The real value of continuous security scanning for cloud-based workloads
These days cloud application developers are also security engineers. Who did not see this coming, given that application-level security is no longer an option? Also, we are pushing developers to build applications at scale, meaning they are becoming ops engineers and database engineers as well as security engineers, which is scary.
The fact that most developers are not security experts is not lost on me. This has led to devsecops practices where developers are given training, tools, and processes to build and deploy more secure cloud-based applications. Of course, anyone who has attempted to implement that kind of cultural change has found that it can’t be done in weeks. It takes months and sometimes years.
[ Also on InfoWorld: No one wants to manage Kubernetes anymore ]
Emerging concepts out there may help things along. Cloud-native application protection (CNAP) platforms can continuously scan workloads and configurations to find and resolve security issues. They do this during application development, application testing, and application deployment.
CNAP, at its core, aggregates two types of security platforms. The first is cloud security posture management (CSPM) platforms, which development organizations already employ to find surface misconfigurations and other vulnerabilities. The second is cloud workload protection platforms (CWPP), which use agent software to protect workloads.
CNAP security policies are applied to any workload centrally. This includes microservices-based applications, container-based ones, or legacy applications, which are all in redevelopment or development these days.
Centralized security processes make use of agent software to enforce predefined security policies. Moreover, they continuously scan applications and application environments for security concerns that fall outside of set policies. These policies typically are not defined by the developers but by the core enterprise security team.
What does all this mean? More simply put, this is continuous scanning for security issues using centralized policies that are directly related to both security and governance. A continuous security scan might identify APIs that remain open but should be closed for security reasons, for example. Or encryption that is not being carried out when data is moving from applications to databases.
Usually, small things can lead to big problems.
It’s well understood that the faster you build and deploy applications, the larger the attack surface they typically have. Continuous security scanning should allow you to still crank out cloud-based applications yet remain secure—at least, secure in terms of how the policies are set.
My advice is to look at this technology if you’re doing cloud-based development and want to do it at speed. In these days of the post-pandemic rush to cloud platforms, this may be something you’re overlooking or have yet to understand the associated risk.
I’m never impressed by acronyms (CSPM, CNAP, etc.) that appear on the scene. They are typically built on existing well-understood concepts, and these are no different. I am, however, always willing to leverage a good idea no matter what it’s called. Policy-based security scanning is a reality and your development team should consider it.