
Cloud-native adds risk to application development


Johannesburg, 18 Oct 2022
Gordon Bailey-McEwan, Prisma Cloud solutions architect at Palo Alto Networks.

Mitigating risk in cloud-native applications is very different from mitigating risk on-premises, requiring different approaches and toolsets.

This is according to Gordon Bailey-McEwan, Prisma Cloud solutions architect at Palo Alto Networks, who was addressing a webinar on the top cloud-native risks last week.

Bailey-McEwan said: “There is tremendous productivity and agility to be gained from the cloud, but that comes at a cost, and we have to ensure we are securing our cloud workloads properly. The problem isn’t just identifying vulnerabilities, but also fixing them quickly.”

Most people are familiar with using tools to identify vulnerabilities, and vulnerability management has been around for some time, he said. “But managing vulnerabilities of applications on-premise is different from managing vulnerabilities in the cloud. In the cloud, you must consider identities and infrastructure vulnerabilities too.”

He highlighted a recent report by Techstrong Research, commissioned by Prisma Cloud, which found that 70% of organisations now host more than half of their workloads in the public cloud.

However, he said: “Gartner says over 50% lack internal knowledge of how cloud native security works. With cloud innovation comes security challenges such as insecure configurations, vulnerable defaults, host vulnerabilities and compliance risks. 42% of CloudFormation templates are insecure, 51% of exposed docker containers use insecure defaults, 24% of exposed cloud hosts have known vulnerabilities, and 43% of cloud databases are not encrypted.”

Top five risks

The Techstrong Research report revealed that the top five cloud-native risks are application vulnerabilities, infrastructure misconfigurations, malware, overprovisioned access and insecure APIs.

Bailey-McEwan said: “The report highlighted that the top security risk area is application development. The longer it is ignored, the greater the risk. In addition, the way we introduce these applications into the cloud introduces further risks. 96% of third party applications deployed in cloud infrastructure have known vulnerabilities and 91% contain at least one ‘critical’ or ‘high’ vulnerability in the images. To mitigate the risk, Prisma cloud workload protection and code security shows vulnerabilities in the estate.”

He said infrastructure misconfigurations leave the door open for network attacks and exploits, with the most common being leaving ports open. Misconfigurations can be addressed with workload protection or cloud security posture management tools to scan the environment.
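The kind of check a CSPM or infrastructure-as-code scanner runs for the two misconfigurations named above (ports open to the world, databases unencrypted at rest), as an added illustration that is not code from the webinar or from Prisma Cloud. The CloudFormation template is constructed for the example; `PUBLIC_OK` is an assumed allow-list of ports an organisation intends to expose.

```python
import json
from ipaddress import ip_network

# Constructed CloudFormation template (JSON form) carrying two findings:
# SSH open to 0.0.0.0/0 and an RDS instance without storage encryption.
TEMPLATE = json.loads("""
{
  "Resources": {
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "10.0.0.0/16"}
        ]
      }
    },
    "AppDb": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "postgres", "StorageEncrypted": false}
    }
  }
}
""")

# Assumed policy: only these ports may be reachable from any address.
PUBLIC_OK = {80, 443}

def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (prefix length zero); False for anything else."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def scan_template(template):
    """Return (resource name, finding) pairs for the two misconfiguration classes."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                if cidr and is_world_open(cidr) and not (lo == hi and lo in PUBLIC_OK):
                    findings.append((name, f"ingress {lo}-{hi} open to {cidr}"))
        elif res.get("Type") == "AWS::RDS::DBInstance":
            if not props.get("StorageEncrypted", False):
                findings.append((name, "storage not encrypted at rest"))
    return findings
```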

On the risk of malware, he said: “In the cloud, it has become an area of focus because it can be highly lucrative and is evolving at breakneck speed. To address malware in the cloud, organisations should use cloud workload protection and in addition, they could look at data stored at rest and scan it for malware.”

Overprovisioned access opens the organisation to major security threats, he said, with one recent global study finding that 99% of cloud users, roles, services and resources were granted excessive permissions.

“When we consider the user’s access, we have to consider his group, organisational SEP, resource and other permissions. To address this, organisations need to apply cloud infrastructure entitlement management (CIEM),” Bailey-McEwan said.

On insecure APIs, he noted: “Most APIs today are web APIs with no GUI. They are the lifeblood of cloud-native and app-based economies, and they need to be protected. So you need to find out who is using them, are they being regularly updated and has the organisation formalised the way it evaluates API security? To mitigate risk, use a good web application firewall and analyse APIs, scanning the API definition files for vulnerabilities.”

Best practice

In addition to technology tools, approaches to risk mitigation had to change, Bailey-McEwan said.

“Tools are only half the solution. It’s also about the team using the tooling. This is where the report highlights how the organisational culture must change. You need to treat security as a team sport. Shifting security left requires a culture change, with architects, engineers and other cyber security professionals involved in the entire cloud native life cycle. Developers themselves need visibility into some of the security issues, so as the developer is coding and adding dependencies, we can flag them and say: did you know this is insecure?”

Consolidation is also important, he said. “What you really want is to reduce the number of tools you use. 83% of those who were successful in DevSecOps in rapid cloud expansion used five or fewer vendors. The idea is to use a more platform-centric tooling, and a tool like Prisma Cloud helps with the collaborative approach.

“You want to use tooling actually built for cloud-native development, which is aware of issues like infrastructure as code and containers. You should also automate security in the cloud-native environment to automatically remediate potential vulnerabilities. Finally, you need unified management to gain visibility into all of your cloud-native workloads and data, regardless of vendor.”

Code to Cloud Security Hour: The Rise of the CNAPP

Join senior leaders from Palo Alto Networks and industry visionaries to learn strategies for delivering secure cloud-native applications with greater efficiency. We’ll explore proprietary cloud threat research and real security transformation experiences that underpin the need to push the cloud-native security agenda forward.

Attendees will also see recent innovations from Prisma Cloud and learn how taking a consolidated, code-to-cloud approach to security pays for itself in less than six months with a 276% overall return on investment.

To register and join live on 16 November, or on demand, follow this link.
