Cloud Native: Security By Design and Measuring Value
Inspiration
Two and a half years ago (time flies!) I worked on a presentation on cloud native security for one of my final interviews with Aqua Security, and I guess it went well: I was hired! My boss Benjy Portnoy⛵ must have been in a good mood that day ;-)
I recently looked at my slide deck for some inspiration and it worked! Feel free to have a sneak peek at the original slide deck I prepared back then.
To put things in perspective, cloud-native application development is one of the fastest-growing trends in tech today, with Gartner and IDC forecasting that 90-95% of apps will be cloud-native by 2025.
This article discusses how to apply cloud-native security by design and how to measure the business value it delivers, but let's start with the basics first.
What is cloud native?
A picture is worth a thousand words :-)
How much time did you spend crimping ethernet cables or visiting local data centers over the last 5-7 years instead of building applications at scale with real value for your customers?
It's not about whether apps are built and delivered on a public, private or hybrid cloud; it's about how they're built and deployed. Cloud-native applications use technologies such as containers, microservices and APIs to scale horizontally rather than vertically, and this benefits the business as a whole.
Why security by design?
The 'rubber hammer' story from Simon Sinek offers a good analogy for answering the question 'why security by design?' (I used hammer instead of mallet):
“A group of American car executives went to Japan to see a Japanese assembly line. At the end of the line, the doors were put on the hinges, the same as in America. But something was missing. In the United States, a line worker would take a rubber mallet and tap the edges of the door to ensure that it fit perfectly. In Japan, that job didn’t seem to exist. Confused, the American auto executives asked at what point they made sure the door fit perfectly. Their Japanese guide looked at them and smiled sheepishly. “We make sure it fits when we design it.” In the Japanese auto plant, they didn’t examine the problem and accumulate data to figure out the best solution—they engineered the outcome they wanted from the beginning. If they didn’t achieve their desired outcome, they understood it was because of a decision they made at the start of the process.”
By implementing security by design, the risk of breaches is drastically reduced (lowering potential customer churn and brand damage), developers are empowered to do what they love most, such as developing applications and creating fast customer feedback loops (improving time to market and increasing revenue), and security teams are able to implement security controls and guidelines in less time (saving time and cost).
In my view, security should not only be implemented by design because it makes sense from a technical perspective, but because it is directly tied to your business goals.
What does cloud-native security look like?
You got it! Security should be part of every cloud-native step in your organisation. How? By shifting security to the left! You may have been living in a bunker for the last 5-7 years if you haven't heard about shift left or DevSecOps in the cloud-native space.
If we do the same thing at least twice, we need to find a way to make it repeatable. Developers love automating everything as code throughout the Software Development Life Cycle (SDLC) to make the most of their time, and that includes security.
This is the same concept as a supply chain in the product manufacturing industry: everything is carefully automated step by step to achieve high productivity while avoiding costly mistakes and gaps in the chain for the company.
The Cloud Native Application Protection Platform (CNAPP)
With the economic constraints increasing over the next 12-18 months, there will be even more pressure for CISOs to quantify the value of their toolsets and increase ROI on their security spend.
So, you may be wondering: is there any platform that consolidates most cloud-native security capabilities and stays at the cutting edge of technology?
The answer is yes: the Cloud Native Application Protection Platform (CNAPP), a category defined by Gartner. Aqua Security has been recognised as a representative vendor in Gartner's market guide for cloud-native application protection platforms (CNAPP).
I recommend reading the Smart Bears Buy Platform article by Christopher Smith for an overview of the growth of the Cloud Native Application Protection Platform (CNAPP) market and how Aqua Security's CNAPP is gaining traction among large companies.
How do you measure the value of cloud-native security deployment?
Measuring cloud-native security success has to start by mapping back to the business's cloud goals, full stop.
I have been involved in many conversations where CEOs, CTOs and CISOs have asked me to explain how they can measure the success of the value delivered by security.
The answer to this question depends on the kind of organisation you are in and its age. Assuming you have a functional and effective security team and have established a baseline by following your own framework or any framework or set of best practices from the market, e.g. CIS or NIST, you should be asking yourself the following questions:
What does 'value' mean for your organisation?
What is important for your business to succeed, grow and thrive?
As an example, a high-level business objective could be:
Time to Market - I would like to deliver faster to increase my revenue
The following table is one small example of mapping low-level security metrics to a high-level business objective (time to market):
Those low-level technical metrics should be defined as part of your cloud strategy. You should align your cloud strategy to fit your business goals.
You’re not likely to report such low-level metrics to a board, but there’s a way to bubble them up to those higher-level business goals.
Most companies have common business goals, some of which are listed below:
Unfortunately, many organisations are struggling with the basics and are not able to start mapping back to business goals.
How to approach the challenge?
A good starting point is to meet minimum baselines, go back to something like the 18 CIS Critical Security Controls, NIST cybersecurity framework or your own framework. How well are you doing those? Once you are doing those well or making progress in that direction, then you will know how you are securing your organisation. From there, you can start to move on to advanced things, such as mapping low-level metrics to your cloud strategy and business goals to measure success.
Totally agree Andres 💯 Security is becoming core to the success of every business, allowing companies to innovate and drive growth faster than ever, yet do it in a safe and sustainable manner. Thanks for raising such an important topic - I particularly liked the Japanese example you used 🙂 PS from what I can tell Benjy’s mood is always excellent 😄