Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by Guilherme (Gui) Alvarenga
How GitHub Uses GitHub to Be Productive and Secure
May 31st 2023 10:30am, by Loraine Lawson
Top 3 Application Security Must-Haves
May 26th 2023 7:59am, by Guilherme (Gui) Alvarenga
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Chainguard Improves Security for Its Container Image Registry
May 31st 2023 6:30am, by Steven J. Vaughan-Nichols
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How to Containerize a Python Application with Paketo Buildpacks
May 29th 2023 5:00am, by Sylvain Kalache
Can Rancher Deliver on Making Kubernetes Easy?
May 27th 2023 7:00am, by Jack Wallen
Red Hat Podman Container Engine Gets a Desktop Interface
May 23rd 2023 7:30am, by Joab Jackson
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by Jason Myers
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by Chris J. Preimesberger
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by Alex Handy
Building a Plant Monitoring Tool with IoT
May 8th 2023 9:27am, by Zoe Steinkamp
How to Choose and Model Time Series Databases
Apr 28th 2023 3:00am, by Robert Kimani
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by Susan Hall
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Spring Cloud Gateway: The Swiss Army Knife of Cloud Development
May 8th 2023 6:47am, by Juergen Sussner
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
WithSecure Pours Energy into Making Software More Efficient
Jun 1st 2023 7:14am, by Joe Fay
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
How to Decide Between a Layer 2 or Layer 3 Network
Apr 25th 2023 10:00am, by Gino Dion
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
Wireshark Celebrates 25th Anniversary with a New Foundation
Mar 28th 2023 5:00am, by Joab Jackson
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
IBM's Quiet Approach to AI, Wasm and Serverless
May 4th 2023 6:00am, by Loraine Lawson
Cloud Control Planes for All: Implement Internal Platforms with Crossplane
Apr 13th 2023 10:00am, by Bassam Tabbara
The Architect’s Guide to Storage for AI
Jun 1st 2023 7:44am, by Keith Pijanowski
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by Jennifer Riggins
Raft Native: The Foundation for Streaming Data’s Best Future
May 30th 2023 9:44am, by Doug Flora
Why the Document Model Is More Cost-Efficient Than RDBMS
May 25th 2023 9:24am, by Rick Houlihan
Amazon Aurora vs. Redshift: What You Need to Know
May 25th 2023 6:27am, by Casey Samulski
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
LangChain: The Trendiest Web Framework of 2023, Thanks to AI
Jun 1st 2023 10:57am, by
30 Non-Trivial Ways for Developers to Use GPT-4
Jun 1st 2023 9:39am, by
Bluesky vs. Nostr — Which Should Developers Care About More?
May 30th 2023 7:51am, by
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by
API Management Is a Commodity: What’s Next?
Jun 6th 2023 9:59am, by
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by
Where Does Trace-Based Testing Fit in the Testing Pyramid?
Jun 5th 2023 7:52am, by
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
Dev News: Angular v16, plus Node.js and TypeScript Updates
Apr 22nd 2023 4:00am, by
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by
Python and WebAssembly: Elevating Performance for Web Apps
Jun 5th 2023 3:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by
New Image Trends Frontend Developers Should Support
May 25th 2023 6:00am, by
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by
Cloud Dependencies Need to Stop F---ing Us When They Go Down
May 25th 2023 10:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
A Boring Kubernetes Release
May 19th 2023 12:23pm, by
Optimizing Mastodon Performance with Sidekiq and Redis Enterprise
May 18th 2023 10:30am, by and
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
Bringing AI to the Data Center 
Jun 1st 2023 6:13am, by
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by
MongoDB vs. PostgreSQL vs. ScyllaDB: Tractian’s Experience
May 31st 2023 6:10am, by and
API Management Is a Commodity: What’s Next?
Jun 6th 2023 9:59am, by
Meta-Semi Is an AI Algorithm That 'Learns How to Learn Better'
Jun 6th 2023 3:00am, by
Donald Knuth Asked ChatGPT 20 Questions. What Did We Learn?
Jun 4th 2023 6:00am, by
Maker Builds a ChatGPT DOS Client for a 1984 Computer
May 31st 2023 11:04am, by
Google’s Generative AI Stack: An In-Depth Analysis
May 31st 2023 7:59am, by
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by
VeeamON 2023: When Your Nightmare Comes True
Jun 2nd 2023 7:47am, by
Compiled Python Code Used in a New PyPI Attack
Jun 2nd 2023 6:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
PyPI Strives to Pull Itself Out of Trouble
Jun 1st 2023 11:43am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
How to Host Your Own Platform as a Product Workshop
May 31st 2023 9:09am, by Jennifer Riggins
Take a Platform Engineering Deep Dive at PlatformCon 2023
May 26th 2023 10:00am, by Carrie Tang
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by B. Cameron Gain
VeeamON 2023: When Your Nightmare Comes True
Jun 2nd 2023 7:47am, by B. Cameron Gain
The Cedar Programming Language: Authorization Simplified
Jun 2nd 2023 6:07am, by Alex Williams
How to Improve Operational Maturity in an Economic Downturn
May 31st 2023 8:30am, by Jonathan Rende
MongoDB vs. PostgreSQL vs. ScyllaDB: Tractian’s Experience
May 31st 2023 6:10am, by Joao Pedro Voltani and Joao Granzotti
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
AI Has Become Integral to the Software Delivery Lifecycle
May 12th 2023 11:01am, by Richard MacManus
4 Core Principles of GitOps
May 11th 2023 2:17pm, by Alex Williams
5 Version-Control Tools Game Developers Should Know About
May 9th 2023 10:00am, by Sharone Zitzman
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
May 8th 2023 10:00am, by Mike Long
Donald Knuth Asked ChatGPT 20 Questions. What Did We Learn?
Jun 4th 2023 6:00am, by David Cassel
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by David Eastman
Defend Open Source from Trolls: Oppose Patent Rule Changes
Jun 2nd 2023 6:49am, by Michael Dolan
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
Maker Builds a ChatGPT DOS Client for a 1984 Computer
May 31st 2023 11:04am, by David Cassel
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
Open Source Jira Alternative, Plane, Lands
Jun 2nd 2023 9:00am, by Darryl K. Taft
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by B. Cameron Gain
My Further Adventures (and More Success) with Rancher
Jun 3rd 2023 7:00am, by Jack Wallen
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by Jessica Wachtel
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by Loraine Lawson
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
Cloud Native Ecosystem / Security

