Enterprises are rapidly adopting cloud-native architectures and design patterns to help deliver business values faster, improve user experience, maintain a faster pace of innovation, and ensure high availability and scalability of their products. Cloud-native applications leverage modern practices like microservices architecture, containerization, DevOps, infrastructure-as-code, and automated CI/CD processes.  

Cloud-native application security is a cloud-first approach used to deploy applications securely at scale by embedding security into the software development lifecycle to detect vulnerabilities earlier. This Refcard will walk through the critical challenges of cloud-native application security, demonstrate how to build security into the CI/CD pipeline, and introduce the core patterns and anti-patterns of cloud-native security. 

Cloud-native architectures bring in challenges related to application and infrastructure security. Let us look at a few of the most prominent challenges organizations face related to cloud-native security. 

Traditional Security vs. Cloud-Native Security: A Paradigm Shift 

Traditional security tooling is built for static environments and is ineffective in the dynamic and rapidly changing cloud-native landscape. Furthermore, with the advent of microservices, containers, service meshes, and multi-cloud environments, it has become increasingly difficult for organizations to track software vulnerabilities. As a result, there is an increased dependency on automation and continuous monitoring throughout the application lifecycle. 

Lack of Security Mindset 

When development teams build products, their primary focus areas are functionality and usability. Faster release cycles make it difficult to inspect and resolve security vulnerabilities correctly. In addition, development teams do not always have the required skillset to identify security issues and, at the same time, do not want to be slowed down by unknown security concerns. As a result, security often takes a back seat. However, it would be best to consider security an integral part of the DevOps pipeline amidst the need to deliver high-quality software in a cloud-native landscape. 

People and Change

One of the biggest challenges with enterprise transformations is not the underlying technology but the non-technical aspects of handling the change. Some common barriers to cloud adoption are the changes in people, operating models, governance, business practices, and the fast pace of innovation. Organizations need a structured approach to cloud adoption that includes aligning leaders, mobilizing teams, and engaging the entire organization. There needs to be alignment between IT and business leaders to lead the organizational journey and drive cultural change — as well as a focus on developing and creating a learning plan to upskill people. 

Software Dependency Problem 

By adding reusable external dependencies in the codebase, developers can leverage complex functionalities without developing and maintaining them. However, open-source libraries are susceptible to being compromised, causing security issues in your application. Therefore, you must do your due diligence to ensure that software dependencies are inspected for malware and vulnerabilities. 

Selecting the Right Real-Time Visibility Tools 

Security in the cloud brings a new set of challenges that your organization might not be trained to handle. Hence, it is imperative that you evaluate and finalize the right tools to secure your applications in a cloud-native world. With containers spinning up and down within seconds, you need tools to provide real-time visibility into your containerized environments. The attack surface in the cloud is rapidly increasing, and there are numerous cases of data breaches, compliance issues, and compromised APIs. From a security standpoint, having complete observability of your workloads by leveraging the right tools for logging, metrics, traces, and alerting is critical.   

Enforcing Consistent Security Policies and Guardrails

Today, enterprises leverage third-party security tooling and managed services provided by their public cloud provider to build their cloud security posture. However, it is challenging to develop centralized policies and guardrails that apply across your cloud-native environments. This requires your development teams to work closely with the security team. As a best practice, you should have guardrails in place, which can disallow actions that lead to policy violations. 

Lack of Automated Compliance Checks and Enforcement

Enterprises need a framework of controls to meet their compliance needs and manage risks effectively. There are several security standards and compliance certifications like HIPAA, FedRAMP, NIST 800-171, and PCI that customers need to satisfy their requirements. While architecting and deploying workloads in the cloud, you must ensure compliance with each workload and consider the unique requirements from a  security standpoint. You also want to validate that the services operate securely in a production environment. Finally, you need to continuously monitor and assess the security controls to ensure strict adherence to compliance regimes. 

Automation and Prioritization of Alerts 

Amidst the increasing number of breaches and cyber threats, you must ensure that your alarms are fine-tuned. Having to deal with redundant alarms can cause alert fatigue. In addition, if you get an overwhelming number of alerts with false positives, there is a high chance of missing out on critical alerts. Therefore, while designing cloud-native applications, it is crucial that you have automation in place to similarly aggregate alerts and visualize the severity of such alerts. 

Having DevOps processes in place improves efficiency, reduces failures, implements faster deployment cycles, enhances application performance, and provides better customer experience. Taking a step further, DevSecOps can be defined as a practice to deliver secure software through a continuous delivery model. Therefore, security should be considered an integral part of your CI/CD pipeline, as seen in Figure 1. Teams need to ensure that it is built into the application lifecycle phases in an iterative and automated manner. 

