Cloud-native applications are built purposefully for deployment and operation in a cloud environment. They consist of small, independent microservices, such as serverless functions and containers, and utilize services that cloud providers and third-party partners provide via API, all while leveraging the cloud for automated stability, scaling, and recovery. Building cloud-native applications enable development teams to focus on implementing architectures that are optimized for how the cloud scales.
Cloud-native applications have a new, distinct structure that affects how attackers approach these applications, which shifts the threat landscape. As attackers change their approach and move towards Gen VI attacks, security practitioners and developers must adjust accordingly how they defend cloud-native applications.
They need to allocate more time and resources to these new threats in order to best prevent them for their organization. Resources must be allocated strategically, but one must first understand which threats are most likely in this new threat landscape.
Compute services in cloud-native applications are designed to be ephemeral and tend to have short lifespans. This is one of many attributes that makes cloud native applications inherently more secure. Attackers are unable to easily achieve long-term presence in your system and must, therefore, shift tactics. One resulting strategy is the Groundhog Day Attack in which an attacker crafts a much shorter attack that steals, for example, just a few credit card numbers, and then repeats. Attackers leverage the automatic scaling of the cloud native application to get by the ephemerality of it.
Another approach is the Upstream attack, or Poisoning the Well in which attackers aim to gain more long-term persistence in your application. Cloud-native applications tend to comprise many modules and libraries. A single serverless function could include tens of thousands of lines of code from a variety of sources other than the work of your developers. Attackers work to include malicious code in common projects. Then, after poisoning the well, the malicious code in your cloud applications can call home, get instructions, and wreak havoc.
Fortunately, cloud native applications tend to be harder to attack. But as a new type of architecture, they present new security challenges and developers must act to mitigate risk. The following are some best practices to secure cloud-native applications:
In addition to ensuring your Web API and Application Protection (WAAP) services are advanced to address next generation requirements, another cloud native security best practice is to apply perimeter security at the function level as well. Pay particular attention to functions that are triggered by a different source type.
When you do IAM at the granularity of functions, IAM becomes an AppSec tool. Spend time crafting suitable, minimal roles for each of your functions. Additionally, ensure that each of your functions executes with the smallest viable set of privileges, so the damage from any holes that slip through is minimal.
This has been talked about for several years and it’s not going away anytime soon. It’s a big problem that enterprises must address and it’s going to take years to get there as it’s a generational shift in philosophy.”
It is important for teams to bridge the gaps early, even if it feels against the normal behavior of the company DNA as cloud native requires a different approach in how organizations manage security and development. This creates a real opportunity for departments to facilitate this change and make a true impact.
Ops must create pipelines that let developers work at the speed of serverless and still deploy applications in a realistic and secure way.
These are just a few of the many items regarding security, one must think about when migrating to cloud native applications and microservervices. There are new tools designed every day to help optimize this transition and create greater visibility, observability, security, and threat prevention. For more information on how to address cloud native security, refer to the Cloud Security Solutions guide from Check Point Software.