DevOps Cloud Security Challenges for a Modern Environment

81% of organizations say that cloud security is their top challenge in 2021, more of a problem than they find managing cloud spend, the growing lack of resources or staying on top of compliance or governance.

The truth is, many of these issues are interrelated, as a misconfigured Kubernetes cluster can add unnecessary costs, a cloud data breach can risk compliance, and without a smart cloud set up – it’s easy to see how resources can be misappropriated to manual and repetitive tasks when they could be freed up to add value elsewhere. Bottom line? It all comes back to security. Rather than think about C-suite challenges – which often come down to dollars, cents and ROI, let’s start from the other side of the equation. What problems are DevOps teams facing when it comes to securing a cloud-native environment?

Kubernetes Complexities

According to a recent D2IQ report, 94% of people feel Kubernetes is a source of pain and complexity in the organization. When you break down the respondents by group, just 56% of IT decision-makers notice the challenges of k8s, while this number jumps to 78% when you only speak to developers. It’s clear that the DevOps teams on the front lines are the ones who are struggling with Kubernetes, while IT decision-makers are more likely to benefit from proving added portability and flexibility and less vendor-lock in.

But, hey – shouldn’t Kubernetes work for DevOps too? Increasing productivity and making managing the cloud more efficient and streamlined are widely cited benefits of the orchestration platform. It’s true that when implemented with best practices, K8s can provide dynamic scaling, auto-healing capabilities and native load balancing to name just a few.

However, Kubernetes is a uniquely complex cloud security environment. On the infrastructure side there is no real separation between the control plane and the data plane, and on the network side – authentication and authorization needs require deep insight into setting up Role Based Access Control measures.

 

Alert Fatigue from the Pace of Change

61% of today’s CIOs say that their IT environment changes every minute. The days of relying on manual effort are long behind us – the cloud is dynamic and therefore your security needs to be the same. Most security tools rely on notifications and alerts that present a dashboard of issues to solve, but especially when organizations need to rely on dozens of disparate security tools, these can quickly run into the thousands, sometimes even hundreds of thousands of alerts. As a result, more than 30% of IT security professionals simply ignore the alerts that are coming in.

Do you need it spelling out? Alert-based systems simply don’t work in such a fast-moving environment. Alerts don’t necessarily reflect real-world risk, for example a public S3 bucket may not contain sensitive information, and one that’s considered private and therefore doesn’t trigger an alert could actually be accessible through a seemingly unconnected issue such as a compromised developer workstation, or cloud security credentials that have been left in a public GitHub repository.

With these complexities, DevOps are struggling. They have hundreds or thousands of alerts that don’t equate with real risk, and at the same time, they have blind spots where the real attack paths aren’t being highlighted by the plethora of alerts.

Shifting Left in a Meaningful Way

Say the words “shift left” to the average developer and you might find yourself met with an eye roll. What started as a powerful approach to improve quality and security by moving security elements such as testing, code reviews and analysis, validations and assessments earlier in the DevOps process has lost some of its sheen. Some of the challenges with adoption include:

Changing the culture: Change is hard! Often when shift left doesn’t stick, it comes down to “this is how we’ve always done things”. Developers need to feel that this is not just a new approach, but inherently a better one too.  

Adding work for developers: Your software development team is already rammed – fact. Many DevOps teams may have a misapprehension that shift left means “shift more work onto us” to help those later in the cycle.

Focusing on speed: A focus on checking security off the to-do list can result in skipped steps or lack of effort put in at this critical time. Security needs to be in-depth as well as early, or you’ve missed the point.

Disrupting workflows: Your development team has a good thing going on, and they know how to achieve results. Any shift left initiatives need to fit seamlessly into their process – or they’ll just find a workaround.

Security that Suits DevOps, Not the Other Way Around

Understanding the challenges of a cloud security environment for your DevOps teams allows you to incorporate security in a way that works for those at the build stage – increasing the likelihood that change will stick.

A strong cloud security posture for 2022 means covering the whole cloud environment including Kubernetes, focusing on real-world attack paths that present risk, (rather than relying a slew of disconnected alerts) and providing the automation tools to ‘shift left’ without disrupting DevOps processes – decreasing the workload rather than adding complexity.

Ready to add your unique cloud environment and context to the mix? Start for free

-----------------------------------

About Lightspin

Lightspin’s context-based cloud security empowers cloud and security teams to eliminate risks and maximize productivity by proactively and automatically detecting all security risks, smartly prioritizing the most critical issues, and easily fixing them. For more information, visit https://www.lightspin.io/