CloudNativeSecurityCon: Shifting Left into Security Trouble

SEATTLE: At the first CloudNativeSecurityCon here, the good news is that cloud native computing has made creating and delivering software faster than ever. The bad news is the security problems are coming just as fast.
In the first keynote, Priyanka Sharma, the Cloud Native Computing Foundation (CNCF) Executive Director, said that containers, microservices, and Kubernetes have enabled us, via continuous integration/continuous delivery (CI/CD) and shifting work left, to build and deploy programs at record-setting paces. But, simultaneously, this is leading to “more exposed edges and nodes with attack surfaces and ultimately less control.”
What to Do?
What to do? Sharma suggests we use our same new-age, cloud native tools to fix our security problems. It’s not like we have much choice in the matter. After all, “security is not a one-and-done task. And no person is an island when it comes to security. It’s an ongoing conversation because things are very dire right now. The cost of us not doing anything is very high.”
How much? Sharma said, “the average cost of a breach on an organization is $3.8 million. And you look into the private cloud, that number goes up to $4.2 million. And then with public clouds, it’s over $5 million. And this is just the average cost. Not a good thing, especially in the times we face today.”
To combat this, we must address our poor training and lack of collaboration between teams. “Siloed teams often working in separate countries with multiple time zones using different tools, and policy frameworks” is a recipe for a security breach. Sharma continued, “We believe that security is people power,” which means getting all the people on the same security page.
In addition, “We all benefit when we collaborate as a knowledgeable vendor-neutral community to develop the tools and processes that will defend our systems,” Sharma noted. That means, “Practitioners and developers should share their development and deployment expertise. We’re in a position to teach each other. We’re all a global team of doers. And when we work together, we cover far more ground than any single organization,” she said. If that sounds familiar, it should. It’s the fundamental principle of open source development.
Of course, it’s harder now than it once was. As Sharma pointed out, “security truly is a multi-dimensional problem today.” But if we work together and support community security efforts and industry collaboration, we can secure our projects. Efforts such as CloudNativeSecurityCon, which brought together 700-odd developers and security experts, are a good stepping stone forward.