This post was first published at https://tfir.io/modernizing-security-modern-security-for-modern-apps/
Cloud native technologies have paved the path to modernizing applications. Containers provide standard packaging, and Kubernetes provides the orchestration. However, security practices have not evolved in order to account for the new reality of cloud first and recent studies show a sharp increase in the number, severity, and complexity of attacks. In this article, I will discuss how the same cloud native technologies we use for modernizing applications, also provide a great solution for modernizing security.
Cloud Native Technologies
The Cloud Native Computing Foundation (CNCF) states that cloud native technologies allow engineers to make high-impact changes frequently and predictably with minimal toil. In practice this means that being cloud native allows businesses to move faster and deliver more value to their customers, in less time.
With modern applications, container images are built in delivery pipelines and automatically deployed across clusters. Kubernetes resource manifests, typically written in YAML, are declarative configuration specifications that describe how workloads and components should be executed on the underlying infrastructure. Changes are managed via updates to these manifests, which trigger controllers running in Kubernetes to perform actions required to make the system or application’s current state match the desired state. Managing all of this “as-code” allows for applying software development best practices such as versioning, reviews, testing, and automation.
Security Challenges and Solutions
Cloud native applications patterns are inherently more complex and security attacks are evolving to take advantage of the distributed nature and operation of the ecosystem.
Kubernetes clusters and workloads are dynamic, and things can change quickly. Due to the extensible and composable nature of Kubernetes, along with the large and rapidly growing cloud native ecosystem, clusters also tend to vary significantly across organizations.
These factors make it impossible to secure Kubernetes and its workloads using traditional approaches which rely on the “scan-analyze-report” security loop. This traditional, and generally not cloud friendly, approach to security also does not allow for self-service from the extensive array of personas which can consume a cloud native workload, and thus hinders agility within organizations.
The good news is that containers and Kubernetes provide all the tools necessary to secure clusters and workloads. In fact, done right, containerized applications can be more secure than traditional applications.
The problem is not that secure configurations and processes do not exist, but that they are often not applied properly to the underlying systems. This is not because the responsible parties do not care, but more often due to complexity, lack of knowledge, or lack of alignment across teams in an organization.
The cloud native community has an answer for this, and it’s called platform engineering!
Not too long ago, developers were not allowed any interaction with production environments, and separate system administration teams deployed and managed applications after they were built and tested. The DevOps movement changed and improved on that relationship blurring the lines across roles. It makes complete sense for developers to take on some of the operational responsibilities at the application layer, and for operators to adopt software development best practices for managing infrastructure services, in the process birthing the new shift toward “everything-as-code”. However, in organizations that have successfully adopted DevOps and its various process improvements, each role still has to operate with autonomy and maintain strong alignment using common systems of record, usually using Git.
With DevSecOps, there was an attempt to bring security into the mix but that never really caught on beyond buzzwords. Proper governance, compliance and auditability still remained as something to be done at later stages, and central teams remained responsible for maintaining proper security posture while utilizing tooling that did not fit neatly into the DevOps landscape.
With the rise of cloud, containers, and Kubernetes, platforms have become essential to the proper delivery of new functionality at scale. However, like cloud-provider managed environments, Kubernetes also has a shared responsibility model where developers only care about a subset of its interfaces. This created a need for platform engineering teams that take care of core concerns, such as security, and enable faster delivery of products and services.
A key differentiator of this approach is the “platform as product” mindset, which several large organizations have successfully adopted to scale and shorten software delivery cycles.
Platform engineering teams leverage Kubernetes as the primary building block for platforms,with the CNCF OSS projects and the broader ecosystem providing the array of tools needed to create a composable system . For example, a platform engineering team can deliver each application type as a catalog of blueprints or templates that cover configuration, deployment, observability, and other concerns.
Developers can now focus on what they do best, with the platform teams providing “golden paths” for secure self-service.
So where does security fit in? Savvy platform engineering teams will “own” security and leverage Kubernetes’ declarative configuration management to ensure that secure defaults are automated and verified across the application delivery lifecycle. Google describes this as “shift-down security” – where the platform enforces security vs a “shift-left” approach where every developer is also expected to become a security expert!
However, for cloud native platform teams to embrace and bake in security requires a different approach to securing systems.
There are three cloud native best practices required: Codify, Automate, Collaborate!
To allow scaling and developer adoption, security policies and best practices need to be managed “as code”. Kubernetes native policies, where policies are managed as Kubernetes resources by CNCF projects like Kyverno and OPA/Gatekeeper, enable a Policy as Code approach.
This approach to security brings the discipline and value of software engineering enabling collaboration across multiple teams, versioning, code reviews, testing, automation, and audit trails.
Policies, when managed as code, become a digital contract across development, operations, and security providing the necessary infrastructure for frictionless delivery and operation.
Once governance, policy and security are Codified , the platform engineering team can leverage practices like GitOps to ensure secure defaults, both in the CI/CD pipelines and at runtime, leveraging Kubernetes admission controls.
Policies are not just for validating and reporting, they can now be extended to dynamically mutate and generate resources enabling secure self-service. For example, when a development team deploys a workload, Kyverno’s generate policy rules can be dynamically triggered in order to apply secure defaults, generate fine grained permissions or ensure compliance with standards such as NIST 800-*, PCI, etc.
Using Kubernetes, reporting of violations and incidents can also be automated and normalized across tools. The CNCF Policy Working Group is standardizing a Policy Report API that allows any scanner or policy engine to report findings in a structured manner, thus further solidifying Kubernetes as the primary building block of new platforms. This pluggable and extensible architecture is important as it allows adding and removing individual tools without changing the overall system architecture.
With declarative configurations, remediation can now also be automated. Typically, a best practice is to apply it in an upstream Git repository. However as a last resort, mutate policy rules can also be used.
CNCF policy engines also enable software supply chain security, and the automation of image signing and verification, as well as checking for attestations for compliance to emerging standards such as SLSA (Supply-chain Levels for Software Artifacts).
With the rise in frequency and complexity of attacks, security teams are often overburdened and have unrealistic expectations placed on them. Cloud native best practices offer a solution that allows security teams to scale, by enabling visibility and collaboration.
To achieve this open and composable systems become a hard requirement, along with integration of tools that developer and operations teams already consume.
Just as Kubernetes has become a standard for deploying and managing containerized workloads, native Policy as Code will become a standard for managing security, compliance, governance and overall stronger end-to-end platform solution.
Securing the future
Applications are rapidly being modernized in order to bring them into the cloud first world. As they evolve, security also needs to evolve and leverage the same cloud native best practices.
Platform engineering teams need to adopt a secure-first approach and extend beyond self-service to “secure & compliant self-service”.
Security and operations teams need to be enabled with the proper tooling so they can foster security best practices into internal developer platforms. Security teams will still own and manage the overall posture and compliance, but this “shift-down” approach allows platform engineering teams to help offload complex securing challenges for dynamic systems like Kubernetes.
Cloud Native Policy as Code solutions provide organizations with a scalable and open approach to Codifying, Automating, and Collaborating to ensure a secure end-to-end delivery and consumption of both applications and systems. This approach to security prevents incidents early, transforms processes, further enabling agility without compromises.
To get started with cloud native security, check out CNCF Policy as Code projects like Kyverno.
To fast-track your journey, contact us for a demo of Nirmata’s cloud native policy and governance solution powered by Kyverno! https://nirmata.com/contact-us/