
URL: https://thenewstack.io/cloud-native-security-hasnt-solved-compliance-challenges/


Cloud Native Security Hasn’t Solved Compliance Challenges

Eighty-four percent of participants in a new survey by Tigera said they found it challenging to meet compliance regulations for cloud native applications.
May 17th, 2022 7:00am by Lawrence E Hecht

Modern, cloud-based, distributed networks may lack a defined perimeter to protect, but they still need network security. And nearly all organizations know that: 98% of those surveyed in an April report by Tigera said they need network security to keep their cloud native applications safe.

Unfortunately, it is difficult to provide auditable proof that security is being provided. That’s why 84% of the study participants said they found it challenging to meet compliance regulations for cloud native applications.

Tigera, a cloud native security company, commissioned a survey of 304 people with both security and container-related responsibilities at companies with at least 10 employees. Seventy-nine percent said their containers need access to internal applications, like databases, and 63% need the same access for third-party, cloud-based services.

The results showed how network security requirements reflect the specific needs of cloud native application security:

  • Sixty-nine percent of survey participants said they need container-level firewalls.
  • Fifty-nine percent said they need workload-access control, to police what goes in and out of clusters.

However, requirements more likely to be associated with traditional network security, such as microsegmentation and infrastructure entitlement management, were less likely to be mentioned by the survey participants.

Some people involved with cloud and application security dismiss firewalls and VPNs as legacy tech, but companies like Tailscale are proving there is a demand for new virtual networks too. In fact, the very nature of cloud native applications means that network security approaches and terminology have newfound meaning.

The Tigera study revealed that respondents are making distinctions between “cloud native” and “containerized” applications. When respondents to the Tigera survey were asked about the network security of “containerized applications”—only a slight tweak on the question they were asked previously about “cloud native applications” — segmentation jumped in importance, though controlling access to workloads continued to be a top need.

What’s the difference between containerized and cloud native applications? The presence of an actual container, but users have other, less defined ways they view the subject.

Challenges in Reporting Container Activity

When asked about cloud native challenges more broadly, container security was deemed challenging for 68% of respondents’ companies, followed by network security (60%), compliance (57%), and observability (39%).

Survey participants expect runtime security and workload assurance as container-security capabilities, but realize that image scanning is something that is better left for CI/CD tools.

Although observability was not revealed to be a top pain point, the ability to report on container activity is directly related to some of the biggest security challenges. When asked about their observability challenges, 51% of survey participants complained about a lack of actionable insights, while the next most common problems dealt with tracking specific types of information.

The last round of observability tooling wasn’t aimed at compliance use cases. That’s one reason why 77% of respondents said finding and correlating all relevant data is challenging as their organization tries to meet container-level compliance requirements. The extra time and effort to put together the necessary reports are also burdensome, they reported.

It is these auditable reports that may turn out to be the biggest problem of them all. Regulators require proof and data about the traffic to and from cloud native applications. A track record has to be provided about endpoints and identities managed.

Even if there are existing policy-as-code solutions, have they been engineered to meet these types of use cases? If not, then there is a screaming need waiting to be fulfilled.

Zero Trust and CNAPPs

Complying with regulations won’t be a simple fix because of the very nature of companies’ new technology strategies.

“With traditional security solutions designed for a monolithic application, the focus is on preventing application access by building a wall around the application,” Utpal Bhatt, Tigera’s chief marketing officer told The New Stack. “That approach doesn’t work in a Kubernetes environment, as the internal network is extensively used by workloads to communicate.”

That’s why cloud native systems demand a zero trust security strategy, and Tigera has used the approach since before it was cool and mainstream. The company is marketing itself as a Cloud Native Application Protection Platform (CNAPP).

A recent Gartner report noted that there is a blurring distinction between this category and Cloud Workload Protection Platforms (CWPP), Cloud Security Posture Management (CSPM) and Cloud Identity Entitlement Management (CIEM).

Cloud native applications are complex, but the basics of cybersecurity haven’t changed. End-user training is essential, and beyond that it seems like the five pillars of zero trust are remarkably similar to what was taught in cybersecurity classes:

  1. Network.
  2. Application workload.
  3. Identities.
  4. Data.
  5. Devices (physical security).

If you combine network access and identity with zero trust, you get Zero Trust Network Access (ZTNA). ZTNA security solutions remotely connect organizations based on defined control policies that clearly communicate who has access to what, and for how long that access is granted.

Most readers of The New Stack really don’t care what a vendor calls itself, but all the acronyms get quite confusing. Container firewalls are needed by 69% of this survey’s participants. The nuances between network, application and container firewalls really don’t matter. Just keep us safe.

Lawrence has generated actionable insights and reports about enterprise IT B2B markets and technology policy issues for over 25 years. He regularly works with clients to develop and analyze studies about open source ecosystems. In addition to his consulting work,...
Tigera is a sponsor of The New Stack.
TNS owner Insight Partners is an investor in: Tigera, Tailscale.