The cloud-native application landscape is undergoing a series of innovations as new cloud trends emerge. But what are the main security challenges in cloud-native?
This was the subject of a webinar that took place on August 18th, when Magno Logan, information specialist at Trend Micro, and Wagner Elias, CEO at Conviso, had a chance to chat about cloud-native applications.
We have listed some of the main topics raised during the conversation.
After all, what is Cloud Native?
Magno and Wagner started the chat by talking about the different attributes that the market gives to the term cloud-native. “Nowadays I see two different definitions – the concept of cloud-native created by the Cloud Native Computing Foundation itself – which would be microservices, observability, API by default. And there’s the second concept, much discussed by vendors, who address every service offered by the cloud provider as cloud native – and I don’t really like this definition because it’s more sales-oriented”, says Magno.
The Cloud Native Computing Foundation (CNCF) that Magno refers to is an open-source foundation and a subsidiary of the Linux Foundation. It defines cloud-native as the use of open source software, together with technologies such as containers, microservices, and service mesh, to develop and deploy scalable applications on cloud computing platforms.
“Some concepts are too important to be neglected,” stated Wagner. “When we talk about a cloud-native application, we are talking about architectural concepts that change, and consequently, security also changes”.
Containers and container orchestration
Another topic covered during the webinar was containers and container orchestration – which, according to the speakers, are among the first associations many people make when the topic is cloud-native.
“Containers came to solve a problem we had in the development part of application deployment – library dependencies, and the issue of resource management consumption on the server – people used to overestimate resources and didn’t use everything, so a lot of money was lost because one single application was running on the server. Now with containers, it’s possible to run several separate, isolated applications, each with its libraries,” said Magno.
Then Docker came along to make it all easier. But how do you manage it when it grows too big and reaches hundreds of containers?
According to Magno and Wagner, this is where we come to container orchestrators, with Kubernetes being the best known on the market. It is a living system that controls and manages your applications.
However, it is worth noting that although Docker and its containers became popular in 2013, the technology is not exactly new. The original concept of a container has been present in operating systems since 1970, when developers of UNIX systems imagined a way to isolate critical code in these operating systems. This allowed developers to test their code in isolation, almost like a sandbox. We talk more about this in this article on container security – be sure to check it out!
When it comes to cloud-native, what is the developer’s role?
Another point raised by Wagner and Magno during the conversation was the role of the development professional in this process.
“I usually say that the security model that we used to adopt, where there is a validation gateway – whether with tests or automated tools to do source code analysis – is, yes, important, but it doesn’t solve the whole problem. Because today the dev can manage the entire programming ecosystem.”
According to the expert, today the programmer can build the environment in which the application will run, provision the cloud services, and distribute them within Kubernetes. In other words, the way we work has completely changed, with more autonomy for the developer.
A trend pointed out by the experts is that skills usually attributed to areas such as QA and AppSec will be increasingly absorbed by developers.