In the cloud-native world, security means changing together

Skills development, planning and engagement are all key to the transition


The shift to cloud-native applications has been accelerated by the COVID-19 pandemic, with companies of all sizes embracing cloud technologies to build and maintain their business applications at scale.

For financial service institutions facing pressure to maintain continuity in the face of massive change last year – including not only the movement of thousands of workers to work-from-home, but the architectural challenges of continuing to maintain and upgrade complex and mission-critical services – cloud-native applications represented a new level of functionality and agility.

Early wins have driven even more investment in cloud-native architectures, according to security executives at a cross-section of Asia-Pacific financial service companies, who joined CSO and Red Hat for a lively roundtable discussion about their own successes, challenges, and plans for the future.

Although some firms were still in the early days of their cloud migration, a number were already well advanced: one participant, from a major industrial conglomerate, noted that around 70% of the organisation’s workloads are already on the cloud and that technologies such as Red Hat OpenStack were in wide use.

“Security has been a crucial part of the whole thing,” he said, “and over the next three years we will be going on a journey to decommission on-premise systems and move to the cloud.”

Another participant, from a major regional bank, said the organisation was in the middle of its cloud migration, and had accelerated the move during 2020 due to the pandemic’s disruption.

“Internal clients are wanting to delve into a hybrid, if not a multi-cloud, posture,” she said, noting that this had involved constantly shifting priorities between cloud access security broker (CASB), working profiles, data protection and other issues.

“We’re building the roadmap and changing the tires while it’s driving down the road,” she said, laughing.

Another participant faced similar dramatic changes during the pandemic, doubling down on cloud services as a way of ensuring that his relatively small business could stay operational.

Running an all-cloud environment helped the company retain access to compliance and security tools that helped satisfy national compliance regulations “that used to consume massive amounts of resources and time,” he said. It was also easier to introduce security capabilities such as a zero-trust architecture, a shared-responsibility security model, and more.

“What surprised me, coming from my previous role in a big bank, was how you could adopt many enterprise-grade solutions now: even a relatively small business has the potential to scale up to a big enterprise.”

“There are different challenges, but I don’t worry now about things like patch management, vulnerability scanning, and software obsolescence.”

Managing workforce change

The transition to the cloud was about more than technology for the roundtable participants. With many technical architectures fundamentally changing and tasks like integration very different, one participant said, “there is a lot of benefit in moving to cloud but it changes the dynamic of how we are providing security today.”

“It’s important that as we move the technology, we also move or improve the skill set of our teams,” she said, “so we are upskilling and moving up as quickly as possible.”

Security isn’t the only area where the cloud-native migration may test many companies’ skill sets: moving from on-premise architectures to cloud-based stacks based on containers often requires some adjustments, re-training, and additional certifications.

Many customers “just offload their security operations,” said Lucy Kerner, Red Hat’s Director, Security Global Strategy and Evangelism, noting that many companies had handed “the majority of their internal security operations to managed security service providers.”

One roundtable participant noted that over the past seven years, his company had been working closely with its service provider in the run-up to a cloud migration: “we do due diligence on them and we do a lot of planning,” he said, “and by sharing the plans in a very concise manner with the providers, we monitor and supervise its execution.”

“We are increasingly looking at how service providers are complying, and that works well for us as well.”

Ongoing conversations with developers were crucial to ensure that DevOps architectures are able to accommodate cloud-native technologies, such as containers, especially as their use increases.

“It’s very important to have these constant conversations with the developer community,” said one participant, who noted that “a lot of security implementations need to be done by developers themselves now.”

That realisation had forced the company, which has made an extensive transition to cloud-native operations, to “inculcate those values and awareness into the developers,” he said.

“We needed to go on that journey to inculcate that with them. But beyond the developers, from whatever you were doing on-premise and in the cloud, the security principles don’t change that much; it’s how you implement them that changes.”

Complexity and velocity

Maintaining security in a container-based environment requires attention to two key issues – complexity and velocity – noted Vincent Caldeira, chief technologist for FSI with Red Hat.

“The moment you start to look at the complexity of a modern cloud-native application you are looking at service-level security,” he said. “It, and the controls around it, can be extremely granular and difficult to understand.”

Velocity is a challenge in its own right, particularly for information security and compliance practices. “They change,” Caldeira said, “because you are not doing an application change every 6 months as banks used to do – but now you are doing one every two weeks.”

That accelerated pace of development and activity meant that security needed to be integrated into “every part of the governance process,” one roundtable member pointed out, noting that in his company “no application goes live without security sign-off.”

Yet in the cloud-native world, compliance doesn’t stop when the application goes live, particularly in the highly regulated financial services and insurance sector. The continually looming presence of auditors has added yet another element to the cloud-native conversation.

One organisation has been having these conversations but “it is still baby steps,” an attendee reported, noting that auditors point out risks that must be addressed and also highlight failures of business or technological processes.

“There is a lot of work on the development side to go to the cloud, but we haven’t had the appetite to move any core customer and production workloads to the cloud yet,” he said. “There are conversations around what standards we should follow, and everyone recognises that access and control are critical from a resource point of view.”

Another attendee said, “Ultimately, the transition to cloud-native architecture will be driven not by the business but by the expectations of customers that have become accustomed to working in an agile digital world.”

“It’s not about your appetite, but about your customers’ appetite,” he explained. “It’s about moving all things together, it’s about continuous engagement and education, and it’s even more about getting people into ownership of the process.”

Ultimately, accommodating the changes of the cloud-native world requires early wins and the appointment of ‘champions’ of change.

“As this mindset changes on all levels,” he said, “you are all working together and the business will start to ask what customers are asking: is the bank still interested in working with us in the old-fashioned way, or are we going to go with someone who can talk about speed?”

Copyright © 2021 IDG Communications, Inc.