Why speed is the key to cloud-native security.
Have you ever been zipping down the 101 when you come up on a car doing 35 mph or so? There’s a good chance they’re going so slow because they want to stay safe. It sounds like a reasonable approach. The slower I go the safer I’ll be. Except that’s wrong. A slow driver on the highway causes the rest of us to hit the breaks and swerve, increasing the chances of an accident. It might be counterintuitive, but it’s true: In order to stay safe on the highway, you need to keep your speed up.
There’s a similar phenomenon happening with cybersecurity. An increasing number of Fortune 500 enterprises have or are in the process of adopting modern, cloud-native practices like Agile and DevOps in order to build and release software faster so they can better respond to customer demand and stay a step ahead of the competition. But many of these same enterprises approach security the same way our driver approaches safety on the highway: by going slowly.
Taking a slow and steady approach to security makes intuitive sense. Let’s not do anything rash that may make us vulnerable to attack. But the slow and steady approach doesn’t work in a world where there are more users interacting with systems than ever before, where applications are created and updated daily or hourly, and where attacks against corporate networks are essentially continuous. A new report, created jointly by Thales eSecurity and 451 Research, puts it this way:
“This year we found that organizations are dealing with massive change as a result of digital transformation, but this change is creating new attack surfaces and new risks … “But while times have changed, security strategies have not … If security strategies aren’t equally as dynamic in this fast-changing threat environment, the rate of breaches will continue to increase.”
In fact, in order to improve security in cloud-native environments, enterprises need to speed up. When it comes to your infrastructure and applications, speed doesn’t kill. Speed secures.
But what does that actually look like? Justin Smith, Chief Security Officer for Product at Pivotal, boils it down to what he calls the Three R’s: Rotate, Repave, Repair. Let’s break these down.
The Three R’s
By rotate, Justin means rotating datacenter credentials every few hours. Speaking at SpringOne Platform, Justin pointed to the 2016 SWIFT data breach, in which hackers broke into the Bangladesh central bank’s network and swiped over $80 million using stolen credentials. By frequently rotating datacenter credentials, so that each is only valid for a short period of time, stolen or leaked credentials soon become useless to hackers.
But no one tactic is enough. Even though rotating credentials frequently reduces the likelihood of a network breach, some will still succeed. That’s where repaving comes in. This refers to repaving each and every server and application in your environment from a known good state multiple times a day. Everytime you repave a server, the slate is wiped clean and everything on that server — including malware — is swept away. This effectively shortens the window of time an attacker has to act if he or she manages to get into the network in the first place.
Finally, repair means to apply security patches to operating systems as soon as possible after they are made available. The longer the time between patching, the longer the time hackers have to take advantage of existing OS vulnerabilities.
Automation, Automation, Automation
The three R’s are great, you’re thinking, but how can I possibly keep up this pace? My infrastructure team is stretched thin as it is and can’t possible rotate, repave and repair this quickly, day in and day out. And that’s true in traditional infrastructure environments. But if you’re using a secure, modern platform, such as Pivotal Cloud Foundry, it can be done. The key? Automation.
Consider the case of CSAA Insurance Group. The company is the insurance arm of AAA, offering car, home and other types of insurance to millions of AAA members. Prior to adopting Pivotal Cloud Foundry, the company typically applied patches on a quarterly basis, according to Kyle Campos, Technology Operations Manager for CSAA’s digital services organization.
How frequently does CSAA apply patches now that its running Pivotal Cloud Foundry? “Now we do that at least once a week,” Campos said, speaking at Cloud Foundry Summit in Basel, Switzerland last fall. “We just recently, with help from Pivotal, got our repaved pipelines down and continuous delivery for minor versions of PCF. We rotate every day and we have minor dot releases come out once every week.”
CSAA can repair its platform because Pivotal patches critical vulnerabilities found anywhere in the platform — from the operating system and middleware to specific Cloud Foundry components — within 48 hours of a fix becoming available. Operators use Concourse, a continuous integration/continuous delivery system remastered for teams that practice agile development and need to handle complex delivery permutations, to set up pipelines that detect and apply patches to their PCF foundations automatically, usually with zero downtime. Pivotal Cloud Foundry similarly automates the repave and rotate processes.
So even though it may sound counterintuitive, remember, speed — and automation — is the key to robust security. To learn more about the Three R’s, check out this on-demand webinar with my Pivotal colleague Kamala Dasika and Zane Lackey from Signal Sciences. Kamala and Zane explore strategies to overcome these and other security challenges unique to cloud-native apps. Stay safe out there!
Change is the only constant, so individuals, institutions, and businesses must be Built to Adapt. At Pivotal, we believe change should be expected, embraced, and incorporated continuously through development and innovation, because good software is never finished.
Hit the Gas to Stay Secure in a Cloud-Native World was originally published in Built to Adapt on Medium, where people are continuing the conversation by highlighting and responding to this story.
About the AuthorFollow on Twitter Follow on Linkedin More Content by Jeff Kelly