In 2011, Netscape founder Marc Andreessen set off a wave by declaring that "software is eating the world". Seven years ago, Jonathan Bryce, founder of the OpenStack Foundation, added a corollary: "everything in the world comes from open source". As cloud computing has matured and become widely used, "cloud native" has become the biggest opportunity.
Now cloud native has also entered deep practice and is showing new value in the digital era.
Undoubtedly, cloud native is regarded as the most important direction for the development of cloud computing. It is not only the technical battleground of cloud service providers, but also the only way for enterprises to transform digitally and move to the cloud.
Looking at the present, in the evolution from "moving to the cloud" to "cloud native", the world is deeply involved in, and witness to, a cloud native technology change.
Cloud native brings epoch-making change
As cloud computing enters its mature stage of development, cloud native, as a key technology of the new infrastructure that supports digital transformation, is gradually emerging in AI, big data, edge computing, 5G and other fields and becoming a powerful engine for data-driven business scenarios.
IDC predicts that by 2022, 90% of new enterprise applications will use cloud native application development processes, agile methodologies, and API-driven architectures.
According to a survey report, there are approximately 6.5 million active cloud native developers worldwide, and approximately 4 million developers use serverless architectures and cloud approaches. 92% of organizations now use containers in production. Cloud native has brought three major changes to the industry.
First, cloud native technology has evolved from a single container technology into a large family of cloud native technologies. Cloud native arose from containers, and then, driven by the three core technologies of containers, microservices and DevOps, rapidly developed into a full-stack technology system. Second, cloud native industry applications have spread from the Internet to every industry. In the early market for cloud native technology, Internet enterprises were the main force applying it.
In recent years, users in traditional industries such as government, finance and manufacturing have clearly accelerated their adoption of cloud native, and cloud native has begun to blossom across major industries. Third, cloud native thinking has developed from single-point technology thinking into systematic industry thinking. At its birth, cloud native was based on container technology and optimized application delivery in directions such as microservice governance, DevOps and CI/CD. Its core purpose is to make application development, deployment, operation and maintenance easier.
Now, with cloud native applied in depth to business scenarios across industries, a cloud native way of thinking has become the consensus: moving from the earlier single-point technology thinking to systematic industry thinking, cloud native has begun to try to cover business infrastructure, applications, data, security and other aspects universally, in order to satisfy the demands of customers' digital transformation in each industry.
Cloud native architecture introduces new risks
While the benefits are clear, cloud native architecture also introduces a variety of new security risks and potential sources of vulnerabilities. Existing approaches to application security were not designed for the new paradigm.
Instead, DevOps teams need a new approach that helps them better identify potential risks and lets them integrate vulnerability management into their development and delivery processes.
Early on, software development was treated as a linear process, but the rise of cloud native architectures has led to highly dynamic application environments.
Here, change is the only constant: according to the study, 61 percent of organizations believe their environment changes every minute or less.
The dynamic nature of cloud native, container-based environments, and the need to keep up with the speed of agile development, make it harder to detect vulnerabilities and manage application security.
According to a survey report, during the first half of 2020, there were 160 attacks on honeypots every day.
Ninety-five percent of these attacks were aimed at hijacking resources, while five percent were aimed at launching denial-of-service attacks.
The study also showed that microservices, containers, and Kubernetes created application security blind spots for 89% of CISOs.
How is cloud native security different?
So how does cloud native security differ from traditional security? In fact, cloud native security is not unique: the traditional security problems still exist in a cloud environment, such as unauthorized access, data leakage, DoS attacks, internal data tampering and vulnerabilities, but the multi-tenancy, virtualization, speed and flexible expansion of cloud native architectures pose new challenges to certain aspects of traditional security.
If you have to sum up the difference between traditional security and cloud native security in one sentence, it can be summarized as follows: traditional security attaches more importance to border protection, while cloud native security attaches more importance to continuous security.
It also makes traditional security practices ill-suited to this environment. In fact, cloud native architectures fundamentally undermine application security.
Traditional vulnerability management approaches cannot keep up with these dynamic environments because they can only provide a static view of a single moment in time, making them increasingly inefficient and prone to blind spots.
How to protect cloud native applications?
Security cannot be an afterthought when it comes to cloud-native applications.
Security must be integrated into continuous integration and continuous delivery (CI/CD) processes, not dependent on fixed solutions and methodologies.
Adopting a risk-based approach is critical, but it is not the complete solution. A complete solution combines it with several other layers of security that go beyond detection and assessment to remediation or mitigation.
These measures include shifting security left, application boundary security, minimal roles and permissions, shared responsibility for security, and so on.
Shift security to the left
Many enterprises still use their existing tools, which cannot handle the speed, scale and dynamic networks of cloud native application environments.
Adding serverless functionality to the mix makes the whole infrastructure more abstract, making the problem worse.
Cyber attackers look for vulnerabilities in container and serverless code, as well as misconfigurations in cloud infrastructure, to gain access to entities that contain sensitive information, and then use them to escalate privileges and attack other entities.
Another problem is that companies are constantly developing, testing, and releasing applications with CI/CD tools.
When deploying cloud native applications with containers, developers obtain images from local or public registries but generally do not check whether those images carry security risks. One solution is to give security teams tools that keep untrusted images out of CI/CD pipelines, and mechanisms that stop untrusted images from causing security problems before they reach production. By scanning images early in the development process for vulnerabilities, malicious components and so on, developers can enforce security standards.
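The pipeline gate described above, as an added example (not code from the original article or from any vendor mentioned in it): it parses an image reference, rejects images from registries outside an allow-list, requires the image to be pinned by digest so that the artifact deployed is the one that was scanned, and blocks on scan findings above an accepted severity. The registry names, image references and scan findings are constructed for the demonstration; the `Finding` records stand in for whatever a real scanner would report.

```python
"""Image gate for a CI/CD pipeline: reject an image if it comes from a registry
outside the allow-list, is not pinned by digest, or carries scan findings above
the accepted severity. Added example; registry names, image references and
scan findings are constructed, not real scanner output."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed allow-list of registries the security team trusts (assumption).
TRUSTED_REGISTRIES = {"registry.internal.example", "mirror.example.com"}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    vuln_id: str          # constructed identifier, not a real CVE
    severity: str
    fixed_version: str = ""


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: str
    digest: str


def parse_image(ref: str) -> ImageRef:
    """Split 'registry/repo[:tag][@sha256:...]' into its parts. A reference with
    no registry component (e.g. 'nginx:1.25') is treated as Docker Hub."""
    digest = ""
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    # the first path component is a registry only if it looks like a host
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # a ':' after the last '/' separates the tag from the repository
    last_slash, colon = path.rfind("/"), path.rfind(":")
    if colon > last_slash:
        return ImageRef(registry, path[:colon], path[colon + 1:], digest)
    return ImageRef(registry, path, "", digest)


def evaluate(ref: str, findings: List[Finding],
             max_severity: str = "MEDIUM") -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). The gate fails closed: any violation blocks."""
    img = parse_image(ref)
    reasons = []
    if img.registry not in TRUSTED_REGISTRIES:
        reasons.append(f"untrusted registry {img.registry}")
    if not img.digest:
        # a tag can be re-pointed after the scan; only a digest is immutable
        reasons.append(f"image not pinned by digest (tag {img.tag or 'latest'!r} is mutable)")
    limit = SEVERITY_RANK[max_severity]
    for f in findings:
        if SEVERITY_RANK[f.severity] > limit:
            fix = f" (fix available: {f.fixed_version})" if f.fixed_version else ""
            reasons.append(f"{f.vuln_id} is {f.severity}{fix}")
    return (not reasons, reasons)


if __name__ == "__main__":
    pinned = "registry.internal.example/app/api:1.4.2@sha256:" + "a" * 64
    # constructed scan results for three candidate images
    for image, scan in [
        (pinned, [Finding("VULN-EXAMPLE-1", "LOW")]),
        (pinned, [Finding("VULN-EXAMPLE-2", "HIGH", "2.0.1")]),
        ("nginx:latest", []),
    ]:
        ok, why = evaluate(image, scan)
        print("ALLOW" if ok else "BLOCK", image, why)
```

The gate collects every reason rather than stopping at the first, so a developer sees all the fixes needed in one pipeline run; the digest check matters because a mutable tag can point at a different image by the time the deployment step pulls it.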
Application boundary security
One important way to do this is to use APIs and application security tools built for cloud native environments. In addition, a common practice is to apply boundary security at the function level: identify whether a function is being triggered by a source different from the usual one, then monitor for anomalies in the event trigger. In a containerized environment it is important to implement security at every level: the orchestration control plane, physical hosts, pods and containers.
Some of the best orchestration security practices include node isolation, limiting and monitoring traffic between containers, and using third-party authentication mechanisms for the API server.
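The function-level trigger check described above, as an added example (not code from the original article): it learns, from a window of invocation records, which event source and principal normally trigger each function, then flags live invocations whose source or principal falls outside that baseline. The log format, function names, sources and principals are all constructed for the demonstration; a real platform's invocation logs would need their own parser in place of `parse_log`.

```python
"""Function-level boundary check: learn which event sources and principals
normally trigger each function, then flag invocations outside that baseline.
Added example; the log lines are constructed, not from any real platform."""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed learning-window records (assumption: one JSON object per line
# with the function name, the event source and the principal that fired it).
BASELINE_LOG = """\
{"ts":"2021-05-01T10:00:01Z","function":"resize-image","source":"storage:bucket/uploads","principal":"svc-upload"}
{"ts":"2021-05-01T10:00:05Z","function":"resize-image","source":"storage:bucket/uploads","principal":"svc-upload"}
{"ts":"2021-05-01T10:01:00Z","function":"send-receipt","source":"queue:orders","principal":"svc-checkout"}
{"ts":"2021-05-01T10:02:00Z","function":"send-receipt","source":"queue:orders","principal":"svc-checkout"}
"""

# Constructed live records: one unusual source, one unusual principal.
LIVE_LOG = """\
{"ts":"2021-05-02T09:00:00Z","function":"resize-image","source":"storage:bucket/uploads","principal":"svc-upload"}
{"ts":"2021-05-02T09:00:07Z","function":"resize-image","source":"http:public-gateway","principal":"anonymous"}
{"ts":"2021-05-02T09:00:09Z","function":"send-receipt","source":"queue:orders","principal":"svc-checkout"}
{"ts":"2021-05-02T09:00:10Z","function":"send-receipt","source":"queue:orders","principal":"user:alice"}
"""


def parse_log(text: str) -> List[dict]:
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(records: Iterable[dict]) -> Dict[str, Set[Tuple[str, str]]]:
    """Map each function to the (source, principal) pairs seen while learning.
    A function never seen in the window has no baseline, so every live
    invocation of it is reported."""
    baseline: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for r in records:
        baseline[r["function"]].add((r["source"], r["principal"]))
    return baseline


def detect_anomalies(baseline: Dict[str, Set[Tuple[str, str]]],
                     records: Iterable[dict]) -> List[dict]:
    """Return live records whose (source, principal) pair is not in the
    function's baseline, with a reason naming which half is new."""
    alerts = []
    for r in records:
        known = baseline.get(r["function"], set())
        if (r["source"], r["principal"]) in known:
            continue
        known_sources = {src for src, _ in known}
        reason = "unknown source" if r["source"] not in known_sources else "unknown principal"
        alerts.append({"ts": r["ts"], "function": r["function"],
                       "source": r["source"], "principal": r["principal"],
                       "reason": reason})
    return alerts


def run() -> List[dict]:
    """Learn from BASELINE_LOG, then check LIVE_LOG; returns the alerts."""
    return detect_anomalies(build_baseline(parse_log(BASELINE_LOG)), parse_log(LIVE_LOG))


if __name__ == "__main__":
    for a in run():
        print(f"{a['ts']} {a['function']}: {a['reason']} ({a['source']} / {a['principal']})")
```

Keying the baseline on the (source, principal) pair rather than the source alone is what catches the second case, where the expected queue delivers an event under a principal that has never fired the function before; a source-only baseline would pass it silently.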
Minimum role and minimum permission
There is a great deal of frequent interaction between cloud native resources. If you can configure a unique set of permissions for each serverless function or microservice, you have a high probability of improving security.
Access control can be strengthened by using IAM on a per-function basis, or by granting containers permissions at a fine granularity. Take the time to create minimal roles, or a minimal set of permissions, for each function or container.
This ensures that if a single point in the cloud native architecture is compromised, the damage is minimal.
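A check for the per-function minimal permissions described above, as an added example (not code from the original article and not tied to any particular cloud provider's IAM): given what each function is known to need, it lints a policy document for wildcard actions or resources, actions granted that the function does not use, and needed actions the policy fails to grant. The policy layout (a list of `Statement` objects with `Effect`, `Action` and `Resource`) is a generic shape assumed for the demonstration, and the function names, actions and resource names are constructed.

```python
"""Least-privilege lint for per-function policies: flag wildcard grants, excess
actions a function does not need, and needed actions that are not granted.
Added example; the policy shape, function names and actions are constructed."""
import fnmatch
import json
from typing import List

# Constructed: the actions each function actually performs (assumption:
# gathered from code review or invocation traces).
REQUIRED_ACTIONS = {
    "resize-image": {"storage:GetObject", "storage:PutObject"},
    "send-receipt": {"queue:ReceiveMessage", "mail:Send"},
}

# Constructed: a broad policy and a minimal one for the same function.
BROAD_POLICY = json.loads("""
{"Statement": [{"Effect": "Allow", "Action": ["storage:*", "queue:*"], "Resource": "*"}]}
""")

MINIMAL_POLICY = json.loads("""
{"Statement": [
  {"Effect": "Allow", "Action": ["storage:GetObject", "storage:PutObject"],
   "Resource": "storage:bucket/uploads/*"}
]}
""")


def _as_list(value) -> list:
    """Policy fields may hold a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def granted_actions(policy: dict) -> List[str]:
    """All action patterns from Allow statements (Deny statements are ignored
    here, since the lint is about what is granted)."""
    acts: List[str] = []
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow":
            acts.extend(_as_list(st.get("Action", [])))
    return acts


def lint_policy(function: str, policy: dict) -> List[str]:
    """Return findings; an empty list means the policy is minimal for the
    function's declared needs and covers all of them."""
    findings: List[str] = []
    needed = REQUIRED_ACTIONS.get(function, set())
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for res in _as_list(st.get("Resource", [])):
            if res == "*":
                findings.append("resource wildcard '*' grants access to every resource")
        for act in _as_list(st.get("Action", [])):
            if "*" in act:
                findings.append(f"action wildcard {act}")
    granted = granted_actions(policy)
    # excess privilege: concrete actions granted that the function never uses
    for act in granted:
        if "*" not in act and act not in needed:
            findings.append(f"{act} granted but not needed by {function}")
    # missing privilege: needs not covered by any grant (wildcards count)
    for need in sorted(needed):
        if not any(fnmatch.fnmatchcase(need, pat) for pat in granted):
            findings.append(f"{need} needed but not granted")
    return findings


if __name__ == "__main__":
    for name, pol in [("broad", BROAD_POLICY), ("minimal", MINIMAL_POLICY)]:
        print(name, "->", lint_policy("resize-image", pol) or "OK")
```

Running the same minimal policy against a different function ("send-receipt") reports both the excess storage actions and the missing queue and mail actions, which is the point of keeping a separate minimal role per function rather than one shared role.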
Build a close relationship between developers, DevOps, and the security team. Developers are not security experts, but they can be educated about security practices to ensure that they can write code safely.
The security team should know how applications are developed, tested and deployed, and which tools are used in those processes, so that it can effectively incorporate security elements into them. At the same time, domestic cloud computing vendors such as Tencent Cloud are building more targeted solutions based on cloud native security needs.
Recently, Tencent Cloud officially released the Cloud Host Security flagship edition, which meets the current new demand for cloud native security protection and helps enterprises efficiently address new cloud security challenges, including security compliance, advanced threats, multi-cloud management and emergency response.
Tencent Security builds its host security protection system around the four stages of "prevention → defense → detection → response", based on users' core needs.
At the same time, the Cloud Host Security flagship edition relies on seven core engines, protection for millions of endpoints and ten billion items of threat data to help enterprises protect their core assets in real time and meet the requirements of compliance, asset risk management and intrusion prevention.
Problems often contain opportunities. Both traditional security and cloud security emphasize the ability to deal with security risks, but as a new scenario, cloud native security solves the problems of cloud scenarios in its own way; it has more room to develop than traditional security, is not bound by the inherent thinking of traditional security defense, and can innovate from more angles. With the advent of the digital era, more and more security vendors are changing their role from "firefighter" to "designer" of security architecture.
They are evolving traditional attack-and-defense solutions into a three-dimensional security architecture capable of both attack and defense, and connecting separate security products into a coordinated security system that escorts the sustainable security of enterprises.