Cloud native architectures require a new approach to security. The cloud native stack doesn’t communicate in the predictable and tightly coupled way that stratified frontend, middleware and backend layers provide. Applications composed of microservices and serverless functions are loosely coupled pieces of code talking to each other in unique, asynchronous ways — and there are exponentially more of them.
“It’s an explosion of complexity,” said Sonya Koptyev, director of evangelism at Twistlock, in this podcast interview at KubeCon and CloudNativeCon last month in Seattle.
When managing such complex environments, it can be difficult for operations and security teams to even know which services developers have running on various cloud providers, let alone to identify and remediate a critical vulnerability such as the recent, major privilege escalation vulnerability in Kubernetes that, if left unpatched, allows attackers to take over entire compute nodes.
“Once [companies] get past that couple of hundred employee mark they have all sorts of services they’re running that the security team doesn’t know about, and with that you introduce all sorts of vulnerabilities and threats into the environment,” Koptyev said. “The security team can’t secure them because they don’t know about them.”
Watch on YouTube: https://youtu.be/4aQ1KJE6Lrs