Cloud Native Network Security: Who’s Responsible?
In ever-evolving cloud native environments, the importance of network security cannot be overstated. In non-cloud native environments, network security duties are shared by several teams, with network and security teams taking the lead. But, given the nature of cloud native environments, the platform team should be responsible for the network security of their platforms.
I’ll look at the platform team’s role in network security, including challenges faced in securing the network, what it needs to think about to establish and maintain robust network security, and why it is the best team for the job.
Transitioning Responsibilities to the Platform Team
Unlike traditional setups, where separate teams manage infrastructure and network security, a cloud native environment requires a different approach. In this dynamic environment characterized by continuous deployment, automated infrastructure provisioning and microservice communication, a perimeter-based approach to security and silos of responsibility will not work. Instead, the platform team must take responsibility for network security, which must be dynamic, distributed and ephemeral. Why?
Just like the platform, network security must be automated, scale with the platform and be configured as code so that it can be updated in real time. Given their skill sets, members of the platform team are most suited to oversee this.
Cloud native environments do necessitate a departure from traditional perimeter-based security measures. However, there are strong principles that have been formulated, refined and perfected in the world of traditional network security that platform teams should adapt for cloud native applications.
Learning from Traditional Network Security
While the cloud native environment presents unique challenges, traditional network security principles provide valuable insights gained over several decades. Concepts such as zero trust, network segmentation and traffic filtering are time-tested practices that can be adapted to fit the cloud native context:
- Zero trust: By adopting a zero trust approach, where every request is treated as potentially malicious, organizations can enhance their network security posture.
- Network segmentation: Network segmentation helps isolate workloads and restrict lateral movement, limiting the impact of potential breaches.
- Traffic filtering: Traffic filtering enables organizations to control and monitor network traffic, ensuring only authorized communication occurs.
Additional useful concepts include application isolation to limit lateral movement, deep packet inspection of suspicious traffic to identify indicators of attack and using threat intelligence feeds to block connection attempts to or from known bad actors.
The Platform Team’s Role in Securing the Network
Platform teams play a crucial role in securing the network and achieving compliance in cloud native environments. They need to proactively identify vulnerabilities and malware early in the CI/CD lifecycle, integrating security practices seamlessly into development and deployment processes. By building strict security into infrastructure automation, a platform team applies security measures consistently across the entire environment. This approach not only enhances security but also enables scalability and automation.
Platform teams are also responsible for configuring the security posture of the platform and workloads. By implementing trust no one, default deny and similar practices, organizations can prevent data exfiltration and allow only authorized egress. Because several different types of services share a platform, apps and services must be isolated to prevent threats of lateral movement and ensure multitenancy. The platform team must continuously monitor and update security configurations to adapt to evolving threats and maintain a robust security posture.
Network Security Challenges
The main challenges the platform team faces with network security in cloud native environments stem from handling the environments’ automated and elastic infrastructure, needing to secure both egress and internal traffic and detect and block attacks, and enabling network security to help with risk mitigation.
- Building scalable network security for the cloud: Because the infrastructure of cloud native provisioning is automated, elastic and distributed across hybrid cloud environments, new nodes and containers are constantly being spawned in various locations. The platform team needs to make sure network security can scale along with the infrastructure.
- Approaching network security from multiple angles: Network security needs to simultaneously secure egress traffic and traffic within the cluster because that traffic also communicates over the network.
- Detecting and blocking attacks: Network security must be able to detect and block attacks from known attackers as well as zero-day attacks.
- Setting up network security for risk mitigation: Network security plays an important role in risk mitigation. In the event of a breach, network security should be able to mitigate the risk of exposure and provide forensics so that proper steps can be taken to avoid a recurrence.
Achieving Compliance and Multitenancy
In a cloud native environment, compliance extends beyond traditional perimeter-based controls. Platform teams are best positioned to configure and demonstrate compliance, given their skill set and responsibilities. They must work closely with compliance teams to understand and implement the necessary controls and policies. By leveraging automation and security-as-code practices, the platform team can help meet compliance requirements consistently.
Multitenancy, whether driven by compliance or economies of scale, is a common aspect of cloud native environments. The platform team must design and implement effective multitenancy strategies to isolate and help secure tenant resources. This includes implementing strong access controls, network segmentation and encryption mechanisms to protect sensitive data and prevent unauthorized access.
Network security in a cloud native environment requires a proactive and adaptable approach. The platform team plays a pivotal role in ensuring robust network security. By leveraging insights from traditional network security, configuring Security as Code, and focusing on compliance and multitenancy, organizations can navigate challenges and protect their cloud native platforms effectively. With continuous monitoring, regular updates and collaboration with other teams, the platform team can stay ahead of emerging threats and help maintain a secure network environment.
To learn more about new cloud native approaches for establishing security and observability for containers and Kubernetes, check out this O’Reilly eBook, authored by Tigera.