Cloud adoption and cloud-native development are soaring worldwide, bringing complexity and additional risk to organisations. This is according to Palo Alto Networks cloud security experts who were addressing a recent webinar on security from code to cloud.
Frans de Waal, Prisma Cloud sales specialist at Palo Alto Networks, outlined the findings of the Palo Alto State of Cloud-Native Security Report 2023, which found that the application lifecycle had gained momentum, cloud adoption had increased, and complexity was threatening the security of cloud environments.
De Waal said 69% of organisations host more than half of their workloads in the cloud, up from 31% two years ago. “This indicates that we aren’t at the ceiling point yet in terms of cloud adoption, with massive year on year growth still taking place,” he said.
A poll of webinar participants found that 10% have all of their workloads hosted in the cloud, while 35% have more than half their workloads in the cloud, 20% have about half hosted in the cloud, and 35% have less than half in the cloud. Most currently have less than half of their resources managed by infrastructure as code.
“The initial view of cloud was very much a lift and shift view, but year on year the amount of virtual machine infrastructure and containers as a service has declined, while we see an increase in platform as a service and serverless computing. Application modernisation is the number one driver of cloud adoption, followed by maintaining competitiveness in the market, reducing infrastructure overheads, and regulatory compliance,” de Waal said.
“Because of the operational cadence of development teams, security is being inundated with alerts.” 77% of respondent organisations deploy new or updated code weekly and 38% do so daily.
“There’s a lot to consider – you aren’t only concerned with the running environment, but also the supply chain,” he said.
Gordon Bailey-McEwan, Prisma Cloud solutions architect at Palo Alto Networks, noted that in modern applications, much like the modern way of making cars – things are assembled rather than built, using parts from various suppliers.
“Gone are the days in which you built the entire application from start to finish yourself. You can have various components, libraries and dependencies to use for the application code. But that code must live somewhere, which is why we have infrastructure as code, which defines the infrastructure we will spin up in the cloud. You might also have an orchestration layer.”
“Gone are the days of the waterfall approach with monolithic code, we are far more agile now, using things like DevOps pipelines releasing multiple updates to our applications. Using open source components and DevOps pipelines allows us to move quickly and stay ahead of competitors. Unfortunately, the speed of these new approaches results in some risks and security is often an afterthought,” he said.
Bailey-McEwan cited figures on cloud application security risks at each layer of the supply chain. In infrastructure-as-code modules and templates, 64% of Terraform module downloads result in at least one high or critical insecure configuration. In open source packages, 81% of applications contained vulnerabilities. In container images, 91% of images contain at least one critical or high severity vulnerability, he said.
“Developers need to be aware of the risks and the company needs to have a strategy for reducing the risk. For example, infrastructure as code misconfiguration can result in security amplification – if I use an insecure template and reuse it and it gets deployed 100 times, it could result in thousands of security alerts in production. Attackers know this too, and they know analysts are suffering from alert fatigue. In fact, 90% of organisations cannot detect, contain and resolve cyber threats within an hour. We need some way to mitigate this risk.”
De Waal highlighted key recommendations for addressing these risks, including reducing friction, shifting security left, focusing on automation, and consolidating security vendors.
He said: “We’re seeing organisations making security a team sport and nominating champions in development teams and letting them evangelise security within the application development teams. DevSecOps supports the velocity organisations are trying to achieve with application delivery. Old style ‘ClickOps’ reactive, manual remediation doesn’t scale and is error prone. A new-style ‘GitOps’ approach is proactive, automated remediation that scales.”
Another recommendation was to focus on a high level of automation, de Waal said. “We’re talking automation of not only the infrastructure, but also the security practices around it. We also need to implement automation and remediation within running environments.”
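The two points above, that an insecure infrastructure-as-code template is amplified every time it is reused, and that the fix is an automated check run before the template is merged rather than manual ClickOps remediation in production, can be shown concretely. The following is an added example written for this page; it is not code from the webinar, the report, or Prisma Cloud. It scans a module written in Terraform's JSON configuration syntax for three well-known insecure settings, and counts what happens to the alert volume when the same module is deployed many times. The module contents, resource names and the three checks are constructed assumptions for illustration, not a complete policy set.

```python
"""Scan a Terraform JSON-syntax module for a few insecure settings and show
how one bad template multiplies findings when it is reused across deployments.

Added example, not code from the webinar or from Prisma Cloud. Module contents,
resource names and the three checks below are constructed for illustration.
"""
import json
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}            # SSH and RDP
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # "anywhere" in IPv4 and IPv6


@dataclass(frozen=True)
class Finding:
    severity: str
    resource: str   # "<type>.<name>", the way Terraform addresses a resource
    message: str


def _as_list(value):
    """Terraform JSON allows a nested block as a single object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _check_security_group(addr, body):
    # Flag ingress rules that expose an admin port to the whole internet.
    for rule in _as_list(body.get("ingress")):
        cidrs = set(_as_list(rule.get("cidr_blocks"))) | set(_as_list(rule.get("ipv6_cidr_blocks")))
        if not cidrs & WORLD_CIDRS:
            continue
        lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 65535))
        if lo == 0 and hi == 0:      # protocol -1 uses 0/0 to mean "all ports"
            hi = 65535
        if any(lo <= p <= hi for p in ADMIN_PORTS):
            yield Finding("critical", addr, f"ingress {lo}-{hi} open to the world on an admin port")


def _check_s3_bucket(addr, body):
    if body.get("acl") in ("public-read", "public-read-write"):
        yield Finding("high", addr, f"bucket ACL is {body['acl']}")


def _check_db_instance(addr, body):
    if body.get("publicly_accessible") is True:
        yield Finding("high", addr, "database instance is publicly accessible")


CHECKS = {
    "aws_security_group": _check_security_group,
    "aws_s3_bucket": _check_s3_bucket,
    "aws_db_instance": _check_db_instance,
}


def scan(config: dict) -> list:
    """Return every Finding in one Terraform JSON-syntax configuration."""
    findings = []
    for rtype, instances in config.get("resource", {}).items():
        check = CHECKS.get(rtype)
        if check is None:
            continue
        for name, body in instances.items():
            findings.extend(check(f"{rtype}.{name}", body))
    return findings


def findings_after_reuse(config: dict, deployments: int) -> int:
    """Alert volume when the same template is deployed `deployments` times:
    every copy reproduces every finding, so one fix in the template removes
    all of them at once, while fixing them in production means N tickets."""
    return len(scan(config)) * deployments


# Constructed sample: the "insecure template" a developer might download and reuse.
WEAK_MODULE = json.loads("""
{
  "resource": {
    "aws_security_group": {
      "bastion": {
        "name": "bastion",
        "ingress": [
          {"from_port": 22,  "to_port": 22,  "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
          {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}
        ]
      }
    },
    "aws_s3_bucket":   {"logs": {"bucket": "example-logs", "acl": "public-read"}},
    "aws_db_instance": {"app":  {"engine": "postgres", "publicly_accessible": true}}
  }
}
""")

# Constructed sample: the same module after the template itself is fixed.
HARDENED_MODULE = json.loads("""
{
  "resource": {
    "aws_security_group": {
      "bastion": {
        "name": "bastion",
        "ingress": [
          {"from_port": 22,  "to_port": 22,  "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
          {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}
        ]
      }
    },
    "aws_s3_bucket":   {"logs": {"bucket": "example-logs", "acl": "private"}},
    "aws_db_instance": {"app":  {"engine": "postgres", "publicly_accessible": false}}
  }
}
""")

if __name__ == "__main__":
    for f in scan(WEAK_MODULE):
        print(f"{f.severity.upper():8} {f.resource}: {f.message}")
    print("alerts if the weak template is deployed 100 times:", findings_after_reuse(WEAK_MODULE, 100))
    print("alerts from the hardened template:", findings_after_reuse(HARDENED_MODULE, 100))
```

The HTTPS rule open to 0.0.0.0/0 is deliberately not flagged: the check targets admin ports, because blanket "no world-open ingress" rules are what generate the noise the speakers describe. Run as a required step in the pull-request pipeline, a non-empty result from `scan` blocks the merge, which is the GitOps shape of the recommendation: the one template is fixed once, before any of its hundred deployments exist.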
On simplifying and consolidating vendors, he said: “Over 83% of organisations that were successful in their cloud adoption were using consolidated tools from a smaller number of vendors for ease of deployment, best of breed capabilities, impact on performance, familiarity of the vendor and tool, and competitive pricing. The problem with defence in depth from multiple vendors is it creates complexity, a lot of alerts, and the need for more skills. The Palo Alto cloud-native Prisma Cloud platform is the answer to this problem.”