Cloud-Native Security: A Comprehensive Guide to Securing Your Technology Stack
Friday, June 24, 2022
What does cloud-native mean?
Depending on the method they were built upon, we have three categories of applications that make use of cloud technology:
A cloud-native application is developed and deployed in the cloud in its entirety.
This type of application is containerized, for example in Docker or Kubernetes, to ensure isolated, dependency-free environments, and most of the time uses microservices to divide tasks and provide granularity.
Cloud-based applications are built and run outside the cloud but have certain features integrated into the cloud.
A cloud-enabled or non-native application is originally meant for an on-premises environment. It is built outside the cloud and later transferred into one, in order to enjoy some of its benefits.
Advantages of going cloud-native
To better understand the differences between cloud-native and on-premises applications that do not use cloud, we will look at the former’s advantages and disadvantages over the latter’s.
Native applications are easier and faster to build and deploy than on-premises ones because no sophisticated software or hardware requirements need to be fulfilled. Moreover, updates are also implemented faster and require no downtime.
The cost of using cloud-native technology depends on the application but is generally lower since it does not require the purchase of expensive hardware. Typically, cloud-native applications only require software licenses or subscriptions.
Since native applications do not require hardware upgrades, they are scalable and adaptable to business requirements.
The cloud is known for its resiliency against natural disasters, power outages and other incidents that may disrupt a cloud-enabled application. Native cloud workloads are therefore more resilient.
A serverless model
Cloud-native applications may work on a serverless model by leaving the provisioning and maintaining tasks to the cloud provider. This model simplifies the deployment steps and eases the developer's work, increasing productivity.
Moreover, using this model, cloud-native applications can be launched only when needed, the code responding to triggers and consuming resources when necessary. An advantage is that costs are reduced for applications.
How to secure your cloud-native application
According to Kubernetes, cloud-native security can be approached in 4 layers, called the 4 C’s:
The inner layer of security refers to the code; it is the part the application’s developer has the most control over, yet it can be one of a hacker's most appealing attack surfaces.
Application code security is usually an underrated security mechanism and neglecting it can lead to disastrous outcomes. Here are a few recommendations about securing code:
Sanitize input. This can go a long way and prevent vulnerabilities such as SQL injection, cross-site scripting, and others.
Use encryption. Data at rest and data in transit should always be encrypted. Make sure you’re sending application data encrypted through TLS.
Ensure modern cryptography. Even if you’re using encryption and hashing, make sure that:
- You’re not using deprecated algorithms, such as DES for encryption and MD5 for hashing, Instead, use AES and SHA-256 or newer, which are the current standards.
- You’re storing cryptographic keys safely (and not in the source code).
- You’re rotating keys regularly to safeguard against brute-force attacks on them.
Only open the ports you’re using. Don’t forget open ports, especially on internet-facing applications. This is one of the ways attackers can gain access to the cloud infrastructure.
The next layer of security for native cloud is controlled at the container level.
Containers are virtualization tools which allow you to run applications in isolated environments, separated from the hardware.
If your application uses various technologies, you can install any needed packages and resolve dependencies in the container instead of on the host operating system.
Another useful feature of containers is that you can create image templates and replicate environments without having to re-install tools and technologies.
The most known containerization services are Docker and Kubernetes.
Docker is a platform that enables developers to deploy applications in a containerized environment. Docker runs over a single node (machine), while Kubernetes is a container orchestration service.
Docker and Kubernetes are usually seen as competitors, but they work very well together; Kubernetes can help manage multiple Docker containers simultaneously.
However, there are a few security issues that need to be addressed regarding containers:
- Do not run containers as root. Developers find it easier to run containers as root because they don't have to provide their password when executing an action that requires root privileges. However, this opens up a wide palette of vulnerabilities; any attacker that would gain access to the container would have root privileges and, therefore, the highest level of permissions.
- Reduce the attack surface. If an attacker gains access to the container, make sure they cannot escalate their privileges or escape the container; eliminate the use of UNIX binaries that can be used to bypass rules, such as "sed" and "awk".
- Implement a strong network policy—for example, filter traffic to and from the container and use firewalls to ensure robust security.
The third layer for cloud-native security is managed in clusters.
A cluster is a set of nodes (machines) that run applications in containers. It comprises the nodes and a control plane, which is responsible for the maintenance of the nodes, determining for example which application is running in which container.
The nodes that are part of a cluster run the applications.
Let’s understand how to secure clusters:
- Implement Authentication. This step requires the user to prove they are who they claim to be. The authentication process may be different from service to service, but it can require credentials like passwords, client certificates, tokens, and others.
- Implement Authorization. Role-based access control (RBAC) establishes authorization by assigning roles to users and managing their privileges at role level.
- Control what privileges containers run with. Establish permissions by using security contexts. These are settings that can be applied to a container or a set of containers inside a cluster that define privileges and access control.
The outer layer of a cloud-native application refers to cloud infrastructure and configuration. Let’s see how to fix the most common cloud misconfigurations and secure your cloud-native application against attackers.
- Restrict inbound and outbound traffic. Make sure to close or restrict ports that are not necessary. Use access lists to blacklist ranges of IPs and ports.
- Ensure compliance with the Least Privilege Principle. Make sure no user has more privileges than required to carry out their tasks and eliminate all administrator/root accounts that are not strictly necessary.
- Implement strong encryption and use industry-recommended cryptographic algorithms with strong keys. Ensure that no one can read databases, files, and other resources if they gain access to your company's cloud.
You can identify misconfigurations in the cloud and remediate them effectively using Cyscale.
Cyscale offers a CSPM (Cloud Security Posture Management) tool that:
- checks for a wide variety of vulnerabilities,
- provides integration with the most important cloud vendors like AWS, GCP, Azure, Alibaba,
- sends relevant alerts,
- provides remediation steps to secure your cloud environment effectively, and others.