CNCF Security Whitepaper Shows the Complexity of Securing Cloud Native Operations

In November of 2020, the Cloud Native Computing Foundation released a whitepaper that focused on the security of cloud native applications.
Jan 12th, 2021 6:00am by
Featued image for: CNCF Security Whitepaper Shows the Complexity of Securing Cloud Native Operations

In November, the Cloud Native Computing Foundation released a whitepaper that focused on the security of cloud native applications. It was large in scope, covering everything from cloud native layers, to the full lifecycle of development, to compliance (and everything in between). This white paper should not only serve as a guiding light for any and all cloud native developers and admins (and the companies that hire them) but as a warning about the complex nature of security surrounding cloud native.

Why?

Because developing and administering in and for the cloud brings with it several layers of complexity not found when working with standard applications. And everyone involved in the relationship between the cloud and the company is affected.

Let’s dig into this whitepaper and highlight some of the more important bits, from the perspective of an administrator. So put on your admin hat and let’s go.

What Makes Cloud Native So Complex?

Right out of the gate, the CNCF paper discusses the complexity of cloud native operations. And anyone who has developed within this arena will not disagree with their assessment. The first point the paper makes is the focus on rapid deployment and development in conjunction with the impracticality of traditional “perimeter-based security.”

This is a big problem for many developers coming from a traditional background, if they assume the methods of securing a traditional application apply.

They do not.

In fact, as CNCF clearly indicates:

“This complexity requires a paradigm shift to protect applications by migrating from a perimeter based approach to one where security moves closer to dynamic workloads that are identified based on attributes and metadata.”

With cloud native applications, workload is key. Considering one of the primary benefits of cloud native is the ability to scale at will, the workload of an application takes center stage. Developers know this, so they give this functionality an almost singular focus. When the need to scale takes precedence over security, those deployed applications run the risk of compromise. In order to meet the needs of scale, while addressing the crucial security requirements of an application in constant flux, a paradigm shift is necessary.

For that, the CNCF states that cloud native development must be modeled into four distinct lifecycle phases: Develop, Distribute, Deploy, and Runtime.  Let’s take a look at those phases.

Develop

With cloud native development, security should be introduced early in the application lifecycle, and security testing should immediately identify compliance violations and misconfigurations. By doing this, it is possible to create short and actionable feedback cycles, which opens the door for continuous improvement such that security failures are addressed in the same way as all other workflows are resolved before moving software from one phase to the next.

