It’s a sure bet that containers and microservices will become new security vulnerabilities for cloud-native applications without discussions about best practices and standards.

In doing postmortems on breaches of applications and data sets in the cloud, problems are often traced back to communication. Frequently, the issue is not computer-to-computer communication but communication between the humans designing the cloud-based systems and those who are charged with their security.

Applications using modern mechanisms such as containers, Kubernetes, and microservices often expose security vulnerabilities that go unnoticed. The analogy I like to use is that architects are designing the best smart building known to the world but not installing locks. The locks need to be engineered into the building during the design and not be an afterthought, as they often are in the world of cloud system security.

The essence of this problem is a lack of best practices and standards that the people engineering these cloud-native solutions can depend on. We’re beginning to see some guidance emerge that allows both the architecture and security teams to better coordinate around standards and best practices.

An example of emerging best practices and standards would be the ones developed by the Application Containers and Microservices Working Group of the Cloud Security Alliance. They give application developers and architects, as well as anyone responsible for application containers and microservices security, a repeatable approach to designing, developing, and deploying a microservices architecture pattern.

In short, this set of guidance tells you how to have a microservice operate independently and communicate with other microservices. Microservices have evolved to become a common application component of net-new cloud-based systems.
Of course, application components should not become attack vectors for some hacker who has found out how to exploit microservices.

Design meets security

The idea here is to have close coordination between those who are designing and building cloud-native applications (with or without microservices) and those who are responsible for security. Much of this has fallen away from IT culture as security teams feel blindsided by the adoption of new technology, such as microservices. At the same time, development teams feel the pressure to come up with more innovative and valuable uses of cloud-native technology in support of the business.

We need to do both. Create a culture of tight coordination and communication between the cloud architecture and cloud security teams. Encourage the use of standards and best practices for architecture and security. Promote ongoing, continuous improvement of both cloud-native architecture and best-of-breed security practices and technology.

Pretty simple if you ask me. I suspect I’ll be breaking up fights between the application and security teams for the next few years, though. You guys need to help me out.