Time to Secure Cloud-Native Apps Is Now

The news headlines are full of breaches and data exposures that are the result of unsecured cloud-native applications and application programming interfaces (APIs) — how, for example, third-party data logging application TeslaMate retrieves information about Tesla cars via the Tesla API, and users with misconfigured TeslaMate instances exposed information, such as real-time location and whether the driver was present in the car. Or how unauthorized access to Sumo Logic’s Amazon Web Services account exposed API access keys, third-party credentials stored with Sumo Logic, and customer passwords for Sumo Logic accounts.

These incidents, and others, illustrate why organizations need to refocus on cybersecurity basics, such as securing cloud-native applications by default, managing decentralized and disparate security toolsets, and addressing misconfigurations and credential misuse.

Dark Reading's newreport on securing cloud-native environments and development pipelines highlights novel attacks targeting these environments and how attackers evade detection. Adversaries are manipulating cloud-native resources and applications to improve lateral movement and gain elevated privileges. Cloud-native capabilities generally implies a high degree of self-service for users, which introduces new vulnerabilities and risks as a result of misdelivery, misconfiguration, and publishing errors.

"These risks are becoming a greater focus for security leaders," says Rich Marcus, vice president of information security at governance provider AuditBoard.

State of Cloud Native Enterprise

Despite security challenges, the benefits of cloud-native environments will keep enterprises moving toward the cloud. Cloud-native architectures enable organizations to leverage the full promises of cloud computing, such as availability, elasticity, and scalability. The risk equation has also shifted, since cloud providers have solved many of the challenges that were present with on-premises environments, says Matt Shelton, head of threat research and analysis at Google Cloud.

"When you move to the cloud, you no longer have to worry about the network, such as a DDoS attack," Shelton says. "You don't have to worry about vulnerability management at the operating system level. With containers, you no longer have to worry about the operating system. The cloud has shifted the risk to the cloud provider here."

Misconfigurations and credential abuse remain the most significant challenges for cloud-native environments, so organizations must focus on persistent misconfigurations, credential management, and the decentralized nature of cloud-native environments to ensure the security of their systems. Security teams need to implement the right security controls and processes within cloud-native environments to secure their systems. This includes regular security training for all members of the security team, as well as the implementation of automated policy enforcement to address the challenges of cloud-native development.

Read more in "The Keys to Successfully Securing Cloud-Native Environments" report.