Figure 1: Building security into the DevOps pipeline 

Shift-Left Security Strategy 

The velocity and frequency of feature deployment has increased tremendously in this cloud-native world. A single security team in an organization cannot be entirely responsible for the security of all your applications in the cloud. Bridging the gap between development, operations, and security teams is critical to deploying secure applications. Building security controls into all your pipeline stages would be best to shift security left. Fixing security issues in production is expensive, and hence, incorporating security practices during the development phase is highly recommended. Shifting left requires collaboration and engagement between teams during the early stages of your development cycle. 

A shift-left strategy provides the foundation to build security from the ground up with necessary automation. It helps you to incorporate security into every phase of the software pipeline. Security is one of the key pillars of a well-architected framework, and you should adhere to the cloud security design principles.  

To scale your security and compliance operations, automation is critical. It would be best to apply security at all layers and automate security best practices: 

• Treat your infrastructure as code 
• Apply security guardrails to your environments 
• Gain in-depth visibility into your logs and metrics 
• Establish a scalable incident response system 
• Develop the ability to self-heal to a known good state 

Automated Testing

Hardening security requirements during the initial design and development phases is essential. It is best to encourage development teams to keep security in mind while writing unit, integration, and end-to-end tests. As a best practice, do not just focus on happy-path workflows but have effective coverage on negative workflows, boundary conditions, and edge cases. Always test the error handling scenarios’ authentication workflows and maintain extensive coverage for high-risk and frequently used code. Since testing is built into the CI/CD process, you cannot release code to production without passing tests. 

Static Code Analysis 

Static code analysis tools have many security-related rules covering well-established security standards such as OWASP Top 10 and CWE. You can also add custom rules to identify security issues. Security injection rules like cross-site scripting, SQL injection, denial of service, and code injection indicate problems at the application level that need to be addressed by developers who follow coding standards.  

Security hotspots are sensitive pieces of code to be reviewed during the code review process. However, when a security vulnerability is detected, it might have a broader impact on your application and need to be fixed immediately. As part of the CI/CD pipeline, every code change will get scanned by these security rules and flagged if there are outliers. You can fail your quality gates, as seen in Figure 2, when the security standards are not met. 

Figure 2: SonarQube Quality Gate 

Code Review

Peer code reviews are a common practice among development teams. You can implement mandatory code reviews to promote secure code writing by catching common mistakes and vulnerabilities committed to source control. When a pull request gets created for a particular functionality, ensure a security focus while reviewing the changes. Look out for secure practices like sanitizing outputs, proper secret management, no hardcoding of sensitive data, authentication workflows, session management, logging, and exception handling. 

Most of these steps can be automated by combining SAST (static application security testing) and DAST (dynamic application security testing) tools. SAST analyzes the source code without executing the application, whereas DAST finds vulnerabilities by analyzing a running application. Both of these testing techniques complement each other and help test security vulnerabilities throughout the software lifecycle. 

You can use tools to visualize vulnerability data in real time and recommend actions to improve the overall security posture in your organization. While running cloud-native applications, securing both the application and infrastructure layer is critical. Traditional security tools have limitations in a dynamic cloud environment. As security threats become more sophisticated, the importance of runtime protection and the ability to stop runtime attacks becomes of the utmost importance. You can minimize the impact of threats by having runtime security in place — continuous scanning of environments, having an incident management process, and auditing for security threats in real time. 

The cloud-native architecture enables organizations to build and run scalable applications in a dynamic environment. However, it does come with several challenges — security, cost, governance, observability, and more. Let us look at some of the best practices every development team working in the cloud-native space needs to embrace to secure their applications. 

Zero-Trust Architecture

Zero trust is a strategic approach to rebuild and modernize security by enforcing strict access controls to protect data, applications, and networks. By inspecting and monitoring network traffic to catch any malicious activity, the zero-trust architecture helps reduce the blast radius in case of a compromise. In a cloud-native architecture that uses a combination of microservices and containers, service mesh helps reduce the surface area of attack and implement the zero-trust security model. 

Identity and Access Management 

IAM is a core component of the security management posture within an organization that enables the proper entities to access the right resources. IAM protects against compromised access, safeguards resources within the network, and provides comprehensive security against phishing and ransomware attacks.  

Principle of Least Privilege

The least-privilege policy grants permissions to only the resources required to perform the task; no other access gets assigned. Having overprivileged users and roles in an organization increases the risk factor. With an increasing number of security breaches caused by privileged credentials, it is best to always validate policies and adopt the least-privilege principle by default. 

