
Embracing the New Mindset of Cloud-Native Security


What is a “mindset of cloud-native security”? 🤔 That’s a great question. That’s why Justin McCarthy, CTO and co-founder of StrongDM, recently sat down with Mike Vizard at Container Journal and a panel of technology experts to discuss just that—and how to implement it without creating friction.

The full panel included:

So, what makes cloud-native security different? Here’s the recap: 

Developers Don’t Want to be Security Experts

Security has become a moving target, especially at a time when developers have gained the power to implement, scale, and change infrastructure at will. And as applications and services have become more distributed, visibility has become a challenge as well. 

That’s why cloud-native security is a mindset problem. How do you blend security awareness into the development process? Security must shift from the old-school method of ultimate control to empowering teams to make security-informed choices.

Before the cloud, there was a clear separation between the person who wrote the code and the person who worked on the network. That specialization of skills forced a necessary conversation about “should we versus could we” when it comes to development and security. But with the cloud, those conversations are no longer built-in and can no longer be assumed. On top of that, developers don’t want to be security experts. 

The result? The security professional’s role has evolved and now must integrate actionable security steps into the developers’ workflow in a way that doesn’t bog them down.

Mo’ Technologies, Mo’ Problems

“It's hard for us to learn because our job is hard.”  -Scott Gerlach, co-founder and CSO, StackHawk

One of the hardest challenges for security teams is the perpetual cycle of new technologies being added, which can leave them trailing behind. In a world with Kubernetes, containers, and serverless computing, where new frameworks emerge all the time, how can security keep up? 

Since this speed of growth is inevitable, learning to partner with DevOps has become critical, and security professionals must learn to be comfortable being uncomfortable. Again, it comes down to mindset. You’ve got to spread security tasks into the organization. Developers need tools to help them make better security decisions—without slowing them down.

Analysis Paralysis and Acceptable Risk

“You want to feel productive with your work. And one thing that can feel pretty unproductive is interminable analysis paralysis … At some point, you need a way to halt the debate and say, we’ve made some decisions … let's move forward.”  -Justin McCarthy, CTO and co-founder, StrongDM

How do you determine acceptable risk when cloud-native environments present so many new challenges? The panel considered:

  • Aren’t containers magically secure? 
  • Why are attacks against containers so hard to spot?
  • How are serverless computing frameworks vulnerable?
  • Is cryptojacking more than a nuisance crime?
  • Are we facing a software supply chain crisis?
  • How do we proceed when authentication and authorization are disabled by default?

DevOps teams want to move fast. Security wants to protect business assets without creating a bottleneck. And it’s not an “us vs. you” situation; it’s a balance.

Finding the Balance

Security and DevOps are on the same team and have the same goal. Both are just trying to do what’s best for the organization. So how do teams avoid resentment, with security grumbling about misconfigurations, and developers begrudging requests to scan their code? 

“Partner with those engineering teams. Spend time understanding what they're working on. What are their pain points? Help them do their thing better so that they also want to partner with you.” -Scott Gerlach

Finding that balance comes down to shifting left with security—moving security earlier in the development process. And there are three core things that security teams must do:

  • Sit with DevOps and understand their needs. Embedding security teams with DevOps can help make engineers and developers more security-aware. It can also help security figure out what DevOps is doing, the technologies they’re trying to use, and the problems they’re trying to solve. Working as a team can help everyone move faster.
  • Communicate the value of security. Security teams should ensure that developers are only dealing with security issues that actually matter for the business. Set clear priorities, and don’t bombard them with unnecessary tasks.
  • Empower DevOps to be more security-aware. Figure out ways to simplify how DevOps can incorporate security earlier in the process. Integrate security tools within the pipeline to scan automatically. Help them choose better open-source components before they start writing code. Simplify their lives by making security an incremental process.

Observability & Security 

Observability plays an important part in a DevOps workflow and can be extended to security as well. Girish Bhatt defines “security observability as a continuum of what we traditionally used to call monitoring and troubleshooting.” 

Security observability serves two purposes: improving business outcomes and delivering products in a secure and timely way. In order to meet these challenges, security teams must:

  • Pare down and centralize observability tools.
  • Synthesize generated events into actionable intelligence.
  • Simplify irregular signals into human-readable language.
  • Create an enriched record for SIEM tools.

“How do you standardize … an event across [all the signals, tools, and infrastructure]? That’s definitely some undiscovered country.” -Justin McCarthy

Final Thoughts

The panelists wrapped up with advice to anyone working in cloud security: form a partnership with developers, offer simple incremental improvements, and most importantly … try to make it fun.

Did you miss the panel? You can check out the replay below or on YouTube. And don’t forget: if you need modern tech to help you manage all things cloud and infrastructure access, StrongDM has a great demo for you.


About the Author

, Contributing Writer and Illustrator, has a passion for helping people bring their ideas to life through web and book illustration, writing, and animation. In recent years, her work has focused on researching the context and differentiation of technical products and relaying that understanding through appealing and vibrant language and images. She holds a B.A. in Philosophy from the University of California, Berkeley. To contact Maile, visit her on LinkedIn.
