GovLoop

How Cloud-Native Disrupts Traditional Security Practices

There is a big difference between securing traditional applications with dedicated infrastructure and securing dynamic cloud-native apps based on containers and running in a microservices architecture. Traditional security practices simply aren’t designed for this environment, and they won’t protect cloud-native apps effectively. Here’s why:

Solution: A Risk-Based Approach

When it comes to cloud-native applications, security can’t be an afterthought. Instead of relying on bolted-on tools, security must be integrated into the continuous integration and continuous delivery (CI/CD) pipeline itself.

It starts with a risk-based approach to cloud-native development, which lets DevOps teams detect, evaluate and fix vulnerabilities in the artifact pipeline as an integrated part of the development process, and then keep monitoring how containers behave once they are deployed.

“Everybody runs tens or hundreds of thousands of vulnerabilities at any given moment, and the risk-based approach allows you to prioritize,” explained Rani Osnat, Vice President of Strategy at Aqua. “By using a risk-based approach that includes scoring to assess how dangerous each vulnerability is, you can understand which poses the biggest risk and should be handled first.”

A comprehensive risk-based approach includes:

Adopting a risk-based approach is critical, but it isn’t the whole solution. It works best when combined with layers of security that go beyond detection and assessment to remediation or mitigation. For example, where a vulnerability can’t or won’t be remediated (no fixed package exists yet, or the upgrade would break the application), you can instead deploy a runtime control that detects, blocks and records exploitation attempts against that specific vulnerability.

Together, these steps form a full-lifecycle approach to security that starts in development and continues through deployment into runtime. It stops artifacts whose risk exceeds the organization’s threshold from being deployed, while letting teams prioritize and remediate what they can, accept or mitigate what they can’t, and, once workloads are running, quickly detect and stop attacks.
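The prioritization and remediate/mitigate/accept decisions described above, as an added example that is not code from the report or from Aqua. It ranks container image scan findings by contextual risk rather than by raw CVSS, then gates a build: findings that must be remediated fail it, findings that can only be mitigated pass only if a runtime control is registered for them. The weights, the 7.0 threshold, the exploit/exposure/reachability signals and the sample findings (`EXAMPLE-1` to `EXAMPLE-4`) are all constructed assumptions for illustration.

```python
"""Risk-based triage and pipeline gating for container scan findings (added example)."""
from dataclasses import dataclass

# Policy knobs are assumptions for this example, not values from the report;
# tune them to your own risk appetite.
BLOCK_THRESHOLD = 7.0     # priority at or above which a finding must be handled
EXPLOIT_WEIGHT = 1.5      # a public exploit or active exploitation is reported
EXPOSURE_WEIGHT = 1.25    # the workload is reachable from the internet
UNREACHABLE_WEIGHT = 0.5  # the vulnerable package is never loaded at runtime


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    cvss: float            # CVSS base score 0.0-10.0 as reported by the scanner
    fix_available: bool    # a patched package version exists
    exploit_known: bool    # assumed to come from an exploit/KEV-style catalog
    internet_facing: bool  # assumed to come from deployment metadata (ingress etc.)
    package_in_use: bool   # assumed to come from runtime/load-time observation


def priority(f: Finding) -> float:
    """Context-adjusted priority. CVSS alone ranks by severity; this ranks by risk."""
    score = f.cvss
    if f.exploit_known:
        score *= EXPLOIT_WEIGHT
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    if not f.package_in_use:
        score *= UNREACHABLE_WEIGHT
    return score


def decide(f: Finding) -> str:
    """accept: below threshold; remediate: fix exists; mitigate: no fix, needs a runtime control."""
    if priority(f) < BLOCK_THRESHOLD:
        return "accept"
    return "remediate" if f.fix_available else "mitigate"


def triage(findings):
    """Findings ordered highest risk first, i.e. the order in which to work them."""
    return sorted(findings, key=priority, reverse=True)


def gate(findings, runtime_controls):
    """Return (allowed, report). The build fails on any 'remediate' finding and on
    any 'mitigate' finding with no registered runtime control covering it."""
    allowed = True
    report = []
    for f in triage(findings):
        decision = decide(f)
        covered = f.vuln_id in runtime_controls
        if decision == "remediate" or (decision == "mitigate" and not covered):
            allowed = False
        report.append((f.vuln_id, f.package, round(priority(f), 2), decision, covered))
    return allowed, report


# Constructed sample scan output; IDs and packages are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-1", "openssl", 9.8, True, True, True, True),    # critical, exploited, exposed
    Finding("EXAMPLE-2", "libxml2", 7.5, False, True, True, True),   # no fix yet, exploited, exposed
    Finding("EXAMPLE-3", "curl", 8.1, True, False, False, False),    # high CVSS but never loaded
    Finding("EXAMPLE-4", "zlib", 5.3, True, False, True, True),      # medium, exposed
]

if __name__ == "__main__":
    # Assumption: a runtime rule for EXAMPLE-2 has already been deployed.
    allowed, report = gate(SAMPLE_FINDINGS, runtime_controls={"EXAMPLE-2"})
    for row in report:
        print("%-10s %-8s priority=%6.2f %-9s runtime_control=%s" % row)
    print("build allowed:", allowed)
```

Note how `EXAMPLE-3` (CVSS 8.1) drops below `EXAMPLE-4` (CVSS 5.3) once reachability and exposure are taken into account, which is the point of scoring risk rather than severity; in a real pipeline the three context booleans would come from an exploit catalog, the cluster’s ingress/service definitions and runtime observation rather than being hand-set.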

This article is an excerpt from GovLoop’s recent report, “Navigating the Security Challenges of Cloud-Native Operations.”