Cloud Native Security
Cloud native applications are built in and for the cloud. At a high level, “cloud native” is a new way to design and build applications that takes full advantage of the cloud’s built-in capabilities, such as auto-scaling, continuous deployment, and automated management. Using IaaS platforms (like AWS, Microsoft Azure, and Google Cloud) as a foundation, teams assemble open source software into new tools and services that respond faster in the age of the customer. For developers, cloud native is a way to ship quickly and often without sacrificing reliability. Because everything is automated and resources are consumed only as needed, it also saves a great deal of money.
Cloud native applications are usually built with a microservices or container-based approach and run on Linux. These apps are designed to be lightweight, flexible, and focused on a single task. Together, they act like small building blocks that are assembled to achieve speed, scalability, and efficiency gains that a monolithic architecture cannot match.
What “Cloud Native” Means
- Microservice centric: A cloud-native application is built on microservices. Traditional monolithic applications do not lend themselves to continuous deployment, continuous updates, and automatic scaling, which are among the main benefits the cloud offers.
- Cloud portable: Your applications should not be tied to a single cloud platform. Communication between application components is easier in a cloud-native environment because service APIs are consistent across services, and open source or common functions for tasks like deployment, monitoring, and workload management can run on different clouds.
- Managed automatically: Tasks like deploying, updating, monitoring, and scaling are handled by the system itself rather than performed manually. Manual tasks, such as security analysis or initial setup, are the exception rather than the rule.
What Cloud Native Is Not
Moving some parts of your application environment to run in a few EC2 instances does not make you cloud native.
Packaging your monolithic applications with APIs does not make them cloud native either. You must change the way your applications are built so that they are distributed, service-driven, and on-demand, and the same applies to your data and workload management services.
Understanding the Cloud Native World
What does the cloud native landscape look like today?
More than half of new applications will run in containers at some point during their lifecycle by 2018, and containers are already in use at more than 90% of Fortune 500 companies. Change is happening quickly: cloud native is a new approach, but it is already transforming industries.
The current cloud native landscape is shaped by three big trends:
- Building on IaaS: With IaaS capabilities already in place on AWS, Microsoft Azure, and Google Cloud, workloads can be integrated so that they run only when they are needed.
- Adopting microservices: Companies like Google and Netflix show how microservices work in practice. Microservices break a single application into smaller parts that each do a specific job, which cuts much of the time and cost of building, deploying, and managing applications.
- Embracing event-driven computing: Event-driven computing, also known as serverless, lets you run code without provisioning servers first. It simplifies the management of computing resources and boosts productivity by separating software development from server administration. Services like AWS Lambda, Azure Functions, and Google Cloud Functions make this shift possible.
How a Cloud Native Architecture can help you
A cloud native architecture enables speed, business efficiency, almost limitless computing power, and a level of scalability and efficiency that cannot be achieved with the traditional on-premises IT model, or by simply moving the “old way of doing IT” to a public cloud vendor like AWS, as most organizations do. It requires a major change in how applications are built and deployed, and it also has a big impact on how teams and organizations work together and how your business responds to changes in the market.
Organizations that adopted a cloud native architecture saw more flexibility and better support for continuous deployment. Elasticity and continuous deployment are two of the most important features of the cloud native era because they enable unlimited growth and business agility.
The Problem with Cloud Native Security
Cloud native is a new and exciting way to design and build applications, but it brings a whole new set of security challenges. Moving to a microservices model makes end-to-end visibility, monitoring, and detection much harder. Similarly, although most microservices applications run on Linux, there is not yet a way to protect the entire Linux stack. And the security industry is not used to operating and making security decisions at the “service” level, so this is new territory.
As a result, some of the security assumptions we used to make may no longer hold, such as the presence of an agent, a network perimeter, and full end-to-end visibility. Our old security tools, like server monitoring, may not work well in the cloud.
Cloud native teams build applications, deploy them, and manage their infrastructure in a very different way. Cloud native applications need new security approaches, or we risk eroding the benefits of cloud computing itself.
Cloud native security: what should you think about?
There are still many open questions about how to manage and secure cloud native applications in the real world, and they become more pressing as more businesses adopt this model.
Is security different in a cloud native environment than in a more “traditional” one? If so, how should that change your security strategies and controls? A few of the top concerns for cloud native environments:
- Continuous software delivery and deployment require continuous security: In cloud native environments, microservices and containers are replacing monolithic and traditional multi-tiered applications, and software delivery and deployments are becoming more and more frequent. Companies like Amazon and Target push hundreds of deployments every day. Environments like these need security checks that are lightweight, continuous, and built into the deployment tool chains; otherwise, they will be skipped.
- Protecting server workloads is critical: Traditional enterprise security focuses on securing endpoints, segmenting the network, and protecting the perimeter. In a cloud-first world, you may not be able to rely on fixed routes, gateways, network perimeters, or even the presence of an agent. The main threat surface is now your data center: your server workloads are more exposed to attack than they were before. As a result, protecting the data center and server workloads deserves far more attention.
- Runtime detection at speed and scale: In a microservices model, end-to-end visibility and monitoring become harder and more time-consuming, especially when deployments and upgrades happen constantly. A detection system cannot rely too heavily on static “signatures”; it needs to adapt quickly in real time without slowing down or destabilizing the production environment.
- Protecting a hybrid stack: Some microservices applications run in containers on virtual machines, while others run on bare-metal Linux, and both must be protected. Today, the security functions that protect the host, the VM layer, the container, and the applications are often separate and do not work together. This adds unnecessary complexity and makes real-time security response difficult. For example, would you place a mission-critical container on a VM that needs to be patched? And how would you know the VM needs patching without VM-level visibility? In a hybrid stack made up of the Linux host, VMs, containers, and finally the application and its services, there is an urgent need for these layers to work together.
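To make the first concern concrete, here is a minimal sketch of a lightweight security gate that could run inside a deployment pipeline. The manifest fields, deny-list, and policy rules are all hypothetical, chosen only to illustrate the shape of such a check:

```python
# Minimal sketch of a pipeline security gate (hypothetical manifest fields
# and policy rules). An empty result means the deployment may proceed.

BLOCKED_BASE_IMAGES = {"ubuntu:14.04", "debian:7"}  # assumed end-of-life list

def security_gate(manifest: dict) -> list:
    """Return policy violations for a deployment manifest."""
    violations = []
    if manifest.get("base_image") in BLOCKED_BASE_IMAGES:
        violations.append("end-of-life base image: %s" % manifest["base_image"])
    if manifest.get("runs_as_root", True):
        violations.append("container runs as root")
    for port in manifest.get("exposed_ports", []):
        if port < 1024 and port not in (80, 443):
            violations.append("privileged port exposed: %d" % port)
    return violations

# A deployment that would be blocked:
bad = {"base_image": "ubuntu:14.04", "runs_as_root": False, "exposed_ports": [22]}
print(security_gate(bad))
```

Because the check is pure policy evaluation taking milliseconds, it can run on every single deployment without slowing the pipeline down, which is exactly what keeps it from being skipped.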
What Cloud Native Security Should Look Like
Before businesses plan a security strategy for their move to the cloud, they should consider the following:
- Heavy automation in security: Traditional, alert-driven security operations cannot keep up with cloud native systems that are almost infinitely large and dynamic, so manual workflows are out of the question. Cloud native security needs to detect and respond to threats automatically, at scale.
- Design with “chaos” in mind: In a microservices architecture, any function can be composed of many software parts assembled at runtime. From a security point of view, this means detection logic and controls cannot rely on knowing the operational state and security health of the system in advance. Instead, cloud native security should apply chaos engineering principles: try things out early, test often, and fix failures quickly.
When you build a cloud native application, you must be able to detect problems quickly, contain them locally, and recover from them fast. In such an environment, it is often impossible to make global security decisions quickly, so prioritize fast detection, containment, and recovery before malicious behavior spreads system-wide. Even if a security decision is not 100% correct (they rarely are), acting locally and quickly makes your system more resilient in the long run.
Finally, what should your cloud native security solution include? In this post, I focus only on run-time capabilities. The features I consider most important:
- Visibility and decision support across the hybrid stack: In the cloud native data center, you need visibility even when your applications are distributed and your services are dynamic. Even if your containers are short-lived, you still need to see what is going on inside them. To support fast decisions, information from these different layers should feed into an engine that can act on it in real time.
- Fast detection and response that keeps the “blast radius” small: Your security solution must ensure that if a breach occurs, the fallout is confined to a small area. This calls for quick decisions and smart controls that stop bad behavior before it causes irreversible damage. In a cloud native world, a smart detection system should be able to recognize when an attack is starting and adapt the controls around where it happens.
- Scalable monitoring and investigation: Cloud native workloads can be hard to investigate because there are so many moving parts and API services. Monitoring and security investigation must not degrade performance or demand excessive storage, which means the monitoring and investigation architecture must be distributed, free of system bottlenecks, and able to grow with the workloads.
- Seamless integration with orchestration and automation tools: In a cloud-first environment, you might use Kubernetes, OpenShift, Amazon ECS, or Google GKE to run your container workloads, and tools such as Chef, Puppet, or Ansible to automate deployments. Seamless integration with these components means the security tool can be installed automatically alongside the workloads it protects, which is essential in a cloud native environment.
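The “small blast radius” requirement above can be sketched as a purely local decision function: act only on the workload where the detection fired. The detection fields, confidence threshold, and action names below are invented for illustration, not a real API:

```python
# Sketch of local containment logic that keeps the blast radius small.
# Detection fields, threshold, and action names are illustrative only.

def contain(detection: dict) -> list:
    """Choose containment actions scoped to the affected workload only."""
    actions = []
    if detection.get("confidence", 0.0) >= 0.7:
        # Quarantine just the one workload, not the whole service.
        actions.append("isolate:" + detection["workload"])
    if detection.get("lateral_movement", False):
        # Cut off credentials the attacker could reuse elsewhere.
        actions.append("revoke_service_token")
    return actions

print(contain({"workload": "billing-7f9c", "confidence": 0.9,
               "lateral_movement": True}))
```

Acting on a single workload keeps a wrong decision cheap to reverse, which is the same resilience argument made in the “chaos” section above.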
In the future, containers and event-driven computing will replace physical servers and first-generation virtual machines. Security must find its place in this new environment, gaining visibility and mitigating risk while enabling innovation and adapting to the complexities of continuous delivery in a cloud native world.
The Old Way: Manual Investigation
Investigation in a traditional SOC takes a lot of manual work: people dig through alerts and event logs to figure out what happened. With many security devices generating logs and alerts, a typical SOC sees thousands of alerts and terabytes of log files every day.
A SOC analyst may have to handle hundreds or even thousands of alerts a day just to keep up with the volume. No matter how many analysts they add, SOCs still fall behind on alert handling and threat identification.
In addition, many SOCs do not use effective metrics to measure how well their operations work. When a SOC measures how many alerts each analyst can handle per hour, it is running on human fuel, and the only way to scale is to add more people to keep the fire going. There is little doubt about how that strategy will work out.
Modern Detection is as much about engineering as it is about security.
Today, detection is less about humans poring over event logs. Tools, programs, and automated workflows help you quickly surface interesting events and threats even amid huge volumes of data.
A very different way to approach the detection problem is to apply engineering principles: build logic and tools that not only automate detection, but also keep producing new detection and response logic over time.
Detection programs rely on many kinds of logic. For example, alerts can be automatically contextualized by pulling information from endpoints, network logs, Active Directory, and so on. This cuts down the time a human analyst spends jumping between devices and tools just to gather background on an alert.
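A contextualization step like this can be sketched with in-memory lookups standing in for the real data sources; the two dictionaries below are stand-ins for an endpoint inventory and an Active Directory export, and all field names are invented:

```python
# Sketch: automatic alert contextualization. The two dictionaries stand in
# for real data sources (endpoint inventory, Active Directory export).

ENDPOINT_DB = {"10.0.0.5": {"hostname": "web-01", "os": "linux"}}
DIRECTORY_DB = {"alice": {"department": "finance", "privileged": False}}

def contextualize(alert: dict) -> dict:
    """Attach endpoint and user context so the analyst starts with background."""
    enriched = dict(alert)
    enriched["endpoint"] = ENDPOINT_DB.get(alert.get("src_ip"), {})
    enriched["user_info"] = DIRECTORY_DB.get(alert.get("user"), {})
    return enriched

alert = {"rule": "suspicious_login", "src_ip": "10.0.0.5", "user": "alice"}
print(contextualize(alert))
```

In a real deployment the lookups would be API calls, but the shape is the same: the analyst opens the alert with the background already attached.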
Another example might be a rule that automatically starts a second-factor authentication challenge or forces a password reset when a risky event occurs.
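Such a rule reduces to a small decision function. The risk scores, thresholds, and action names below are invented purely for illustration:

```python
# Sketch: an automated response rule for risky events.
# Risk scores, thresholds, and action names are illustrative.

def respond(event: dict) -> str:
    """Map an event's risk score to an automated response."""
    score = event.get("risk_score", 0)
    if score >= 80:
        return "force_password_reset"
    if score >= 50:
        return "require_second_factor"
    return "log_only"

print(respond({"user": "alice", "risk_score": 65}))  # a medium-risk login
```

The point is not the thresholds themselves but that the response fires in milliseconds, without waiting for a human to read the alert.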
Applying the principles of software engineering to detecting threats
So, which software engineering principles should be applied to threat detection? Below is a list of established practices and how they map to modern detection engineering.
- Unit test detection rules: Every new detection rule needs thorough unit tests to confirm that it works. You can write scripts or simulations that attack the detection rules, or the assumptions they are built on.
- Integration test detection workflows: Detection workflows are often complex and may touch many teams and the whole company’s infrastructure. Use integration testing principles to make sure detection workflows are both effective and safe, just as you would test a build pipeline or an automated configuration management process.
- Codify common tasks into tools: Software developers package well-understood tasks into “subroutines”; likewise, detection tasks and workflows can be codified into automated tools or programs to cut down on manual work and speed up response.
- Build in feedback loops: Make sure there is always a way to collect feedback and improve your detection system. Set up feedback loops with infrastructure components, security devices, and even different teams and users. This feedback will make your detection programs better and more accurate over time.
- Maintain a repository and accountability: Like a well-run software engineering organization, keep detection rules and codified workflows in a centrally managed repository, and track efficacy metrics for rules and detectors so they can be improved over time.
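The unit-testing principle above can be illustrated with a toy brute-force rule and the standard library’s `unittest`. The rule, its threshold, and the event format are all invented for this sketch:

```python
# Sketch: unit-testing a detection rule against simulated events.
# The rule, threshold, and event format are invented for illustration.

import unittest

def detect_brute_force(events, threshold=5):
    """Flag sources with `threshold` or more failed logins."""
    failures = {}
    for e in events:
        if e["type"] == "login_failure":
            failures[e["src"]] = failures.get(e["src"], 0) + 1
    return {src for src, n in failures.items() if n >= threshold}

class TestBruteForceRule(unittest.TestCase):
    def test_fires_at_threshold(self):
        events = [{"type": "login_failure", "src": "198.51.100.7"}] * 5
        self.assertEqual(detect_brute_force(events), {"198.51.100.7"})

    def test_stays_quiet_below_threshold(self):
        events = [{"type": "login_failure", "src": "198.51.100.7"}] * 4
        self.assertEqual(detect_brute_force(events), set())
```

Run it with `python -m unittest`. The second test is the important one: it attacks the rule’s assumption by checking that near-threshold noise does not fire it.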
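The repository-and-metrics point can likewise be sketched as a small tracker that records how often each rule fires and how often it was right. The metric names and the precision formula are illustrative:

```python
# Sketch: tracking per-rule efficacy so rules can be tuned over time.
# Metric names and the precision calculation are illustrative.

from collections import defaultdict

class RuleMetrics:
    def __init__(self):
        self.stats = defaultdict(lambda: {"fired": 0, "true_positive": 0})

    def record(self, rule_id, true_positive):
        """Record one firing of a rule and whether it was a true positive."""
        s = self.stats[rule_id]
        s["fired"] += 1
        s["true_positive"] += int(true_positive)

    def precision(self, rule_id):
        """Fraction of firings that were true positives (0.0 if never fired)."""
        s = self.stats[rule_id]
        return s["true_positive"] / s["fired"] if s["fired"] else 0.0

m = RuleMetrics()
for hit in (True, True, False, True):
    m.record("brute_force_v2", hit)
print(m.precision("brute_force_v2"))  # 3 true positives out of 4 firings
```

A rule whose precision keeps dropping is a candidate for tuning or retirement, which is exactly the accountability the bullet above asks for.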
Detection engineering in a Cloud Native system
To support detection engineering in a cloud native system, security tools must at least be able to:
- Work natively with cloud components: Detection technology must handle cloud native components like containers, serverless functions, and microservices, while still working with the virtual machines, physical servers, and networks that remain in use today.
- Effectively reduce and normalize security alerts: Cloud native workloads are often short-lived, so alert volumes can be far higher than in a traditional system and can overwhelm even the most sophisticated detection tools. To make sense of security alerts in a cloud native system, you need to reduce and normalize them into actionable signals.
- Provide a “scaling factor”: When you move from manually handling alerts to using detectors and codified logic, most alerts covered by the detectors are either discarded or handled without human review. This scaling factor matters more in a cloud-first environment than anywhere else, because of the sheer size and speed of these systems.
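The reduce-and-normalize requirement can be sketched as collapsing alerts that differ only by ephemeral container instance into one signal per service and rule. The alert fields here are invented for illustration:

```python
# Sketch: reducing and normalizing alerts from short-lived workloads.
# Alerts differing only by ephemeral container ID collapse into one signal.

def normalize(alert: dict) -> tuple:
    """Key an alert by durable identity (service, rule), not container ID."""
    return (alert["service"], alert["rule"])

def reduce_alerts(alerts):
    """Fold raw alerts into per-(service, rule) signals with counts."""
    signals = {}
    for a in alerts:
        key = normalize(a)
        sig = signals.setdefault(key, {"service": a["service"],
                                       "rule": a["rule"], "count": 0})
        sig["count"] += 1
    return sorted(signals.values(), key=lambda s: -s["count"])

raw = [{"service": "api", "rule": "shell_spawn", "container": "api-%d" % i}
       for i in range(50)]
print(reduce_alerts(raw))  # 50 raw alerts become one signal with count 50
```

Fifty alerts from fifty short-lived containers are really one event about one service, and that is the signal an analyst, or an automated responder, should see.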
Modern detection engineering means doing security analysis with engineering principles in mind. In a cloud native system, this practice is essential: without it, security detection at scale is impossible.