
CNCF: 80% of Orgs Want Open Source Cloud-Native Security - Container Journal

sambitasa.blogspot.com

Open source software is now essential for driving digital innovation. And arguably, the cloud-native space wouldn’t exist without it — open source software (OSS) is now ubiquitous throughout all aspects of cloud-native architecture.

Open source projects powering the cloud-native shift, like Kubernetes and Linkerd, have ushered in increased standardization, interoperability and accessibility across the board. We see OSS used for container orchestration, container runtimes, service mesh, observability tools and many other areas. But what about security? Should security really be rooted in open source software as well?

The CNCF recently conducted a microsurvey to see how organizations are managing their cloud-native security. Impressively, 82% of respondents say it’s important that the security systems they implement are built using open source software. The willingness to adopt OSS for security signals a maturity of the cloud-native space and its core projects. Whatever qualms or distrust once existed about using open source for mission-critical operations appear to have subsided.

Nonetheless, challenges still exist when faced with securing cloud-native infrastructure. Below, we’ll examine some takeaways from the CNCF report to showcase developers’ attitudes when attempting to protect their cloud-native projects. Optimism aside, operators will inevitably have to address these concerns to reap the benefits of OSS while maintaining high-grade security.

State of Cloud-Native Security

The study found that an impressive 85% of respondents believe modernizing security to be very important to their cloud-native deployments. Cloud-native architecture requires a new security response that goes beyond traditional measures. A cloud-native security posture requires more “dynamic, granular and nuanced control rather than legacy checklists,” reads the report. Policy-as-code is one example of a modern security habit that aligns with current DevOps pipelines.

Open source is essential for modernizing legacy infrastructure. It follows that the security architecture must also modernize, embracing more standardized procedures and automation to reduce manual burdens. A compounding threat landscape means new cloud-native adoptions must respond quickly. Yet, a lack of shared security standards and a disparate array of security and compliance tools make deciding upon a common approach difficult.

This fragmentation is explored in the CNCF report, which found a wide range of internal processes being implemented to tackle security for cloud-native environments. For example, 35% of respondents say their organizations use a combination of manual and automated processes to enact security policies and procedures and 20% have a completely manual process, depending on people and manual security reviews. Only 9% say they have a fully documented set of procedures that are implemented automatically for their teams.

Most alarming, 12% have no known policies, procedures or processes whatsoever. Without standard security practices across cloud-native technology, vulnerabilities are bound to arise. For example, insecure defaults could remain unchecked (a simple yet all-too-common issue that remains a top threat for Kubernetes clusters). Or, a lack of automated scanning could leave CVEs that threaten container integrity in place. Organizations must thus coalesce on new universal security techniques to truly protect cloud-native architecture.

Challenges With Open Source Cloud-Native Security

Most organizations desire cybersecurity systems built using open source software. This optimism proves Linus’s Law; yet, getting there does not come without its challenges. First off, some groups remain stuck in the inherent challenges of running cloud-native environments. More than half (58%) found a lack of technical expertise to be a top difficulty. This was followed by trouble matching new methods and processes like DevOps and CI/CD with existing requirements, tools or processes at 51%; data security at 49% and rising complexity at 46%.

When making greater use of cloud-native products or projects, engineers often run into common security concerns. Slightly more than half (53%) marked no secure-by-default guarantees as a top security concern. Next came visibility into systems, networks and traffic, at 50%. Other issues followed, such as a lack of threat visibility into third-party software (39%), ensuring the general health of open-source projects (35%) and a lack of documentation around each piece of OSS’s security (35%).

Cloud-native tools are beneficial. Yet, operators have noticed that they often require some augmentation to enact the proper security settings due to the challenges above. In fact, 66% of survey respondents said that authentication, identity and access management were most commonly required to be augmented within cloud-native projects. Next came compliance and regulation, auditing, management and monitoring (61%), workload isolation and/or tenant isolation (59%) and key management/credential rotation (53%).

Strengthening Cloud-Native OSS

With reliance on OSS escalating, ensuring these packages are stable and straightforward to implement with the correct security controls will be essential to maintaining a strong cloud-native IT industry. There are certain actions cloud-native OSS maintainers can take in this area to ensure better usability and knowledge sharing around each project. Too often, popular GitHub repos are left puzzlingly opaque, with a lack of explanation.

Yet, the onus is also on adopters to instill a modern security culture that fits the cloud-native paradigm. Complete cloud-native security must encompass the four key pillars of code, container, cluster and cloud, writes Mostafa Radwan.

The CNCF fall 2021 Cloud-Native Security Microsurvey, organized by TAG Security, exposed security perspectives and concerns among today’s cloud-native technology adopters. For further insights, you can grab a copy here.

"want" - Google News
November 01, 2021 at 01:00PM
https://ift.tt/3BxDOTI