The CNCF also makes it clear the security lifecycle of modern cloud native development must revolve around code that adheres to recommended design patterns, such as the 12 Factor App, which breaks down development into these points:

  1. Codebase: one codebase tracked in revision code with many deployments.
  2. Dependencies: explicitly declared and isolated.
  3. Config: configurations are stored within the environment.
  4. Backing services: are treated as attached resources.
  5. Build, release, run: these three stages are strictly separated.
  6. Processes: apps are executed as one or more stateless processes.
  7. Port binding: services are exported via port binding.
  8. Concurrency: applications are scaled out via the processes model.
  9. Disposability: fast startups and graceful shutdowns.
  10. Dev/prod parity: development, staging, and production should be kept as similar as possible.
  11. Logs: should be treated as event streams.
  12. Admin processes: admin/management tasks should be run as one-off processes.

By using a recommended design pattern, you can ensure the integrity of a workload is delivered. And with cloud native development tied to Infrastructure as Code, such practices are meant to ensure all controls operate as intended and include early security check integrations to identify misconfigurations and implement best practices.

Distribute

The software supply chain is one of the most crucial aspects of the lifecycle. Why? Because within the world of cloud native development, iteration is much faster than it is within standard development. This is especially true when dealing with CI/CD. And with cloud native, you need to include methods for verifying the integrity of the workload, the process for workload creation, and the means of operation. This is made even more complex by the use of open source software and third-party runtime images.

Remember, you are deploying containers, which depend on images. Those images can be the weakest link in the chain, as your developers might have pulled down an image containing malware. Those images need constant scanning for vulnerabilities, malware, and insecure coding practices, otherwise the cloud native applications built from those images would risk opening your network (and the data contained within) to attack.

Deploy

The deployment of your cloud native applications needs to be accompanied by real-time validation of candidate workload attributes. You must make sure:

  • Signed artifacts are verified.
  • Container images adhere to security policies.
  • Host suitability can be validated.

Another key aspect of cloud native apps is the ability to deploy with secure workload observability capabilities that allow for logs and metrics to be monitored with a very high level of trust. Such a high level of transparent observability, will serve to complement the already integrated security of your cloud native applications.

Think of observability as a new type of monitoring, geared specifically for cloud native deployments, and is built upon three pillars:

  • Metrics: show you when you have a problem
  • Tracing: points you to the problem
  • Logs: help you find the root of the problem.

Runtime

Finally, we have runtime. Your cloud native environments are required to provide strict policy enforcement and resource-restrictive capabilities. With cloud native applications, you have runtime resource constraints like Linux kernel cgroup isolation, which limits, isolates, and measures resource usage of a group of processes. Cgroup isolation is an example of restrictive/observability primitives which must be integrated into the higher levels of your cloud native application lifecycle.

One key high level component, within cloud native applications, is the runtime. Do not mistake this runtime with the runtime environment. This is runtime with regard to software and instructions that are executed while an application is running. Many times, the runtime will include instructions you did not explicitly write, but were programmed by a third party. Because of that fact, it is key that you work with best practices to secure all of these interconnected components, such that:

  • Only sanctioned processes are allowed to operate within a container namespace.
  • You prevent unauthorized resource access.
  • Network monitoring is used to detect hostile tooling activity.

Conclusion

The security of cloud native applications must, at all times, be applied to each of these components to ensure the same conditions, diligence, integrity, trust, and threat prevention is applied throughout the entire lifecycle. Because cloud native development is exponentially more complex than traditional development, every layer must be approached with an eye for protection from unauthorized access. Your organization, your administrators, and your developers must adopt specific methodologies that shift security and give a renewed importance to DevOps, so you can ensure the security of your cloud native apps through the lifecycle of development, distribution, deployment, and runtime.

Feature image by John Barkiple on Unsplash.

Group Created with Sketch.
SHARE THIS STORY
RELATED STORIES
Why Upgrade to Observability from Application Monitoring? KubeCon Panel Offers Cloud Cost Cutting Advice OpenTelemetry Gaining Traction from Companies and Vendors Bobsled Offers Platform-Neutral Data Sharing Service 4 Core Principles of GitOps
RELATED STORIES
A Boring Kubernetes Release Rafay Backstage Plugins Simplify Kubernetes Deployments Ease Kubernetes Deployments with Cloud Foundry’s Korifi Mirantis Updates k0s Lightweight Kubernetes Distro KubeCon Panel Offers Cloud Cost Cutting Advice
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.