Using a Full Lifecycle Approach to Secure Cloud Native Applications

This post is also available in: 日本語 (Japanese)

Security professionals are being deluged by a profusion of tools – there seem to be point tools for nearly every single issue. Thankfully, there are platforms that smartly package these tools into more comprehensive solutions. The trend many are seeing now, though, is that these platforms have so far only focused on certain parts of the software development lifecycle. What many security teams need are simpler, full lifecycle approaches to secure cloud native applications.

I want to highlight a trend of consolidating cloud security posture management (CSPM) and cloud workload protection platforms (CWPP) into the emerging area of cloud native application protection, which offer a full lifecycle approach and simplify security. In addition, I'll present subsequent recommendations stemming from the consolidation.

Palo Alto Networks was recently listed by Gartner in “Top Security and Risk Management Trends” as one of three sample vendors converging CWPP and CSPM capabilities across development and production, including container/serverless protection.

It Can Be Challenging to Secure Cloud Native Applications

Cloud native applications present tremendous challenges for security and risk professionals:

A larger number of entities to secure

DevOps and infrastructure teams are leveraging microservices – using a combination of containers, Kubernetes and serverless functions – to run their cloud native applications. This growth is happening in conjunction with a constantly increasing cloud footprint. This combination leads to a larger number of entities to protect, both in production and across the application lifecycle. 

Environments are constantly changing

Public and private cloud environments are constantly changing due to the rapid-release cycles employed by today’s development and DevOps teams. As enterprises deploy weekly or even daily, this presents a challenge for security personnel looking to gain control over these deployments without slowing down release velocity.

Architectures are diverse, spanning multi- and hybrid-cloud environments

Enterprises are using a wide-ranging combination of public and private clouds, cloud services and application architectures. Security teams are responsible for addressing this entire infrastructure and how any gaps impact visibility and security. 

The Need for Integrated Security Across the Application Lifecycle

In order to secure cloud native applications and cloud environments, security controls need to be addressed before deployment. This includes integrating vulnerability scanning and hardening checks into integrated developer environments (IDEs), security configuration management (SCM), continuous integration (CI) workflows and image registries to quickly pass feedback to the development teams and address security issues before deployments. 

Additionally, protecting cloud environments and running applications is a top requirement for modern enterprises. Security teams need to continuously monitor cloud configurations, while also protecting the VMs, containers and serverless applications running on top of that infrastructure.

This is where a consolidated platform helps organizations scale their security efforts, both across the lifecycle and up and down the entire stack.

An Emerging Category: Cloud Native Application Protection Platforms

Recently, Gartner published “Top Security and Risk Management Trends,” highlighting key themes and requirements for security and risk professionals. In the report, Gartner states:

“As a result of the protection needs of cloud-native applications, the CWPP and CSPM market are rapidly converging into cloud-native application protection platforms. Support for scanning of containers and serverless functions in development is becoming a mandatory requirement for any CWPP. Runtime protection of containers and serverless functions is also becoming a requirement. CSPM across development and runtime is becoming a requirement.”

In the report, under Trend No. 8, we think Gartner includes recommendations for security and risk management (SRM) leaders looking to improve their cloud workload protection. Here are a few key recommendations that Palo Alto Networks has chosen to summarize:

• Address the requirements of protecting cloud workloads, including server workload protection and container security capabilities.
• Prioritize CSPM to ensure workloads are configured properly and extend CSPM into the development process.
• Ensure your security provider is fully API-enabled for automation.
• Consider a comprehensive cloud-native application protection platform that combines CWPP and CSPM, including capabilities for containers and serverless, in a single solution.

We believe Palo Alto Networks is well-positioned to secure cloud native applications.

In November 2019, Palo Alto Networks announced that Prisma Cloud was the industry’s most complete Cloud Native Security Platform, officially combining best-in-class capabilities from evident.io, RedLock, PureSec and Twistlock to address the needs that organizations have across CSPM and CWPP. And in the second half of 2020, Prisma Cloud will strengthen its capabilities, adding identity-based microsegmentation for applications running on any cloud, through the integration of the recent acquisition of Aporeto.

We’re proud to be formally mentioned in this report, as we strongly feel our capabilities map directly to the suggested requirements for cloud native application protection.

To learn more about Gartner’s insights and recommendations for securing cloud native applications, download “Top Security and Risk Management Trends” today.