon as a problem is identified, rather than waiting for enough issues to accumulate to warrant a general update, is an important by-product of all of the above.

These processes require creating an underlying infrastructure that can quickly adapt as development requirements shift. Developing that underlying cloud environment requires application developers and IT operations to work closely together as a DevOps team to ensure that development parameters and infrastructure resources are tightly and continuously integrated.

The cloud also requires that we transform our security

In the DevOps “infrastructure as code” world, everything is software-defined, including servers (mostly VMs), containers, application stacks, networks, and access models. The challenge, however, is that open models like these are also vulnerable to attack. There have been a number of recent incidents, for example, where unprotected cloud storage buckets were left exposed, leaving confidential business and customer data publicly available on the Internet.

The reality is that traditional on-premise security cannot be uplifted into the cloud any easier, or with any better results, than legacy applications. Security must adopt the same development strategy, which means that DevOps needs to expand to become DevSecOps so that organizations can integrate security throughout the software development and delivery pipeline. The idea behind DevSecOps is to enable the building and deployment of software with security woven into every step of the app development lifecycle. If development teams build applications with built-in security controls, operations teams can deploy them faster and with peace of mind.
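The exposed-bucket incidents and the "security woven into every step" idea above meet in a pipeline gate that inspects infrastructure-as-code before it is deployed. The following is an added example, not code from the article or from Fortinet; the plan structure (type/name/values), the rule ids and the sample buckets are constructed for illustration and follow no vendor's real schema.

```python
import json

# Added example: DevSecOps gate that flags publicly readable storage buckets in an
# IaC plan. Resource shape, rule ids and sample data are constructed/hypothetical.

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def policy_allows_anyone(policy_json):
    """True if an IAM-style bucket policy has an Allow statement with a wildcard principal."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and (
            principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        ):
            return True
    return False


def check_storage_buckets(resources):
    """Return (resource_name, rule_id, message) for every public-exposure finding."""
    findings = []
    for res in resources:
        if res.get("type") != "storage_bucket":
            continue  # only bucket resources are in scope for these rules
        name, values = res["name"], res.get("values", {})
        if values.get("acl") in PUBLIC_ACLS:
            findings.append((name, "BUCKET_PUBLIC_ACL", f"acl={values['acl']} exposes objects to everyone"))
        if policy_allows_anyone(values.get("policy")):
            findings.append((name, "BUCKET_WILDCARD_PRINCIPAL", "bucket policy allows Principal '*'"))
        if not values.get("block_public_access", False):
            findings.append((name, "BUCKET_NO_PUBLIC_ACCESS_BLOCK", "public access block not enabled"))
    return findings


def gate(resources):
    """Pipeline verdict: True lets the deploy proceed, False blocks it."""
    return not check_storage_buckets(resources)


# Constructed sample plan: one misconfigured bucket, one hardened bucket, one non-bucket.
SAMPLE_PLAN = [
    {"type": "storage_bucket", "name": "customer-exports", "values": {
        "acl": "public-read", "block_public_access": False,
        "policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                             "Action": "s3:GetObject", "Resource": "*"}]})}},
    {"type": "storage_bucket", "name": "build-artifacts", "values": {
        "acl": "private", "block_public_access": True, "policy": None}},
    {"type": "compute_instance", "name": "web-1", "values": {}},
]

if __name__ == "__main__":
    print("plan approved" if gate(SAMPLE_PLAN) else "plan blocked", check_storage_buckets(SAMPLE_PLAN))
```

Run as a pre-deploy step, a non-empty finding list fails the pipeline, so the misconfiguration never reaches the cloud account where a public bucket would be discoverable.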

The power of cloud-native security

As with agile development strategies, the allocation of security resources to inspect traffic or respond to a threat needs to be instantaneous. Unfortunately, many of the security tools that are available in cloud environments have not been fully optimized to take advantage of the functionality of the cloud, which can cause threat detection and response to be delayed or incomplete. In many respects, this is the same mistake that organizations made when they tried to extend their on-premise applications to the cloud.

Fortunately, cloud-native security is fueling a significant change to this process. “Cloud-native” refers to an approach for building and running applications that takes advantage of the cloud computing delivery model and capabilities. Such applications are specifically designed to run in the same elastic and distributed way that cloud applications run, and that modern cloud computing platforms require—which is very different from traditional security tools.

Cloud-native security also enables the full integration of a metadata-based security policy across the infrastructure, so development and operations teams can operate as autonomously and securely as possible. Unlike traditional networks, where IT and security teams often operate with very high dependence on each other, implementing a consistent security policy that secures the ongoing development of applications and services across the entire stack requires security, development, and operations teams to define guidelines that will let them work autonomously.

The advantages of a cloud-native strategy include:

  • Higher performance – Cloud-native applications that are built on public cloud services can potentially deliver much better performance than non-native solutions.
  • Broader scalability – Because a cloud-native security application leverages cloud services for delivery and cloud APIs for control, the security infrastructure can be applied at scale without the need to re-architect for scale.
  • Greater efficiency – A cloud-native security application’s access to cloud-native features and APIs also provides more efficient use of the cloud’s underlying resources, which translates to performance aligned with costs – no need to overprovision security.

Extending cloud-native functionality across a multi-cloud environment

Of course, once an organization has migrated applications to the cloud, the cloud environment becomes an extension of the traditional on-premise network, with highly sensitive corporate data flowing across both. This requires you to visualize and manage policies across both environments consistently and cohesively, through a single pane of glass, to ensure security and compliance requirements continue to be met regardless of where data exists or transactions occur.

This challenge becomes even more complicated as organizations adopt a multi-cloud strategy. Underlying cloud infrastructures provided by different vendors are fundamentally different from each other, which means that cloud-native solutions may not always function the same. So the challenge that organizations face as they move workloads to multiple public cloud platforms is to protect them as they run across and between different cloud environments just as effectively as if they were running on a single system. This requires processes and tools that are not only effective, but that have identical functionality and controls in every context.

One option is to avoid security architectures that rely on silos of controls, point solutions, or narrow cloud-native options. Instead, security teams should consider flexible and extensible security solutions that have been designed to operate and interoperate seamlessly across physical, private cloud, and multi-cloud environments. Cross-platform connectors are one way to tie every security iteration to a centralized management console. This enables unified policy creation, distribution, orchestration, enforcement, and management across the entire distributed environment, without losing any of the advantages of cloud-native applications.

Conclusion

In today's networked environments, the only certainty is change. It is imperative, therefore, that solutions are selected and designed with that in mind. DevSecOps teams not only need to consider how they can take advantage of the cloud environment they have in place today, or how to build solutions with enough flexibility to take advantage of platform functionalities they haven't even imagined yet, but to also consider a strategy that can seamlessly span across any number of platforms.

Cloud is just the tip of the iceberg. Tomorrow's networks will include things like temporary micro-clouds, autonomous decision-making at the expanding edge, and complex physical/cyber environments. Rather than developing a new security strategy from scratch for each of these, we need to consider now how to prepare to weave them into the fabric of our existing security architecture—because the first organizations that can securely take advantage of tomorrow’s opportunities will reap the largest rewards.

Read more about how Fortinet secures multi-cloud environments with our Security Fabric.

Copyright © 2019 IDG Communications, Inc.