Traditional Security Won’t Cut It for Secure Cloud-Native Applications: Here’s Why

August 10, 2022 | Anastasios Arampatzis

Cloud-native has arrived. But there is a significant difference between gearing your environment to handle cloud applications and making your entire ecosystem run on the cloud. The same differences exist for securing it.

The cloud-native workload is based on several elements: microservices, containerization and the DevOps methodology. New approaches are needed to secure this new development paradigm that runs on virtual machines, containers, and largely, Kubernetes.

The risks of securing cloud-native with traditional security measures

Traditional security methods such as firewalls, VPNs, and other perimeter-bound approaches were built for monolithic architectures and have not scaled well with virtualization. There are several problems with these approaches.

They lack visibility. In an environment with multiple platforms, integrations, vendors, and technologies, a lot can fall through the cracks. Scanning the network is more complex than it used to be, and technologies that work across one solution may not work across another, resulting in shadow IT, missed malware and blind spots.

With the physical perimeter obsolete, the security solution needs to be as agile as the environment itself, or it becomes useless. Traditional solutions were not built to follow millions of microservices and virtual machines around an enterprise, which is exactly what DevOps-driven, dynamic applications do. And this is to say nothing of the cost of traditional security tooling, its difficulty scaling, or its dependency on large IT teams that are often in short supply.

Therefore, a data-centric, operation-centric or identity-centric approach is needed to fully secure applications at scale in the cloud. For that, we can look to methods such as modern authentication, data encryption, throughput security, MFA and machine identity protection.

Requirements of a cloud-native security approach

To remedy these issues, new capabilities must be sewn into our existing security architecture, or the architecture must be overhauled and rebuilt completely. However you get from point A to point B, your cloud-native security solution should be able to do the following, as suggested by IBM:

  • Authenticate personnel. Anyone who accesses your cloud resources, from developers to administrators, must be authenticated and authorized securely. Although the classic perimeter no longer exists, identity could be said to be a frontier of the new perimeter, and must be defended as such.
  • Authenticate applications at the microservices level. Applications must be authorized and authenticated wholesale as well as on the microservices level.
  • Isolate and protect cloud deployments. This solution should be able to provide network isolation and secure connectivity for your cloud solutions.
  • Protect against DDoS attacks and other vulnerabilities. To protect against vulnerabilities, a complete asset inventory (and therefore complete asset visibility) is required. Expired certificates present a persistent and easily exploitable threat.
  • Isolate and separate critical components at the memory, process and application level.
  • Provide gapless data protection. Data should be protected (and that can mean encrypted) at rest and in transit. Provisions should be made so that while not encrypted, cloud-based data is still protected in use.
  • Automate vulnerability scans. Considering that a cloud-based architecture carries myriad microservices, containers and VMs, there will certainly be at least as many machine identities. Your solution should automatically scan for vulnerabilities such as expired or unaccounted-for certificates, as well as for missing patches, updates and new releases.
  • Log API calls. Have a way to gather, store and access all cloud API calls for the purposes of compliance and audits.
  • Provide one central management dashboard. A “single pane of glass” is becoming less luxury and more necessity as cloud applications proliferate and expand the attack surface. Multiple dashboards for multiple areas of your enterprise not only slow down response time but fail to provide a full view of your security posture in context.

Machine Identity Protection for Kubernetes

As microservices, containers and virtual machines expand in the cloud, so does the number of TLS certificates and the need to manage them to maintain security. Jetstack Secure is a solution built for Kubernetes and OpenStack environments that utilizes cert-manager to manage this influx of certificates.

Developed by the Jetstack team at Venafi, cert-manager provides full visibility into each cluster, allowing you to detect poorly implemented security configurations and monitor for ingress. Instead of waiting for threats to come through the perimeter, you can proactively hunt for them within your cluster.

As TLS certificates are found everywhere within Kubernetes, not simply at entry and exit, an effective certificate management tool is necessary to keep your cloud-based applications safe and maintain a zero trust environment in the cloud. Learn more about securing Kubernetes in the cloud here.
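To make the "automate vulnerability scans" requirement and the cluster-visibility point above concrete, here is an added example (written for this page, not Venafi's, Jetstack's or cert-manager's own tooling) that audits the inventory cert-manager already keeps. It assumes the cluster runs cert-manager, whose Certificate resources record the issued leaf's expiry in `status.notAfter` and a `Ready` condition, and that the input is the JSON from `kubectl get certificates -A -o json`. The inventory below is constructed sample data, and the reference date is fixed to the article's publication date so the output is reproducible.

```python
"""Audit cert-manager Certificate resources for expired, expiring and unhealthy entries.

Input: JSON as produced by `kubectl get certificates -A -o json` (cert-manager CRD).
Output: a list of (namespace/name, finding, detail) tuples for anything that needs attention.
"""
import json
from datetime import datetime, timedelta, timezone

WARN_DAYS = 14  # renewal window: flag anything with this many days or fewer left

# Fixed "current time" (the article's publication date) so the sample run is deterministic.
NOW = datetime(2022, 8, 10, tzinfo=timezone.utc)

# Constructed sample inventory, trimmed to the fields the audit uses.
SAMPLE_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "api-tls", "namespace": "prod"},
         "status": {"notAfter": "2022-09-30T00:00:00Z",
                    "conditions": [{"type": "Ready", "status": "True"}]}},
        {"metadata": {"name": "legacy-tls", "namespace": "prod"},
         "status": {"notAfter": "2022-08-01T00:00:00Z",
                    "conditions": [{"type": "Ready", "status": "True"}]}},
        {"metadata": {"name": "ingress-tls", "namespace": "staging"},
         "status": {"notAfter": "2022-08-20T12:00:00Z",
                    "conditions": [{"type": "Ready", "status": "True"}]}},
        {"metadata": {"name": "broken-tls", "namespace": "dev"},
         "status": {"conditions": [{"type": "Ready", "status": "False",
                                    "reason": "Failed",
                                    "message": "issuer not found"}]}},
    ],
})


def parse_rfc3339(ts):
    """cert-manager writes RFC 3339 UTC timestamps with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_certificates(cert_list_json, now=NOW, warn_days=WARN_DAYS):
    """Return findings for every Certificate that is expired, expiring soon, or not Ready."""
    findings = []
    for item in json.loads(cert_list_json).get("items", []):
        meta = item["metadata"]
        ident = f"{meta['namespace']}/{meta['name']}"
        status = item.get("status", {})
        conditions = status.get("conditions", [])

        # A Certificate whose Ready condition is not True has no valid, issued leaf
        # (issuance failed, issuer missing, renewal stuck, ...).
        ready = any(c.get("type") == "Ready" and c.get("status") == "True"
                    for c in conditions)
        if not ready:
            detail = next((c.get("message") or c.get("reason", "")
                           for c in conditions if c.get("type") == "Ready"),
                          "no Ready condition")
            findings.append((ident, "NOT_READY", detail))

        not_after = status.get("notAfter")
        if not not_after:
            # Nothing has ever been issued for this resource: an unaccounted-for identity.
            findings.append((ident, "NO_CERT", "no issued certificate recorded"))
            continue

        remaining = parse_rfc3339(not_after) - now
        if remaining <= timedelta(0):
            # Whole days elapsed since expiry (rounded down).
            findings.append((ident, "EXPIRED", f"expired {-remaining.days} day(s) ago"))
        elif remaining <= timedelta(days=warn_days):
            findings.append((ident, "EXPIRING", f"{remaining.days} day(s) left"))
    return findings


def run_sample():
    """Audit the constructed inventory at the fixed reference date."""
    return audit_certificates(SAMPLE_JSON, NOW)


if __name__ == "__main__":
    for ident, finding, detail in run_sample():
        print(f"{finding:10} {ident:24} {detail}")
```

In practice the JSON would be piped in from kubectl and the findings shipped to whatever dashboard or ticketing system the team already watches; the point is that the inventory cert-manager maintains is enough to catch expired and never-issued certificates without scanning the network for them.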

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
