
Embracing the New Mindset of Cloud-Native Security

What is a “mindset of cloud-native security”? 🤔 That’s a great question. That’s why Justin McCarthy, CTO and co-founder of StrongDM, recently sat down with Mike Vizard at Container Journal and a panel of technology experts to discuss just that—and how to implement it without creating friction.

The full panel included:

So, what makes cloud-native security different? Here’s the recap: 

Developers Don’t Want to be Security Experts

Security has become a moving target, especially at a time when developers have gained the power to implement, scale, and change infrastructure at will. And as applications and services have become more distributed, visibility has become a challenge as well. 

That’s why cloud-native security is a mindset problem. How do you blend security awareness into the development process? Security must shift from the old-school method of ultimate control to empowering teams to make security-informed choices.

Before the cloud, there was a clear separation between the person who wrote the code and the person who worked on the network. That specialization of skills forced a necessary conversation about “should we versus could we” when it comes to development and security. But with the cloud, those conversations are no longer built-in and can no longer be assumed. On top of that, developers don’t want to be security experts. 

The result? The security professional’s role has evolved and now must integrate actionable security steps into the developers’ workflow in a way that doesn’t bog them down.

Mo’ Technologies, Mo’ Problems

“It's hard for us to learn because our job is hard.”  -Scott Gerlach, co-founder and CSO, StackHawk

One of the hardest challenges for security teams is the perpetual cycle of new technologies being added, which can leave them trailing behind. In a world with Kubernetes, containers, and serverless computing, where new frameworks emerge all the time, how can security keep up? 

Since this speed of growth is inevitable, learning to partner with DevOps has become critical, and security professionals must learn to be comfortable being uncomfortable. Again, it comes down to mindset. You’ve got to spread security tasks into the organization. Developers need tools to help them make better security decisions—without slowing them down.

Analysis Paralysis and Acceptable Risk

“You want to feel productive with your work. And one thing that can feel pretty unproductive is interminable analysis paralysis … At some point, you need a way to halt the debate and say, we’ve made some decisions … let's move forward.”  -Justin McCarthy, CTO and co-founder, StrongDM

How do you determine acceptable risk when cloud-native environments present so many new challenges? The panel considered:

  • Aren’t containers magically secure? 
  • Why are attacks against containers so hard to spot?
  • How are serverless computing frameworks vulnerable?
  • Is cryptojacking more than a nuisance crime?
  • Are we facing a software supply chain crisis?
  • How do we proceed when authentication and authorization are disabled by default?

DevOps teams want to move fast. Security wants to protect business assets without creating a bottleneck. And it’s not an “us vs. you” situation—it’s a balance.

Finding the Balance

Security and DevOps are on the same team and have the same goal. Both are just trying to do what’s best for the organization. So how do teams avoid resentment, with security grumbling about misconfigurations, and developers begrudging requests to scan their code? 

“Partner with those engineering teams. Spend time understanding what they're working on. What are their pain points? Help them do their thing better so that they also want to partner with you.” -Scott Gerlach

Finding that balance comes down to shifting left with security—moving security earlier in the development process. And there are three core things that security teams must do:

  • Sit with DevOps and understand their needs. Embedding security teams with DevOps can help make engineers and developers more security-aware. It can also help security figure out what DevOps is doing, the technologies they’re trying to use, and the problems they’re trying to solve. Working as a team can help everyone move faster.
  • Communicate the value of security. Security teams should ensure that developers are only dealing with security issues that actually matter for the business. Set clear priorities, and don’t bombard them with unnecessary tasks.
  • Empower DevOps to be more security-aware. Figure out ways to simplify how DevOps can incorporate security earlier in the process. Integrate security tools within the pipeline to scan automatically. Help them choose better open-source components before they start writing code. Simplify their lives by making security an incremental process.

Observability & Security 

Observability plays an important part in a DevOps workflow and can be extended to security as well. Girish Bhatt defines “security observability as a continuum of what we traditionally used to call monitoring and troubleshooting.” 

Security observability serves two purposes: improving business outcomes and delivering products in a secure and timely way. In order to meet these challenges, security teams must:

  • Pare down and centralize observability tools.
  • Synthesize generated events into actionable intelligence.
  • Simplify irregular signals into human-readable language. 
  • Create an enriched record for SIEM tools.

“How do you standardize … an event across [all the signals, tools, and infrastructure]? That’s definitely some undiscovered country.” -Justin McCarthy

Final Thoughts

The panelists wrapped up with advice to anyone working in cloud security: form a partnership with developers, offer simple incremental improvements, and most importantly … try to make it fun.

Did you miss the panel? You can check out the replay below or on YouTube. And don’t forget: if you need modern tech to help you manage all things cloud and infrastructure access, StrongDM has a great demo for you.

About the Author

, Contributing Writer and Illustrator, has a passion for helping people bring their ideas to life through web and book illustration, writing, and animation. In recent years, her work has focused on researching the context and differentiation of technical products and relaying that understanding through appealing and vibrant language and images. She holds a B.A. in Philosophy from the University of California, Berkeley. To contact Maile, visit her on LinkedIn.
