
Embrace the Future by Unraveling the Secrets of Cloud Native Security

Published Date

January 17, 2024


Written By

Nitinkumar Ambulgekar

Modern, cloud-native architecture uses cutting-edge technologies to let enterprises deploy their applications securely and at scale on a cloud-first infrastructure.

Cloud-native security applies the same paradigm to securing these applications: a modern, pragmatic approach that includes concepts like DevSecOps, API security, platform security, zero-trust access, and a secure software supply chain. These elements are essential for safeguarding applications and their data.

What is Cloud Native Security?

With security risks rising every year, protecting applications against cyberattacks and other breaches has never been more critical, especially for applications deployed at the edge or in public clouds.

Organizations need to secure cloud-native applications by protecting against infrastructure and platform vulnerabilities and by securing the entire software delivery system: container images, application dependencies, CI/CD pipelines, and the application itself.

Which Security Concepts Go into Building Secure Applications?

The following cloud-native security concepts are crucial for organizations aiming to build and operate secure cloud-native applications:

DevSecOps

Instead of bolting security on after the application code is written, DevSecOps integrates security into every stage of the cloud-native software development process.

Secure Software Supply Chain

A secure software supply chain establishes trust in what is released: the provenance of every component is known, releases are compliant, and regular scans are in place to identify and report vulnerabilities.

API Security

APIs are integral to all modern cloud-native applications, which makes them a frequent target. API security encompasses the strategies and methods that protect APIs from significant security risks, malicious attacks, and data breaches.

Kubernetes security

Kubernetes provides built-in security controls, such as authentication and authorization on the API server, resource limits, and container isolation, to enforce security within the cluster. Network policies restrict traffic to and from pods to trusted sources only.

The 4 Cs of Cloud-Native Security

The 4 Cs of cloud-native security form a layered security model for Kubernetes in the spirit of defense in depth: each layer builds on the security of the one below it. This layered strategy is a recognized best practice for securing cloud applications.

It provides an organized way of thinking about the expansive cloud-native environment and delineates the responsibilities among platform engineering, IT, developers, and security teams.

The 4Cs are: Cloud, Cluster, Container, and Code.


Cloud

Kubernetes runs in public and private cloud environments; each cloud provider publishes security recommendations tailored to its platform. Securing the base cloud layer is imperative, since weaknesses there undermine every layer built on top of it. Secure the cloud layer by:

  • Following CSP-specific guidelines for user and permission management
  • Restricting network access to the control plane (API server) and to nodes, allowing only authenticated TLS connections, and encrypting storage at rest (for example, etcd encryption of Secrets)
  • Automating updates to applications and the platform so that patches are applied promptly.
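As an added example (not part of the original post), this is the Kubernetes EncryptionConfiguration that turns on encryption at rest for Secrets in etcd. The file path, the key name and the key value are placeholders; the aescbc provider is used here because it needs no external service, though a kms provider backed by the cloud provider's KMS or an HSM is the better choice in production.

```yaml
# Added example: encrypt Secrets at rest in etcd.
# Handed to kube-apiserver with
#   --encryption-provider-config=/etc/kubernetes/enc/enc.yaml   (path is an assumption)
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The FIRST provider is used for writes; every listed provider is tried on
      # reads, so Secrets written before encryption was enabled stay readable.
      - aescbc:
          keys:
            - name: key1
              # 32-byte random key, base64-encoded (placeholder; generate one with
              #   head -c 32 /dev/urandom | base64)
              secret: <BASE64_ENCODED_32_BYTE_KEY>
      # identity = plaintext. Listed LAST it only serves reads of old data;
      # listed FIRST (the insecure layout) new Secrets would still be written in the clear.
      - identity: {}
```

After the API server restarts with the flag, rewrite the existing Secrets so they are stored encrypted: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. To check, read one Secret directly from etcd with etcdctl: the stored value should begin with `k8s:enc:aescbc:v1:key1:` rather than with the plaintext.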

Cluster

We need to secure the workloads running in Kubernetes at the cluster layer. There are two areas of concern:

  • The configurable cluster components themselves
    • Encrypt API communications with TLS
    • Authenticate all API clients
    • Enable role-based access control (RBAC) for API authorization
    • Encrypt data at rest in etcd
  • The containerized workloads running in the cluster
    • Set resource requests and limits so workloads get a defined quality of service (QoS) and cannot starve each other
    • Apply network policies that allow only the traffic each workload needs
    • Enforce the Pod Security Standards (for example, the restricted profile) on namespaces
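The cluster-layer controls above, as an added example that is not from the original post: a namespace with Pod Security Standards enforced, a least-privilege RBAC role, a default-deny network policy and the one allow rule a workload needs. The namespace name "payments", the service account "monitor" and the app labels are assumptions.

```yaml
# Added example: cluster-layer controls for one namespace ("payments", an assumed name).

# 1. Pod Security Standards enforced at namespace level: pods that do not meet
#    the "restricted" profile (privileged, host namespaces, root user, ...) are rejected.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
# 2. Least-privilege RBAC: a namespaced Role (not a ClusterRole) that can only
#    read Pods, bound to one ServiceAccount. No "*" verbs, no secrets, no pods/exec.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: monitor-reads-pods
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: monitor
    namespace: payments
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# 3. Default deny: an empty podSelector matches every pod in the namespace, and
#    with no ingress/egress rules listed, all of its traffic is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 4. Then allow only what is needed: "api" pods accept TCP/8443 from pods
#    labelled app=frontend in the same namespace, and may send DNS to kube-system.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8443
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
```

Two checks worth running after applying it: `kubectl auth can-i list pods --as=system:serviceaccount:payments:monitor -n payments` should answer yes, and the same command with `get secrets` should answer no. Note that NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them; on a CNI without policy support they are accepted by the API server and silently do nothing.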

Containers

Containers offer a standardized way of packaging, deploying, and managing applications across environments. Cloud-native security covers the whole container lifecycle, from build through deployment to runtime. This layer can be fortified by:

  • Scanning container base images regularly for known vulnerabilities
  • Using images from a trusted registry that are signed, and verifying the signatures at build and deploy time
  • Running containers with the least privileges their operations require (non-root user, dropped capabilities, read-only root filesystem)
  • Isolating applications with network policies or a service mesh
  • Using runtime classes to select a sandboxed runtime (for example, Kata Containers) for workloads that need stronger isolation than the default runc runtime
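As an added example (not from the original post), here is the same workload written twice: first the common "works but wide open" pod spec, then the least-privilege version with a digest-pinned image and a sandboxed runtime class. The registry, image and digest are placeholders, and the RuntimeClass handler name "kata" assumes a Kata Containers runtime has been configured in containerd or CRI-O on the nodes.

```yaml
# Added example: container-layer hardening, before and after.

# --- BEFORE: mutable tag, runs as root, privileged, writable root filesystem ---
apiVersion: v1
kind: Pod
metadata:
  name: api-insecure
spec:
  containers:
    - name: api
      image: registry.example.com/shop/api:latest   # tag can be re-pointed; nothing verified
      securityContext:
        privileged: true                            # full access to the host
---
# --- AFTER: sandboxed runtime, non-root, no capabilities, no privilege escalation,
#     read-only root FS, default seccomp profile, image pinned by digest ---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata            # must match a runtime handler configured on the nodes (assumption)
---
apiVersion: v1
kind: Pod
metadata:
  name: api
spec:
  runtimeClassName: kata                # VM-isolated sandbox instead of plain runc
  automountServiceAccountToken: false   # no API token in the pod unless it is needed
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: api
      # Digest pinning: the exact image whose signature was verified is the image that runs.
      image: registry.example.com/shop/api@sha256:<image-digest>   # placeholder digest
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      resources:
        requests:
          cpu: "100m"
          memory: "128Mi"
        limits:
          cpu: "500m"
          memory: "256Mi"
      volumeMounts:
        - name: tmp
          mountPath: /tmp          # the only writable path the process gets
  volumes:
    - name: tmp
      emptyDir: {}
```

In a namespace that enforces the restricted Pod Security Standard, the first spec is rejected outright (privileged container, root user, no seccomp profile), which is the point of pairing the two layers. The digest to pin comes from the signature verification step in the build pipeline, so that what was verified and what is deployed cannot drift apart behind a moving tag.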

Code

The application code is the attack surface over which we have the most control. Secure this layer by:

  • Scanning code and its dependencies as part of the secure software supply chain, so that both are trustworthy, compliant, and up to date
  • Running regular scans (static analysis, dependency and container scans) to detect and eliminate vulnerabilities
  • Encrypting traffic between services with TLS, and granting each application only the permissions it needs to operate
  • Using a trusted execution environment (TEE) such as Intel SGX (Software Guard Extensions) to run the critical parts of the application in encrypted memory that even the host operating system cannot read
  • Auditing source code with tools that enumerate its dependencies, including transitive ones that would otherwise be missed
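Encrypted service-to-service traffic and least permission, as an added example that is not from the original post, expressed with Istio (the mesh this post mentions later). The namespace "shop", the services "frontend" and "orders" and the API path are assumptions.

```yaml
# Added example: mTLS between services plus least-privilege call permissions in Istio.

# 1. Require mTLS for every workload in the namespace. Plaintext connections are
#    rejected; the default PERMISSIVE mode would still accept them. Placing this
#    object in the Istio root namespace (istio-system) would make it mesh-wide.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# 2. Once any ALLOW policy selects a workload, every request that matches no rule
#    is denied. So the "orders" service accepts only GET/POST on /api/orders* from
#    the frontend's identity, which is proven by the client certificate presented
#    over mTLS (its service-account principal), not by a network address.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/shop/sa/frontend"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/orders*"]
```

A quick check: a plain HTTP request to the orders service from a pod without a sidecar now fails at the TLS handshake, and a request from a sidecar-injected pod running under any service account other than frontend gets an RBAC denial (HTTP 403) from the orders sidecar.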

Threats to Enterprise Cloud Application Security

Ransomware, phishing, and vulnerabilities in containers and the software supply chain all bear on cloud-native security, and APIs remain one of its most exposed surfaces. Below are key findings from the Global Incident Response Threat Report for 2022:

  • More than half (57%) of respondents experienced a ransomware attack in 2022, and at least 25% of all ransomware attacks included double extortion
  • Zero-day exploits were encountered by 62% of respondents; separately, Gartner predicts that by 2025 attacks on software supply chains will triple, affecting 45% of organizations worldwide
  • Exploits of container vulnerabilities, such as unhardened images from third-party registries, were encountered by 75% of respondents
  • Almost a quarter (23%) of all attacks in 2022 compromised API security

Cloud-Native Security at ACL Digital

ACL Digital’s Cloud-Native Platform Services integrate well-known cloud-native services and tools, encompassing application and platform security. The platform supports multi-cloud environments and operates on any API-conformant Kubernetes distribution.

The platform includes:

Zero Trust Access 

  • Secure workload identities with HSM-based zero-trust access
  • Support for SSO, Strong authentication (OAuth2), user management, and identity federation
  • Support for granular RBAC access to clusters and containerized workloads
  • Real-time drift analysis to eliminate misconfigurations and vulnerabilities

Secure Service Mesh

  • Istio-based enhanced service mesh with HSM-based mTLS communication
  • Integration with an Intel SGX-based external CA
  • Interoperability proven with a commercial 5G stack
  • Protected access to your API gateways and ingress/egress proxies
  • Secured mTLS architecture across core, edge and hybrid clouds

Confidential computing

  • Intel SGX-based platform attestation and key provisioning for edge applications
  • Critical 5G core, edge, and other telecom applications that run on the cloud are secured with SGX hardware-based security
  • Gramine-based containers run the whole application inside an SGX enclave without source-code modification or recompilation
  • CNF execution in an SGX enclave for a minimal attack surface

Conclusion

In an era defined by digital evolution, prioritizing cloud-native security is non-negotiable. As organizations navigate the complexities of the cloud, robust, layered strategies like the ones above are what keep applications and their data safe across the ever-expanding realm of cloud-native applications.

Further Reading

https://www.acldigital.com/blogs/how-project-sylva-accelerating-cloud-native-telco-transformation

About the Author

Nitinkumar Ambulgekar, Senior Technical Lead

Nitinkumar Ambulgekar is a Senior Technical Lead with over 13 years of experience in the Telecom domain. He has expertise in NFVI, VNF orchestration of Ericsson LTE products on OpenStack cloud, and Kubernetes-based deployment of 5G CNFs. At ACL Digital, he is responsible for POCs on 5G security with Intel SGX-based service mesh, confidential computing, service mesh solutions, 5G Core deployments on Kubernetes/OpenShift platforms, and exploration of different CNCF products for cloud-native solutions.