What is a “mindset of cloud-native security”? 🤔 That’s a great question. That’s why Justin McCarthy, CTO and co-founder of strongDM, recently sat down with Mike Vizard at Container Journal and a panel of technology experts to discuss just that—and how to implement it without creating friction.
The full panel included:
- Girish Bhat—VP, Sumo Logic
- Shiri Arad Ivtsan—Product Manager, WhiteSource
- Scott Gerlach—Co-founder and CSO, StackHawk
- John Sanda—Lead Engineer, Datastax
- Marina Segal—Director of Product Management, Sysdig Secure
So, what makes cloud-native security different? Here’s the recap:
Developers Don’t Want to be Security Experts
Security has become a moving target, especially at a time when developers have gained the power to implement, scale, and change infrastructure at will. And as applications and services have become more distributed, visibility has become a challenge as well.
That’s why cloud-native security is a mindset problem. How do you blend security awareness into the development process? Security must shift from the old-school method of ultimate control to empowering teams to make security-informed choices.
Before the cloud, there was a clear separation between the person who wrote the code and the person who worked on the network. That specialization of skills forced a necessary conversation about “should we versus could we” when it comes to development and security. But with the cloud, those conversations are no longer built in and can no longer be assumed. On top of that, developers don’t want to be security experts.
The result? The security professional’s role has evolved, and now must integrate actionable security steps into the developers’ workflow in a way that doesn’t bog them down.
Mo’ Technologies, Mo’ Problems
“It's hard for us to learn because our job is hard.” -Scott Gerlach, co-founder and CSO, StackHawk
One of the hardest challenges for security teams is the perpetual cycle of new technologies being added, which can leave them trailing behind. In a world with Kubernetes, containers, and serverless computing, where new frameworks emerge all the time, how can security keep up?
Since this speed of growth is inevitable, learning to partner with DevOps has become critical, and security professionals must learn to be comfortable being uncomfortable. Again, it comes down to mindset. You’ve got to spread security tasks across the organization. Developers need tools to help them make better security decisions—without slowing them down.
Analysis Paralysis and Acceptable Risk
“You want to feel productive with your work. And one thing that can feel pretty unproductive is interminable analysis paralysis … At some point, you need a way to halt the debate and say, we’ve made some decisions … let's move forward.” -Justin McCarthy, CTO and co-founder, strongDM
How do you determine acceptable risk when cloud-native environments present so many new challenges? The panel considered:
- Aren’t containers magically secure?
- Why are attacks against containers so hard to spot?
- How are serverless computing frameworks vulnerable?
- Is cryptojacking more than a nuisance crime?
- Are we facing a software supply chain crisis?
- How do we proceed when authentication and authorization are disabled by default?
DevOps teams want to move fast. Security wants to protect business assets without creating a bottleneck. And it’s not “us vs. them”—it’s a balance.
Finding the Balance
Security and DevOps are on the same team, and have the same goal. Both are just trying to do what’s best for the organization. So how do teams avoid resentment, with security grumbling about misconfigurations, and developers begrudging requests to scan their code?
“Partner with those engineering teams. Spend time understanding what they're working on. What are their pain points? Help them do their thing better so that they also want to partner with you.” -Scott Gerlach
Finding that balance comes down to shifting left with security—moving security earlier in the development process. And there are three core things that security teams must do:
- Sit with DevOps and understand their needs. Embedding security teams with DevOps can help make engineers and developers more security aware. It can also help security figure out what DevOps is doing, the technologies they’re trying to use, and the problems they’re trying to solve. Working as a team can help everyone move faster.
- Communicate the value of security. Security teams should ensure that developers are only dealing with security issues that actually matter for the business. Set clear priorities, and don’t bombard them with unnecessary tasks.
- Empower DevOps to be more security-aware. Figure out ways to simplify how DevOps can incorporate security earlier in the process. Integrate security tools within the pipeline to scan automatically. Help them choose better open-source components before they start writing code. Simplify their lives by making security an incremental process.
Observability & Security
Observability plays an important part in a DevOps workflow, and can be extended to security as well. Girish Bhat defines “security observability as a continuum of what we traditionally used to call monitoring and troubleshooting.”
Security observability serves two purposes: improving business outcomes and delivering products in a secure and timely way. In order to meet these challenges, security teams must:
- Pare down and centralize observability tools.
- Synthesize generated events into actionable intelligence.
- Simplify irregular signals into human-readable language.
- Create an enriched record for SIEM tools.
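To make the last two lists concrete (prioritizing only the findings that matter for the business, and turning raw signals from many tools into one enriched, human-readable record for a SIEM), here is an added example in Python. It is not code from the panel, strongDM, or any of the panelists’ products; the three input sources (a container runtime sensor, a cloud audit log, a dependency scanner), their field names, the severity scales, the asset inventory and every sample line are constructed for illustration.

```python
"""
Added example (not from the panel or strongDM): normalize security events from
several tools into one schema, enrich them with ownership context, and keep only
the ones worth a developer's attention. All sources, fields and sample lines
below are constructed assumptions, not any real tool's output format.
"""
import json
from dataclasses import dataclass, asdict, field
from datetime import datetime, timezone
from typing import Any, Dict, List, Tuple

# Constructed sample events: (source name, raw line) from three hypothetical tools.
RAW_EVENTS: List[Tuple[str, str]] = [
    ("runtime", '{"ts": 1700000000, "rule": "Terminal shell in container", '
                '"priority": "WARNING", "pod": "api-7d9f", "ns": "payments", "proc": "bash"}'),
    ("cloud_audit", "2023-11-14T22:13:20Z user=deploy-bot action=iam:AttachRolePolicy "
                    "result=SUCCESS src=203.0.113.10"),
    ("scanner", "observed=2023-11-14T22:14:00Z severity=high component=left-pad@1.0.0 "
                "advisory=EXAMPLE-ADVISORY-1 fix=1.0.1 repo=payments-api"),
    # Low-value noise from a system namespace that triage should drop.
    ("runtime", '{"ts": 1700000005, "rule": "Read sensitive file", '
                '"priority": "INFO", "pod": "logging-agent", "ns": "kube-system", "proc": "fluentd"}'),
]

# Each tool's own severity vocabulary mapped onto one 0-100 scale (assumed mapping).
RUNTIME_PRIORITY = {"INFO": 20, "NOTICE": 30, "WARNING": 60, "ERROR": 75, "CRITICAL": 90}
SCANNER_SEVERITY = {"low": 20, "medium": 40, "high": 70, "critical": 90}

# Constructed asset inventory used for enrichment: who owns an asset and whether it is critical.
ASSET_OWNERS = {
    "payments": {"owner": "payments-team", "critical": True},
    "payments-api": {"owner": "payments-team", "critical": True},
    "kube-system": {"owner": "platform-team", "critical": False},
}


@dataclass
class SecurityEvent:
    """The single standardized record every source is mapped into."""
    timestamp: str      # ISO 8601, UTC
    source: str         # which tool produced the signal
    category: str       # runtime | identity | supply_chain
    severity: int       # normalized 0-100
    summary: str        # human-readable one-liner
    asset: str          # namespace, repo or principal the event is about
    details: Dict[str, Any] = field(default_factory=dict)
    owner: str = "unassigned"
    critical_asset: bool = False


def parse_kv(line: str) -> Dict[str, str]:
    """Parse whitespace-separated key=value tokens; tokens without '=' are ignored."""
    out: Dict[str, str] = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            out[k] = v
    return out


def epoch_to_iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize(source: str, raw: str) -> SecurityEvent:
    """Map one raw line from a known source onto the common schema."""
    if source == "runtime":
        d = json.loads(raw)
        return SecurityEvent(
            timestamp=epoch_to_iso(d["ts"]), source=source, category="runtime",
            severity=RUNTIME_PRIORITY.get(d["priority"].upper(), 50),
            summary=f'{d["rule"]}: {d["proc"]} in pod {d["pod"]} ({d["ns"]})',
            asset=d["ns"], details=d)
    if source == "cloud_audit":
        ts, rest = raw.split(" ", 1)
        d = parse_kv(rest)
        privileged = d.get("action", "").startswith("iam:")  # permission changes rank higher
        return SecurityEvent(
            timestamp=ts, source=source, category="identity",
            severity=70 if privileged else 30,
            summary=f'{d["user"]} performed {d["action"]} from {d["src"]} ({d["result"]})',
            asset=d["user"], details=d)
    if source == "scanner":
        d = parse_kv(raw)
        return SecurityEvent(
            timestamp=d["observed"], source=source, category="supply_chain",
            severity=SCANNER_SEVERITY.get(d["severity"].lower(), 50),
            summary=f'{d["component"]} in {d["repo"]} has a {d["severity"]} finding; fix in {d["fix"]}',
            asset=d["repo"], details=d)
    raise ValueError(f"unknown source: {source}")


def enrich(ev: SecurityEvent) -> SecurityEvent:
    """Attach ownership and criticality so the record is actionable, not just a signal."""
    info = ASSET_OWNERS.get(ev.asset)
    if info:
        ev.owner = info["owner"]
        ev.critical_asset = info["critical"]
    return ev


def triage(events: List[SecurityEvent], threshold: int = 50) -> List[SecurityEvent]:
    """Keep only what matters: severe events, or anything touching a critical asset."""
    kept = [e for e in events if e.severity >= threshold or e.critical_asset]
    return sorted(kept, key=lambda e: (-e.severity, e.timestamp))


def to_siem_record(ev: SecurityEvent) -> str:
    """One JSON line per event, ready to ship to a SIEM."""
    return json.dumps(asdict(ev), sort_keys=True)


def run_pipeline(raw: List[Tuple[str, str]] = RAW_EVENTS, threshold: int = 50) -> List[SecurityEvent]:
    return triage([enrich(normalize(s, r)) for s, r in raw], threshold)


if __name__ == "__main__":
    for event in run_pipeline():
        print(to_siem_record(event))
```

The design choice that matters is the order of the steps: normalize first so every downstream rule sees one schema, enrich with context the tools themselves do not have (owner, criticality), and only then filter and rank. That is what lets the team hand developers a short, prioritized list instead of every signal from every tool.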
“How do you standardize … an event across [all the signals, tools, and infrastructure]? That’s definitely some undiscovered country.” -Justin McCarthy
The panelists wrapped up with advice to anyone working in cloud security: form a partnership with developers, offer simple incremental improvements, and most importantly … try to make it fun.
Did you miss the panel? You can check out the replay here. And don’t forget: if you need modern tech to help you manage all things cloud and infrastructure access, strongDM has a great demo for you.