Cloud native is, in many ways, a victim of its own success, and problems like workload identification are becoming more and more common, in part due to the enormous scale of the space.
Workload identity, the process of understanding which workload can be authenticated, is at the forefront for some. It plays an important role in cloud-native environments and is an increasingly complex problem, according to Kevin Bocek, chief innovation officer at Venafi.
Speaking at KubeCon 2024 in Paris, Bocek said the rapid growth of the cloud-native space is creating problems for security teams, as threat actors have increased their attacks on this domain in a bid to capitalize on potential hotspots.
“The cloud-native tsunami is making workload identity the focus of both security teams and adversaries. Knowing which workload can be authenticated is becoming more difficult with more clouds, more clusters, and more microservices,” Bocek said.
Sitaram Iyer, senior director of cloud native solutions at Venafi, expanded on the topic in a conversation with ITPro, drawing attention to the implications of the increasingly popular and therefore increasingly complex cloud native landscape.
While a more traditional world may give security teams the ability to make direct demands on developers, Iyer said, that “doesn't quite work” in the cloud-native space due to the variety of vendors and cloud-native technologies.
“There is nothing unique about cloud-native technology… And eventually you realize that [you have] many different groups, using their own best practices that they believe are best practices. There is no standardization on how an app is deployed,” Iyer said.
This problem has prompted the development of a number of techniques and tools dedicated to optimizing and strengthening identity protections in cloud-native architectures, Iyer added.
Developers across the community are turning to SPIFFE, the secure production identity framework for everyone. It is a set of open source standards specifically designed to allow developers to securely identify software.
With SPIFFE, developers can authenticate workload identities in a more reliable and efficient way.
This is particularly important given the rise of multi-cloud environments, Iyer noted. As organizations are rapidly shifting to a multi-cloud approach, this creates additional security considerations and means that identity management of workloads across these domains is an attractive offering.
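The SPIFFE identifier is the unit that workload authentication described above is built on: a `spiffe://` URI naming a trust domain and a path. The following Python is an added illustration, not code from the article, from Venafi or from the SPIFFE project; the validation rules it encodes (lowercase trust domain, no query, fragment or dot segments, 2048-byte limit) are the author's reading of the SPIFFE-ID format and are an assumption of this example, as are the sample IDs and the allow-list policy.

```python
"""Validate SPIFFE IDs and apply a trust-domain-aware allow list.

Added illustration, not code from the article or the SPIFFE project. The
format rules below are this example's assumption about the SPIFFE-ID spec.
"""
import re
from typing import NamedTuple, Sequence

_TRUST_DOMAIN_RE = re.compile(r"[a-z0-9._-]+")   # trust domains are lowercase
_PATH_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")  # no percent-encoding, no '@', no ':'
MAX_ID_BYTES = 2048


class SpiffeID(NamedTuple):
    trust_domain: str
    path: str  # "" for a trust-domain-only ID, otherwise begins with "/"


def parse_spiffe_id(raw: str) -> SpiffeID:
    """Parse and validate a SPIFFE ID string; raise ValueError on any defect."""
    if len(raw.encode("utf-8")) > MAX_ID_BYTES:
        raise ValueError("SPIFFE ID exceeds maximum length")
    if not raw.startswith("spiffe://"):
        raise ValueError("scheme must be 'spiffe'")
    rest = raw[len("spiffe://"):]
    if "?" in rest or "#" in rest:
        raise ValueError("query and fragment components are not allowed")
    trust_domain, sep, path = rest.partition("/")
    if not trust_domain or not _TRUST_DOMAIN_RE.fullmatch(trust_domain):
        raise ValueError("invalid trust domain")
    if sep:
        if path == "":
            raise ValueError("trailing slash is not allowed")
        for seg in path.split("/"):
            # '', '.' and '..' would let a caller alias or traverse paths
            if seg in ("", ".", ".."):
                raise ValueError("empty or dot path segment")
            if not _PATH_SEGMENT_RE.fullmatch(seg):
                raise ValueError(f"invalid character in path segment {seg!r}")
        path = "/" + path
    return SpiffeID(trust_domain, path)


class Policy(NamedTuple):
    trust_domain: str
    path_prefix: str  # ID path must equal this, or start with it plus "/"


# Constructed policy: only production API service accounts in example.org.
POLICIES = [Policy("example.org", "/ns/prod/sa/api")]


def is_authorized(raw_id: str, policies: Sequence[Policy]) -> bool:
    """True only if the ID parses and matches a policy in the same trust domain."""
    try:
        sid = parse_spiffe_id(raw_id)
    except ValueError:
        return False  # malformed IDs never match anything
    for p in policies:
        if sid.trust_domain != p.trust_domain:
            continue  # a look-alike path in a foreign trust domain is not the same workload
        # segment-aware prefix match: "/ns/prod" must not match "/ns/production"
        if sid.path == p.path_prefix or sid.path.startswith(p.path_prefix + "/"):
            return True
    return False


if __name__ == "__main__":
    for candidate in (
        "spiffe://example.org/ns/prod/sa/api",        # constructed: expected to pass
        "spiffe://example.org/ns/production/sa/api",  # constructed: prefix look-alike
        "spiffe://other.example/ns/prod/sa/api",      # constructed: foreign trust domain
        "spiffe://example.org/ns/prod/sa/../api",     # constructed: dot segment
    ):
        print(candidate, "->", is_authorized(candidate, POLICIES))
```

The trust-domain check is the part that matters in a multi-cloud deployment: two clusters or clouds run under distinct trust domains, so a path that happens to look identical in another domain is a different workload and must never be matched on path alone.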
Cloud-native security posture is an ongoing concern in the space
Bola Rotibi, head of business research at CCS Insight, told ITPro that cloud native is a complex landscape accompanied by equally complex security issues.
The sheer volume of touchpoints on any particular data or process creates complexity issues, Rotibi said, while it is also important to consider security and user identity fragmentation issues along with workload identity.
“I think there's probably a lot more that needs to be said about safety,” Rotibi said. “What is the security posture within Kubernetes? How do you…address fragmentation issues?”
Security concerns also manifest themselves in the often long and complex supply chains through which cloud-native platforms are connected. Speaking at KubeCon 2024, Joshua Lock, a software engineer at Verizon, took a closer look at the problems created through supply chains.
The software supply chain denotes all the steps necessary to produce a piece of software, steps that manifest as dependencies that, in turn, could become vulnerabilities.
“Most people, when they talk about software supply chain security, really think about how [they can] protect against unwanted modifications of some software,” Lock said.
“We want to prevent anyone from manipulating [the] software in production or, if we can't do that, we would like to know that someone has manipulated [it],” he added.
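The second half of that goal, knowing that something has been manipulated when it could not be prevented, is usually met by recording a digest of every build artifact in a manifest, signing the manifest, and re-checking both at deploy time. The Python below is an added example, not code from the article, from Verizon or from any named project; the artifacts, the manifest layout and the key are constructed here, and HMAC-SHA256 is used as a stand-in for the asymmetric signature a real release pipeline would attach.

```python
"""Detect unwanted modification of build artifacts with a signed digest manifest.

Added illustration, not code from the article. Files, key and manifest format
are constructed for the example; HMAC stands in for a real signature scheme.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample release: artifact path -> bytes as produced by the build.
BUILD_OUTPUT: Dict[str, bytes] = {
    "bin/service": b"\x7fELF-constructed-binary-contents",
    "config/app.yaml": b"listen: :8080\nlog_level: info\n",
}
# Constructed signing key; in practice only the build system would hold it.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a digest for every artifact the build produced."""
    return {name: sha256_hex(files[name]) for name in sorted(files)}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """Sign a canonical JSON encoding so key order cannot alter the signature."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_release(files: Dict[str, bytes], manifest: Dict[str, str],
                   signature: str, key: bytes) -> List[str]:
    """Return findings describing any tampering; an empty list means untouched.

    The signature is checked first: if the manifest itself was rewritten, its
    digests say nothing about the files and comparing them would be misleading.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature invalid: digests cannot be trusted"]
    findings: List[str] = []
    for name in sorted(set(files) | set(manifest)):
        if name not in manifest:
            findings.append(f"unexpected file added: {name}")
        elif name not in files:
            findings.append(f"file missing: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), manifest[name]):
            findings.append(f"file modified: {name}")
    return findings


def demo_tampered_config() -> List[str]:
    """Constructed scenario: a config file is altered after the build signed it."""
    manifest = build_manifest(BUILD_OUTPUT)
    signature = sign_manifest(manifest, SIGNING_KEY)
    deployed = dict(BUILD_OUTPUT)
    deployed["config/app.yaml"] = b"listen: :8080\nlog_level: debug\n"
    return verify_release(deployed, manifest, signature, SIGNING_KEY)


def demo_rewritten_manifest() -> List[str]:
    """Constructed scenario: manifest regenerated to match altered files, no key."""
    deployed = dict(BUILD_OUTPUT)
    deployed["bin/service"] = b"\x7fELF-altered-binary-contents"
    forged_manifest = build_manifest(deployed)
    original_signature = sign_manifest(build_manifest(BUILD_OUTPUT), SIGNING_KEY)
    return verify_release(deployed, forged_manifest, original_signature, SIGNING_KEY)


if __name__ == "__main__":
    print(demo_tampered_config())
    print(demo_rewritten_manifest())
```

Because the digests are only as trustworthy as the manifest, the signature check runs first and short-circuits; and because each dependency in a chain is itself a release like this one, the same manifest-plus-signature pair is what lets one platform check that the platform it depends on arrived unmodified.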
This further complicates security when operating in a cloud-native environment, establishing another area where users must pay close attention to ensure that one cloud-native platform's dependency on another does not compromise it.