Secrets Management 

Cloud secrets management refers to tools and methods to securely manage secrets — passwords, certificates, SSH keys, encryption keys, and API tokens. You should have a strategy to rotate your passwords periodically. Public cloud providers offer managed services to handle secrets and their management. 

Incident Response 

Building incident response and triaging strategies are challenging when you have microservices running in a Kubernetes cluster in a cloud-native landscape. When you treat your workloads running in containers as cattle and not pets, performing post-mortem analysis and gathering audit trail events become difficult.  

Containers spin up and down frequently, and so, responding to security threats in a transient environment requires a different strategy. Incident response is critical to resolving security issues efficiently and spreading awareness within your organization about operational duties.  

Data Protection

Cloud-native microservices support polyglot persistence, and therefore, development teams have flexibility in choosing the appropriate database technology, as seen in Figure 3, for developing their services. These datastores can store both structured and unstructured data to support a variety of functions like search, reporting, time-series, caching, transactional, etc.  

Figure 3: Polyglot persistence in cloud-native applications  

Container Image Security 

Many organizations are running containerized workloads in production. Containers make it easy to package, deploy and run your code, thereby increasing the speed and portability of your application. It is necessary to secure the container image to secure your environment.  

Organizations can leverage open-source tools to detect anomalous behavior of applications running inside containers and send timely alerts. A continuous and automated monitoring strategy is necessary to address the increasing security risks associated with container environments. As a best practice, ensure that the images don’t contain any known vulnerabilities, do not have passwords and sensitive data included, do not contain misconfigurations, and are downloaded from trusted providers. Regularly scanning container registries in your organization is recommended to boost the quality of containerized deployments. 

Threat Modeling 

Developing services in the public cloud can trigger new security threats like malware and ransomware. You can leverage managed services provided by cloud providers or third-party vendors that use machine learning and artificial intelligence to identify security threats and vulnerabilities across your organization. 

Using Infrastructure as Code

Cloud-native architectures leverage the principle of immutability to manage infrastructure resources. If you need to make any configuration changes, you don’t modify the server; instead, build a new server with the updated configuration. IaC ensures consistency between environments and enables better DevOps practices by deploying infrastructure code in an automated and repeatable manner.  

Runtime Visibility

With enterprises growing their workloads rapidly and adapting multi-cluster/multi-cloud environments, it becomes crucial to have a centralized view of your systems. Furthermore, to have a sound observability strategy, you need to continuously profile your applications and collect a considerable volume of data round the clock.  

Security is a shared responsibility between the cloud service provider and its customers in the public cloud. The shared model helps to reduce the operational burden on customers, as the cloud provider protects the entire infrastructure containing the service deployments.  

At the same time, customers are responsible for securing the application code, data, identity and access, containers, and workloads running in the cloud that contain business logic. Once you have clarity on these shared responsibilities, development teams can focus on building business features and not worry about the day-to-day operational issues in the infrastructure layer.  

To summarize, the cloud provider is responsible for the security "of" the cloud, whereas the customer is responsible for the security "in" the cloud.   

Figure 4 below illustrates Microsoft’s shared responsibility model in the cloud and the various responsibilities between Microsoft and its customers.  

Figure 4: Microsoft’s shared responsibility model 

Image Source: "Shared responsibility in the cloud"

OWASP Top 10 is a set of development techniques that helps developers improve their web applications' security and enables teams to shift security earlier into the design and coding phases. It encourages guidelines like integrating security into the CI/CD pipeline, parameterizing queries, validating all inputs, implementing error handling, improving logging strategy, leveraging the benefits of security frameworks, protecting data at rest and encryption, reducing sensitive data exposure, implementing secure access controls, and more. 

Figure 5: OWASP Top 10 web application security risks 

Cloud-native architectures have seen rapid adoption in recent years. However, there are numerous security challenges due to this complex and dynamic landscape. Users have faced multiple security risks like data breaches, data loss, denial of service, insecure APIs, account hijacking, vulnerabilities, and identity and access management challenges. Enterprises need to continuously adapt security best practices to handle these issues, as were outlined in this Refcard.  

These core security concepts cannot be isolated and must be consistently integrated into the development lifecycle. Enterprises have been able to find ways to balance security and the speed of delivery by embracing automation, continuous delivery, and, most importantly, building a DevOps culture. 

It is highly recommended that Refcard readers also study the CNCF Cloud Native Security Whitepaper that focuses on key challenges of cloud-native application security, providing guidance to architects and developers.