
DevOps and Security in a Cloud-Native World

DevOps teams have naturally embraced microservices and modern application delivery workflows. But they may get pushback from risk-averse leadership or feel slowed by security teams that struggle to keep pace. Development teams that play a greater role in guiding their organization’s cloud transformations will ultimately come out ahead.

These are some of the takeaways from the largest and most globally expansive market research dataset on cloud-native security to date, the “State of Cloud Native Security Report 2020,” from Palo Alto Networks.

Analyzing the data with a DevOps point of view may help your organization navigate its own transitions.

Cloud Native Architectures and Security: What it Means for DevOps

Organizations estimated that, on average, 46% of all workloads are already in the cloud, and 95% of respondents expect that number to increase over the next 24 months. This likely means more resources and deployments for DevOps teams, but it also means that security has to keep up with these cloud workloads.

Change is constant in cloud infrastructure

Most survey respondents (80%) said their company’s cloud infrastructure is constantly evolving. This consistent change stems from companies experimenting and evaluating new cloud offerings, finding best practices and exploring new services.

But this constant change affects security teams and their tooling, both in how they continuously audit and protect cloud-native applications today and in how they need to strategize for any anticipated change in the future. In the survey, 75% of respondents worried that cloud threats already outpace security.

Multi-cloud is the industry standard

DevOps teams have more options than ever before for running cloud-native apps. Nearly every organization surveyed—90%—confirmed they use more than one cloud platform. And respondents are using a combination of compute architectures: VMs account for 30% of workloads on average, with containers at 24%, CaaS at 21% and PaaS at 22%.

As DevOps teams take advantage of increasing platform/compute permutations, security teams need both wider and deeper visibility across cloud infrastructure. For some security teams, this has meant more tooling—57% of teams reported using more than five security tools and some up to 11 or more—which may mean a proliferation of workflows, policy engines and dashboards.

DevOps and security aren’t concerned with any single threat

Teams have many threats that they prioritize differently. When respondents were asked for the No. 1 threat, no single answer stood out; instead, 10 ranked about equally in frequency:

  • Data exposure (13.2%)
  • Malware (12.8%)
  • Application vulnerabilities (10.9%)
  • Weak and broken authentication (10%)
  • Insider threats (9.7%)
  • Credential leakage (9.1%)
  • Insecure APIs (9%)
  • Infrastructure misconfigurations (9%)
  • Application misconfigurations (8.7%)
  • Over-permissioned access and misconfigurations (7.7%)

This means that DevOps and security teams may sometimes clash about what needs to be the highest priority and how to ensure they are meeting a high level of security.

While many organizations feel that the diversity of cloud and the speed at which it changes can cause gaps in security, the survey also suggests there are ways to successfully minimize risks.

Embedding Security Across the Application Life Cycle

The survey analyzed the types of actions companies take in their cloud security, then created a ranking based on responses. (Details are available in the report.) Companies with the highest-level preparedness ranking were found to have many of the same habits.

Many highly prepared organizations (45%) embed security into their DevOps processes and almost as many (41%) integrate security in at least four stages of the development life cycle.

In addition to shifting security left, these organizations automate many security practices such as configuration monitoring and vulnerability scanning/management, eventually implementing guardrails or quality gates into their regular workflows.

DevOps teams should work with leadership and security to identify consolidated platforms that can scale to continuously monitor configurations and protect the continuum of compute options discussed above. These types of platforms that can integrate security across the development life cycle are beginning to gain more attention and are becoming increasingly practical solutions.

Next Steps

The survey data makes clear that the cloud will continue to evolve as it matures, and it will remain multi-everything. It also suggests there are things DevOps teams can do to help set the model for how cloud is adopted in their organization.

Security and development teams will need to increase collaboration to identify threats and controls. By shifting left and inserting security at the earliest possible point in the development process, and by using platforms that integrate across the life cycle, teams can anticipate threats or vulnerabilities and reduce their impact.

Keith Mokris

Keith Mokris is the Product Marketing Lead for Prisma Cloud at Palo Alto Networks, where he is focused on helping enterprises secure their cloud native environments. Previously, he led product marketing at Twistlock, the container security leader acquired by Palo Alto Networks; and NowSecure, a mobile application security testing startup. In his free time, he is a landscape and street photographer.
