The layered capabilities should be implemented using a cloud-native mindset. Duplicating on-premises enterprise security design patterns into public cloud IaaS/PaaS will result in an inefficient and ineffective deployment. The patterns and their associated tools are poorly suited for the dynamic, ephemeral nature of the public cloud and are likely to frustrate the needs of developers and business units adopting public cloud. Security and risk management leaders responsible for cloud security must be open to adopting new approaches, patterns, best practices and vendors when adopting public cloud.
8 Best Practices to Adopt a Cloud-Native Maturity Model
1. Use the Built-in Cloud-Native Capabilities
Leading cloud providers have developed substantial built-in security and compliance capabilities, but with significant differences in their capabilities and maturities. Organizations with mature cloud programs have reduced their reliance on legacy security vendors because those vendors’ products overlap the cloud provider’s native security functionality but offer no meaningful additional risk reduction. In cases where the cloud provider’s capabilities lag those of commercial offerings, favor cloud-native security startup vendors that embrace and understand scale-out, software-based architectures, with usage-based licensing models that account for the ephemeral and elastic nature of cloud computing.
2. Embrace the Principles of DevSecOps and Shift Security and Compliance into Development
In the world of digital business transformation, developers rule. Information security must shift its focus from solely looking at runtime security enforcement to integrating security policy enforcement throughout the continuous integration/continuous delivery (CI/CD) pipeline (a discipline referred to as “DevSecOps”). Security and compliance testing and remediation must integrate transparently into the developer’s toolchain. Information security policies and inspection must become guide rails, not gates.
3. Require All Security Infrastructure to be Programmable
Public clouds are built on programmable infrastructure. Integrating with this infrastructure, and with the CI/CD pipeline described above, requires that security infrastructure itself become programmable. Security infrastructure providers must be fully API-enabled so that scripts and automation tools can drive their products.
4. Embrace Immutable Infrastructure Concepts
With immutable infrastructure, all changes to the environment are driven through automation using DevSecOps-style workflows. Out-of-date workloads are simply replaced with newer images in an automated, systematic way. Immutable infrastructure is now an established best practice by leading-edge organizations that mainstream enterprises should move toward adopting, especially for newer cloud-native applications.
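The shift-left, programmable and immutable-infrastructure principles in items 2 to 4 come together in a policy-as-code stage of a CI/CD pipeline. The block below is an added example, not code from the original page or from any vendor it mentions; the inventory format and field names are assumptions, and the sample inventory is constructed. Block-severity findings act as a gate, warn-severity findings as a guide rail.

```python
"""Policy-as-code guard rail for a CI/CD stage (added example, not from the page).

Evaluates a constructed workload inventory (the kind an IaC plan or a cloud
provider inventory API returns) against a few cloud-native security policies.
Each policy carries a severity: "block" fails the stage (a gate), "warn" only
reports (a guide rail), matching the shift-left guidance in the text.
"""
import json
from typing import Dict, List

# Constructed sample inventory; field names are assumptions for this example.
SAMPLE_INVENTORY = json.dumps([
    {"name": "api-vm", "kind": "vm", "ingress": ["10.0.0.0/8"],
     "encrypted": True, "image": "ubuntu:22.04"},
    {"name": "worker", "kind": "container", "ingress": ["0.0.0.0/0"],
     "encrypted": True, "image": "registry.example/worker@sha256:abc123"},
    {"name": "thumbnailer", "kind": "serverless", "ingress": [],
     "encrypted": False, "image": "registry.example/fn:latest"},
])

def check_workload(w: Dict) -> List[Dict]:
    """Apply each policy to one workload regardless of its form factor."""
    findings = []
    if "0.0.0.0/0" in w.get("ingress", []):
        findings.append({"workload": w["name"], "severity": "block",
                         "policy": "no-unrestricted-ingress"})
    if not w.get("encrypted", False):
        findings.append({"workload": w["name"], "severity": "block",
                         "policy": "encryption-at-rest"})
    # Immutable infrastructure: deploy by digest, never by a mutable tag.
    if "@sha256:" not in w.get("image", ""):
        findings.append({"workload": w["name"], "severity": "warn",
                         "policy": "image-pinned-by-digest"})
    return findings

def evaluate(inventory_json: str) -> Dict:
    """Return findings plus the stage verdict: 'fail' only on block-severity."""
    findings = [f for w in json.loads(inventory_json) for f in check_workload(w)]
    verdict = "fail" if any(f["severity"] == "block" for f in findings) else "pass"
    return {"verdict": verdict, "findings": findings}

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_INVENTORY), indent=2))
```

In a real pipeline the inventory would come from the provider's API or the IaC plan output, and the verdict would set the stage's exit status.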
5. Plan for Hybrid Multi-cloud
A Gartner survey shows several clients expect remnants of enterprise data centers to remain for many years to come. Further, surveys show that about 70% of enterprises are adopting multiple IaaS/PaaS providers by design. Information security should provide consistent security policy management, configuration and compliance across a hybrid, multi-cloud environment. For the CSPM and CWPP tools discussed earlier, this may require third-party tools.
6. Architect to Support Cloud-native Applications
Cloud-native applications are characterized by the use of microservices-based architectures often based on containers, Kubernetes and serverless PaaS, along with integration to legacy VMs. Information security should architect to consistently set, view, manage and monitor security and compliance end to end for cloud-native applications regardless of the location or form factor (VM, container, serverless) of the workloads.
7. Be Open to Switching Vendors
Multiple market-leading security vendors have been slow to address the protection needs of cloud-native applications, or their capabilities overlap with those of the cloud providers. Their established business models favor selling on-premises hardware, or simply repackaging legacy hardware capability as a software-based virtual appliance without rearchitecting it to be cloud-native or integrating natively with the underlying cloud provider’s security capabilities.
8. Embrace and Adopt a Zero Trust Security Architecture
Zero trust networking is a concept for secure network connectivity where the initial security posture has no implicit trust between different entities, regardless of whether they are inside or outside of the enterprise perimeter. Risk-optimized access to networked capabilities is dynamically extended only after an assessment of the identity of the entity, the system and the context. This applies to both user-based external access to cloud-based applications and east-west segmentation within the cloud provider.
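An added example (not code from the original page) of a zero trust policy decision point as described above: network location grants nothing, and access is extended only after the identity, the system and the context are assessed. The same function serves a user reaching a cloud application and an east-west call between two workloads; the attribute names and the sample principals are assumptions made for this example.

```python
"""Zero trust access decision point (added example, not from the page).

Models the text's rule: being inside the perimeter is never consulted; access
is extended only after assessing identity, the system (device or workload
posture) and the context of the request. Attribute names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Set

@dataclass
class Principal:
    identity: str                  # authenticated subject (user or workload)
    authenticated: bool            # e.g. SSO for users, mTLS for workloads
    kind: str = "user"             # "user" or "workload"
    mfa: bool = False              # strong authentication, users only
    roles: Set[str] = field(default_factory=set)

@dataclass
class System:
    posture_compliant: bool        # managed, patched device or attested workload
    inside_perimeter: bool         # recorded, but deliberately never used

@dataclass
class Context:
    resource: str
    required_role: str
    sensitive: bool = False        # sensitive resources demand MFA from users

def decide(p: Principal, s: System, c: Context) -> str:
    """Return 'allow', 'step-up' or 'deny'. Never reads s.inside_perimeter."""
    if not p.authenticated:
        return "deny"              # no identity, no access, wherever the caller sits
    if not s.posture_compliant:
        return "deny"              # the system is assessed, not just the user
    if c.required_role not in p.roles:
        return "deny"              # least privilege on the requested resource
    if c.sensitive and p.kind == "user" and not p.mfa:
        return "step-up"           # extend access only after stronger proof
    return "allow"

if __name__ == "__main__":
    svc = Principal("svc-orders", True, kind="workload", roles={"orders-reader"})
    print(decide(svc, System(True, True), Context("payments-db", "payments-writer")))
```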
10 Best Practices on How to Use Cloud IaaS More Securely Than a Data Center
Cloud native is a critical concept today because many organizations using cloud have not fully realized the benefits they expected from it. For example, if a traditional non-cloud application is migrated to cloud using a lift-and-shift approach, the application is unlikely to leverage cloud characteristics and deliver the full benefits of cloud.
Gartner recommends engaging certified cloud partners early in your cloud planning process, to ensure that gaps are identified early and closed before they turn into a disaster.