Twistlock CTO John Morello on What Makes Distributed Security ‘Cloud-Native’

Why Cloud-Native Architectures Are Inherently More Secure
One of the most touted virtues of cloud-native application deployment is that it aims to free the software developer from having to worry about the state of their infrastructure. “Both the developer and the consumer rely on us,” wrote Chef Director of Product Marketing Michael Ducy in The New Stack last October, “to hide operational complexity and maintain freedom of choice.”
So one might get the impression that something that calls itself “cloud-native security” is a service provided on behalf of the maintainer of the cloud-native development space, who in more and more enterprises these days is not someone in operations. In recent months, Twistlock has been positioning itself less and less around just securing containers, even though that was clearly the company’s focus at this time last year. Twistlock’s take on cloud-native security, as CTO John Morello explained in his most recent appearance on The New Stack Makers, is that the development space occupied by the components of the CNCF stack (we all know what the “CN” stands for) deserves particular attention from the perspective of security.
Serverless functions do alleviate much of the burden for developers, Morello acknowledged, including for security. However, “you’re probably not going to be running an application that you’ve ported over from three dozen architectures, that’s been in your organization for a dozen years… into a function or set of functions.
“One of the reasons functions are able to simplify things for people,” the CTO continued, “is you give up a lot of capability. You’re going to trade off some of the ability to interact with things at a lower level of the host, and to really have some of the capabilities you might have if you were running in a container or a virtual machine. The tradeoff for that is you don’t have to worry about the underlying infrastructure. But that also means that some applications, or parts of applications, may not really be well suited for running in serverless functions.”
Since there will essentially always be a class of application that will run using models other than the newest ones on the block — for example, applications ported from older systems — organizations will continue to choose more comprehensive security services, Morello contends, that treat all aspects of the application environment equally. Therefore, it makes sense from Twistlock’s standpoint to have a security system that learns the behavior of all applications, and stage that system on a cloud platform alongside cloud-native apps.
Learn more about Morello’s and Twistlock’s evolved stance on security in the container, and beyond the container, in this latest edition of The New Stack Makers podcast, published in conjunction with the upcoming e-book on “Kubernetes Deployment & Security Patterns.”
Featured image of Fort Gorazda, Montenegro, built on high ground around 1884, by Wanus, released under Creative Commons 2.0.