What is cloud-native security?

Cloud-native security is security designed for, and integrated with, cloud environments: it accounts for the ephemeral, configurable, and API-driven nature of cloud services rather than assuming a fixed set of servers and networks.

Learning Objectives

After reading this article you will be able to:

  • Define cloud-native security
  • List the risks faced by cloud-native applications
  • Understand the core components of cloud-native security


What is cloud-native security?

Cloud-native security refers to security practices and technologies designed for the security challenges specific to the cloud. Cloud resources are ephemeral, configurable, scalable, and integrated with each other in many different ways. Cloud services also change who is responsible for what: under the shared responsibility model, the provider secures the underlying infrastructure, while the customer remains responsible for its own data, identities, configurations, and application code. Cloud usage generally reduces some traditional risks of on-premises infrastructure (physical security, hardware maintenance, patching of the underlying platform), but it introduces new risks that have to be managed with cloud-native security.

Cloud-native security contrasts with security built for protecting on-premises infrastructure. It is designed to safeguard cloud-based application infrastructure while supporting data compliance and governance, even as the functions, services, APIs, and (potentially) underlying hardware of a cloud application shift.

Why is cloud-native security important?

Cloud applications change constantly. Cloud-based software abstracts away hardware, so the customer does not control, and often cannot even see, the specific server, data center, or local network a workload runs on. Protecting those is the provider's job, and building a security model around them does little to keep cloud applications safe.

Think of a home security system: A security-conscious homeowner will set up sensors on their home's doors and windows to prevent unauthorized entry. But if the homeowner renovates their home and suddenly adds more windows and moves doors around, the security system has to be reconfigured.

Cloud applications are like a house that is constantly being renovated: An old-fashioned security system that assumes a static and unchanging architecture is not likely to be very effective, and will require constant manual reconfiguration. But cloud-native security is not built on the assumption that everything is always in the same place. Instead it focuses on securing workloads and identities, and on continually monitoring traffic and events in the cloud.

What are cloud-native applications?

Cloud-native applications are designed for and deployed in the cloud. They tend to have flexible and highly scalable architectures and run across multiple locations, so perimeter-based approaches to security are often not very effective; hence the need for cloud-native security.

A number of different architectures may be used for cloud-based applications, either alone or in combination. They may be built from microservices, serverless functions, container-based backends, or a mix of all of these.

What is common to all of these architectures are frequent changes and expansions, as well as on-demand computing. The functions that comprise a serverless backend, for example, run and scale up as they are needed, instead of running constantly on a set amount of compute power.

Applications that are not designed for the cloud are often "monolithic." Such applications are one standalone stack, and updates apply to the entire application. Cloud-native applications, in contrast, are composed of multiple parts, often connected via APIs. These parts can be moved, changed, updated, or expanded separately from each other.

Because cloud-native applications are several abstraction layers removed from on-premises, localized hardware and networks, there is no fixed network perimeter to defend. Traditional security measures focus on keeping threats out of a clearly defined network. Sometimes these measures are adopted for defending the cloud, but the fit is often awkward and fails to scale flexibly. Cloud-native security is instead constructed specifically for cloud-based architectures.

What are the main cloud-native application security risks?

Infrastructure that expands and changes rapidly can broaden an application's attack surface. Some of the major threats include the following:

  • API security risks: The functions, containers, and microservices that comprise cloud-native applications connect to each other via APIs. API security vulnerabilities can expose data, give attackers access, or put cloud-native applications at risk in a number of other ways.
  • Misconfigurations: Setup errors in cloud deployments — known as misconfigurations — are a major risk to data in the cloud. A storage bucket left publicly readable, a firewall rule that admits administrative ports from any address, or an identity granted far more permissions than it needs can each expose a deployment to the public Internet or to an attacker who has compromised one component, and such errors have led to major data breaches.
  • Insider threats: Insiders with access to cloud data can accidentally or maliciously edit, copy, or delete data.
  • Data exfiltration: The cloud offers a large amount of attack vectors for the unauthorized transfer of sensitive data, due to the vast number of cloud services embedded in most cloud-based applications and the multi-tenant nature of cloud infrastructure.
  • Lack of visibility: Cloud-based applications are constructed on infrastructure owned and operated by external parties. The advantage of this is that cloud-native development has much less overhead, but the disadvantage is the lack of visibility into where data is, where workloads are running, and where data is going. In addition, shadow IT deployments — the use of unauthorized services or applications — are a major concern since they are not monitored.
  • Compliance risks: In the cloud, due to that lack of visibility, it can be hard to control where data goes and how it is accessed, which makes compliance with regional data regulations a challenge.

What are the components of cloud-native security?

  • Identity and access management (IAM): These capabilities verify who or what an entity is and what it is allowed to do. IAM in the cloud should verify the identity of users, applications, servers, and APIs alike. And access for all these entities should be tightly controlled and monitored. If one user or service is compromised and has too much access, that can lead to a major breach. The principle of least privilege can help ensure no person, service, or device has too much access.
  • Workload security: One truism of modern-day security is that threats can just as easily be present within an application as outside of it. Workload security is the practice of looking for threats inside of cloud workloads (a workload is a program or application that uses some amount of computing power). Workloads run at different abstraction layers in the cloud, from running in containers to running on virtual machines to running as serverless functions. Workload security (such as that provided by a cloud workload protection platform, or CWPP) looks for malicious code and known vulnerabilities across all these different environments.
  • Web application and API protection (WAAP): Cloud-native applications need to be secured against application-layer attacks, from injection attacks to distributed denial-of-service (DDoS) attacks. APIs, which are integrated into almost all modern applications, require protection as well, since APIs are vulnerable to a number of attacks.
  • Network security: Cloud-native security also inspects network traffic to, from, and between workloads to identify and block malicious traffic, and to prevent sensitive data from leaving secured environments.
  • Infrastructure-as-code (IaC) scanning: Infrastructure-as-code (IaC) is an approach for managing and configuring cloud infrastructure using code — declarative templates or scripts — instead of manual processes. IaC scanning looks for misconfigurations and insecure defaults in that code before it is deployed, for example storage exposed to the public, overly broad network rules, or hard-coded credentials.
  • Cloud security posture management (CSPM): CSPM tools automatically and continuously scan deployed cloud infrastructure for security misconfigurations, possible compliance violations, and vulnerabilities, catching drift that IaC scanning alone cannot see.
  • Data protection: As a step towards keeping data secure and maintaining compliance, organizations should identify all data stored by a cloud-native application, discover where that data is located, and ensure it is protected.
  • Continuous monitoring and reporting: Cloud applications and infrastructure should be continuously monitored and logged to detect anomalies that may indicate a breach or a vulnerability. Monitoring can also detect security misconfigurations.
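The misconfiguration risk listed earlier and the IaC scanning and CSPM components above both come down to the same kind of check: walk an inventory of cloud resources and flag the ones that violate a policy. The script below is an added example written for this page, not Cloudflare's product or any vendor's scanner. It runs three such checks over a constructed, hypothetical inventory (the resource types, attribute names, and the `SAMPLE_INVENTORY` schema are invented for the example and do not follow any provider's real format): a publicly readable storage bucket, a security group that opens an administrative port to the whole Internet, and an IAM policy that grants every action on every resource.

```python
"""Minimal policy-as-code checks over a cloud resource inventory.

Added example for this page. The inventory format below is hypothetical,
modelled loosely on a flattened IaC plan; it is not any vendor's schema.
"""
import json
from dataclasses import dataclass

# Constructed sample inventory: two buckets, two security groups, two IAM policies.
# Exactly one of each pair is misconfigured.
SAMPLE_INVENTORY = json.loads("""
{
  "resources": [
    {"type": "storage_bucket", "name": "public-assets",
     "attrs": {"acl": "public-read", "versioning": true}},
    {"type": "storage_bucket", "name": "customer-exports",
     "attrs": {"acl": "private", "versioning": false}},
    {"type": "security_group", "name": "web",
     "attrs": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                           {"port": 22,  "cidr": "0.0.0.0/0"}]}},
    {"type": "security_group", "name": "db",
     "attrs": {"ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]}},
    {"type": "iam_policy", "name": "ci-deployer",
     "attrs": {"statement": [{"effect": "Allow", "action": ["*"], "resource": ["*"]}]}},
    {"type": "iam_policy", "name": "log-reader",
     "attrs": {"statement": [{"effect": "Allow", "action": ["logs:Get*"],
                              "resource": ["arn:example:logs:prod/*"]}]}}
  ]
}
""")

# Ports that should never be reachable from the whole Internet (SSH, RDP, common DBs).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule identifier
    resource: str   # name of the offending resource
    detail: str     # human-readable evidence


def check_public_bucket(res):
    """Flag buckets whose ACL grants access to anonymous principals."""
    if res["type"] != "storage_bucket":
        return []
    acl = res["attrs"].get("acl", "private")
    if acl.startswith("public"):
        return [Finding("PUBLIC_BUCKET", res["name"], f"acl={acl}")]
    return []


def check_open_ingress(res):
    """Flag sensitive ports exposed to any source address. 443 from anywhere is fine."""
    if res["type"] != "security_group":
        return []
    findings = []
    for rule in res["attrs"].get("ingress", []):
        if rule["cidr"] in ANY_ADDRESS and rule["port"] in SENSITIVE_PORTS:
            findings.append(Finding("OPEN_ADMIN_PORT", res["name"],
                                    f"port {rule['port']} open to {rule['cidr']}"))
    return findings


def check_wildcard_policy(res):
    """Flag Allow statements that grant every action on every resource (least privilege)."""
    if res["type"] != "iam_policy":
        return []
    findings = []
    for st in res["attrs"].get("statement", []):
        if st.get("effect") != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in st.get("action", []))
        wild_resource = "*" in st.get("resource", [])
        if wild_action and wild_resource:
            findings.append(Finding("ADMIN_WILDCARD", res["name"], "Allow * on *"))
    return findings


CHECKS = (check_public_bucket, check_open_ingress, check_wildcard_policy)


def scan(inventory):
    """Run every check against every resource and return the list of findings."""
    findings = []
    for res in inventory["resources"]:
        for check in CHECKS:
            findings.extend(check(res))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_INVENTORY):
        print(f"{f.rule:16} {f.resource:18} {f.detail}")
```

Run against the sample, the scanner reports three findings: `public-assets` (public ACL), `web` (port 22 open to 0.0.0.0/0; the 443 rule is intentionally allowed), and `ci-deployer` (`*` on `*`). The same functions can run before deployment over a plan (IaC scanning) or after deployment over an exported inventory (CSPM); the difference is only where the input comes from.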

What is a CNAPP?

A cloud-native application protection platform (CNAPP) is a type of security solution that provides all-in-one cloud security and compliance for applications, typically bundling capabilities such as CSPM, CWPP, and IaC scanning into a single platform. CNAPPs can help developers and security teams identify threats and flaws as early in the development cycle as possible, instead of only discovering problems after deployment.

How does Cloudflare secure cloud-native applications?

With cloud access security broker (CASB) and WAAP services, Cloudflare provides deep visibility into SaaS and cloud applications, detects misconfigurations, blocks attacks, and helps prevent data exposure for cloud applications and infrastructure. Learn how Cloudflare protects applications, APIs, and data across hybrid and multi-cloud environments.