Born in The Cloud

Article

Born in The Cloud

By Michael Shetrit, CISSP | CCSP, Manager at Cyber Risk Services Deloitte Israel

In the industry and the media there is a strange saying that "the world is migrating over to the Cloud." This statement is fundamentally wrong! The world has already migrated to the Cloud, and about 90% of organizations in the world and 94% of Enterprise organizations are already using some element of the Cloud. In recent years, the Cloud services market has grown at an average rate of 29% annually. The technology research company, Gartner, has estimated that the Cloud market was valued at $25 billion in 2010 and $490 billion in 2022. It is expected that the market size will reach $592 billion in 2023 and cross the threshold of a trillion dollars in 2028! This enormous growth is driven by a process of "the maturation of the Cloud" and an increasing number of organizations that are transferring additional applications and services to the Cloud (technological updating and modernization processes) and that are developing new applications that work only in the Cloud. The growing use of the Cloud is occurring concurrently with evolving economic patterns and the adoption of "service" models for consuming information technologies, in contrast to the old "ownership" model, where organizations purchased and managed hardware and software licenses, storage infrastructure, communication and services. toCloud providers are establishing new Regions, expanding communication infrastructure, and increasing storage and computerization volume capacity in existing Data Centers to meet the growing demand for cloud services.

In the early days of the Cloud, pioneering organizations migrated applications from local data centers (On-Premises) to the Cloud, using a method known as "Lift and Shift," according to which the applications were moved without almost any change in code and configuration. A fast, simple “Lift and Shift” with no need to retrain the IT and operation teams. The accompanying disadvantages were that even though the application had changed "address," it carried over the same limitations and constraints to the Cloud as were on the On-Premises, only with a higher price tag. The Cloud has built-in advantages, such as the automation of processes and tasks, rapid lunch and shutdown of applications and services, efficient use of resources and usage models, and flexible payment, based on actual consumption.

In recent years, a genuine revolution is taking place, which   changes orders and working routines and fundamentally affecting the way organizations develop applications and services in the Cloud. This revolution is called Cloud-Native Application (CNA). So, what is so revolutionary about CNA? A moment of history. In the "old world", the development of organizational applications was a field ventured into only by highly skilled professionals, involving long planning and development processes, complex methods (such as Waterfall and Spiral), which often did not achieve the project's goals, resulted in significant deviations in schedules and costs, infrequent version updates, monolithic code (code containing  the most of the application's parts such as front-end, back-end and configuration), and limited flexibility in the face of ever-changing business demands.

On the other hand, a typical Cloud-Native Application is comprised of a collection of services such as identity management and authentication (this service is often found on another Cloud or On-Premise), massive use of open code libraries, micro-services, from code pieces that run "serverless" and code packaged in containers, (application packaging model "in an isolated container" together with configuration files and dependencies) and  everything connected "in low coupling" using APIs. The application has no defined physical location and may be dispersed across multiple data centers and clouds. CNA applications run in public, private or hybrid Clouds and are designed to take full advantage of the Cloud’s benefits, along with rapid distribution and updating processes. The  leading development methods in CNA are Agile and SCRUM, which advocate  flexibility in all product phases, short development cycles focused on achieving defined goals (known as Sprints) and very frequent updates. How frequent? As many as necessary, sometimes several times a day! thanks to orchestration and automation abilities for launching, removing, and replacing pieces of code and services. This decentralizes application architecture, has created resiliency in a way that was not possible using traditional environments. (The full definition of CNCF Cloud Native Definition v1.0 – can be found in the list of links, including in Hebrew).

However, in addition to the many advantages we have listed, there is great complexity, along with risks to information security. The CNA application has no clear boundaries, and risks are scattered in all components of the application, the source code, configuration settings, diverse services, open-source libraries, Kubernetes infrastructures and the configuration settings of Cloud accounts. In June 2021, OWASP (Open Web Application Security Project) published a new category: OWASP Cloud-Native Application Security Top 10, noting the ten common information security weaknesses in CNAs. OWASP supports about 200 projects (the most famous of which are Top 10, such as Web Application, API (Application Programming Interface)). The lion’s share of security weaknesses are "inherited" to applications from open source libraries, which are used. Some weaknesses are a result of unsecured configuration of services, and poor development and implementation practices. A pronounced shortage of information security professionals is felt here, especially considering gaps in understanding, and working in multiple Cloud environments, lack of knowledge in current development processes, architecture, and operation of information systems in the Cloud. As always, the gap was identified early enough by startups that offer tools and visibility to deal with the challenges, and companies such as Oxeye and Aqua Security offer tools and solutions based on the diverse stages in the product's life cycle. In complex environments like CNA, there is a need for a thorough view that refers to secure development processes (SSDLC), writing, auditing, and integration of development processes in a comprehensive manner (Secure by Design), tight management of information assets and the supply chain in the various services and open source libraries (an Excel sheet will not work here), penetration testing, integration of automatic and manual testing tools throughout the product’s life cycle and a profound understanding of the Shared Responsibility Model between the Cloud provider and the customer, for each of the services comprising the application.

So Where Do We Begin?

By studying and understanding all components of the subject matter. The Cloud Native Computing Foundation (CNCF) website founded by The Linux Foundation is a good place to start, to understand the basics and to formulate an overall perception. After that, one requires a series of actions that includes training for development teams and adoption of SSDLC and Security by Design methodology in a way that is appropriate for the organization and the development technologies, consultation with experts on the review and recognition of risks that exist in all application components and developing an overall protection concept.

Israel on the Map

Israel is a kind of superpower in the world of Native Application Security, and together with an impressive number of startups developing solutions and tools, there exists knowledge and experts on the subject. Note the list of Leaders in the OWASP Cloud-Native Application Security Top 10 link. At the same time, Israel is less prominent in the modernization of applications and adoption of the Cloud as a strategic move, among traditional organizations.

Did you find this useful?