Considering recent events involving SolarWinds’ cybersecurity breach, security has become one of the hot topics among IT professionals. When it comes to security, it even gets more complicated when things are in the cloud. Now you have servers on premises and in the cloud that need to talk to each other to exchange data. And even within the cloud, you have applications that run on multiple cloud platforms. With more and more teams using containers and microservices to build applications that can scale better, developers need to pay close attention to security at all levels. Traditional DevOps teams need to work in a DevSecOps environment, where security is involved in all areas of development and where not just a single team is responsible for security.
There is also a strong need for zero trust architecture when building applications that run on distributed environments. This means all users and systems should be treated as potential threats until they are properly authenticated. In other words, zero trust is like having checks at every door in the building, not just the main door. This strategy is great for distributed applications that run on multi-cloud environments, minimizing the attack surface. As a result, a hacker must break into multiple systems to gain access to information instead of one server that contains everything. The National Institute of Standards and Technology (NIST) recently published SP 800-204B, which provides guidelines for deployment architecture in cloud-native applications using service mesh. The attribute-based access control provides requirements for zero trust and robust access control when it comes to communication between any service.
While building applications in the cloud is efficient, cost effective, and highly scalable, it is important to keep security involved at all stages of application development. Security should not be the responsibility of one team; it should be a mindset that is applied at all levels. Do not trust anyone or anything unless verified at each step. Multidimensional protection strategy, penetration resistance, and damage-limiting design approaches should be followed to achieve cyber-resiliency and survivability. Organizations should take a risk-driven view to reduce their trust surface and leverage a holistic portfolio of products and services.