Mitigating Risks in Cloud Native Applications
Two decades ago, security was an afterthought; it was often “bolted on” to existing applications that left businesses with a reactive approach to threat visibility and enforcement. But with the proliferation of cloud native applications and businesses employing a work-from-anywhere model, the traditional approach to security is being reimagined to play an integral role from development through operations. From identifying, assessing, prioritizing, and adapting to risk across the applications, organizations are moving to a full view of their risk posture by employing security across the entire lifecycle.
In this episode of The New Stack Makers podcast, Ratan Tipirneni, president and CEO, Tigera discusses how organizations can take an active approach to security by bringing zero-trust principles to reduce the application’s attack surface, harness machine learning to combat runtime security risks and enable continuous compliance while mitigating risks from vulnerabilities and attacks through security policy changes.
Alex Williams, founder and publisher of The New Stack hosted this podcast.
According to a 451 Research report, 40% of organizations globally experienced a cloud-based data breach in the past 12 months. “The number of software components and the number of vulnerabilities and malware in zero-day attacks is going through the roof,” said Tipirneni. “There’s an unbounded number of threats coming in that are both known and unknown. But if you were to do everything right, you’re still going to end up with some breaches and need to automatically mitigate risk inside your environment to keep your applications running,” Tipirneni said.
As the cloud native landscape evolves, addressing these new challenges requires new “architectural building blocks for cloud native application security,” Tipirneni said. An approach that continuously monitors compliance, searches for vulnerabilities, reduces attack surfaces from development through production requires “a security strategy on a foundation of zero trust so you can minimize your attack surface,” Tipirneni added.
And as the shift to the work-from-anywhere model becomes mainstream and cloud applications continue to surge, it is redefining new developments like “security and observability is converging,” said Tipirneni. While DevOps and IT security have traditionally been treated as separate disciplines, their roles and responsibilities are increasingly moving toward the DevSecOps trend. “Solving the security problem and observability problem is your ability to instrument everything that is happening in the system at a very fine-grained level — from gathering the data and really making sense of the data,” said Tipirneni. “Developers try to work around security controls that are complex but bringing those two together puts the power in the developers’ hands” he added.
Information security and development teams have traditionally managed Tigera’s solutions like Calico and Envoy, but for cloud-first companies who do not have legacy applications “DevOps, Cloud Ops engineers are pretty much responsible end to end,” said Tipirneni. From deploying applications to troubleshooting and managing compliance and security, “the challenge they have is that there’s just way too much on their plate to do,” Tipirneni added.
Tigera has approached this “giving different teams different levels of permission to participate in the design and management of security and observability with the right level of permission so that the developer can set security permissions and rules,” he added.
A key challenge remains: the “volume of data is just overwhelming,” Tipirneni said. Tigera has worked to get “real time data about how workloads are behaving at the process level, the file system access, the system calls and the network behavior.” By looking for deviations at each of those levels, “indicators of compromise can be identified. And this is where more of the company’s investment and innovation is targeted next,” Tipirneni added.