
Cloud-Native Security Challenges and Opportunities

Apps born in the cloud present unique security challenges that many companies are not prepared to meet.

by Brendon Macaraeg · Mar. 13, 19 · Presentation

Cloud computing is often the cornerstone of digital transformation efforts, and with the growth of cloud computing platforms like Amazon Web Services and Google Cloud Platform, cloud services are increasingly accessible. The move to cloud-native applications (also known as just cloud-native) is accelerating and is already the default for over 60% of companies when they design, build and deploy their applications. However, the ability of companies to gain threat visibility and deploy effective security measures within production environments remains a visible gap.

Evidence of this gap surfaced in a recent survey co-sponsored by Signal Sciences, Duo and Capsule8, “The State of Cloud Native Security.” The report surveyed 486 IT leaders to better understand the security challenges and opportunities of the shift toward cloud-native applications in production environments.

This post covers the high-level findings from the survey within the context of the security challenges facing organizations that want to build cloud-native applications to drive digital transformation within their organizations. 

Primary Drivers to the Cloud

Three primary drivers lead organizations down the path to cloud-native apps:

  1. Modernizing operations to sustain the business
  2. Enabling faster time to market 
  3. Increasing operational efficiencies

While the motivations varied across companies by size and industry, they all share similar end goals.

Security Risks of Cloud-Native

Regardless of business objectives, the results of the survey responses underscore that security risks pose significant challenges to organizations that want to deploy cloud-native applications.

  • Organizations struggle to balance security with the efficient deployment of production applications. 40 percent of respondents’ organizations do not currently have a DevOps function in place. The cause? Half said the lack of appropriate skills on their security teams was the primary obstacle to forming a DevOps practice.
  • False positives continue to plague IT and security organizations. 46 percent of those surveyed said that more than half of production environment security alerts were false positives.
  • Poor analytics is the number one cause of false positives. Nearly half of respondents reported this as a primary issue.
  • Organizations have limited real-time visibility into attacks. 73 percent say they lack actionable, fine-grain, real-time insight into threats and ongoing attacks.

Meeting Cloud-Native Security Challenges

The majority of enterprises today rely on web application firewalls (WAF) to secure their production environments. But the very largest enterprises studied – those with more than $20 billion in annual revenue – use RASP, or runtime application self-protection.

RASP, another web application security technology, attracted the attention of DevOps and security practitioners because it embeds directly within the application and collects telemetry at runtime. Signal Sciences' next-gen WAF and RASP technology eliminates the legacy WAF dependency on rules tuning while leveraging the code-layer instrumentation of RASP to gain detailed request and response data. For a more detailed explanation of the nuances of RASP approaches, check out our video: The Pros and Cons of RASP in 8 Minutes.

Worth mentioning is that both legacy WAFs and some RASP approaches are limited in their ability to protect against anything beyond core OWASP attacks. Yet the attack surface has grown, as have the techniques, making it important to gain visibility over unique application abuse and misuse cases like discount code abuse, fraudulent transactions, content scraping, and many other use cases. Signal Sciences can do so automatically with Power Rules — while maintaining performance at scale.

Budget Sources for a WAF Investment

Automated attack coverage sounds great, but organizations that recognize the need for adding a web application security technology to their security infrastructure must find the funds for the investment.

Budget sources to fund a WAF purchase differ by company, but the majority fund a purchase either from their network security or application security line items in their overall IT budget. Regardless of the funding source, organizations are increasing their investments in strategic areas such as application and data security. By 2019, Gartner predicts that organizations will have increased their combined spend on application and data security tools by 61 percent.

The survey responses revealed that the larger the organization, the more likely its management team will leverage application security budget for WAF investments.

The Strategic Necessity of Application Security

In an era where both CISOs and security staff know their number one goal is to stop data breaches, application security is not only vital but a strategic necessity. But preventing a breach requires the ability to identify attacks in the first place. While 80 percent of respondents think that the rate of attacks on their production environments has at least doubled over the last year, many are still not able to detect attacks effectively. More striking, when asked what percentage of attacks they can detect in their production systems, over a third said “less than 50 percent.” Clearly, these organizations need effective tools that will provide them not only with attack visibility but also with the means to stop those attacks.

We invite you to learn in more depth how your peers are navigating the security challenges of the journey to cloud-native and how Signal Sciences can help you meet those challenges with our patented technology that automates web application security.

Published at DZone with permission of Brendon Macaraeg. See the original article here.
