UPDATED 10:00 EDT / JULY 24 2020

Running with scissors: Speed in cloud native requires rethinking security

In the cloud native ecosystem, there is a growing concern that “safe speed” is becoming an oxymoron along the lines of “jumbo shrimp.”

Many impressive things are developed every day in the cloud and a lot of them can be created at lightning-fast speed. Yet a lot of mistakes can be made fast too, which raises the possibility that security is being compromised as well.

A January report from McAfee LLC documented that 25% of companies had sensitive data downloaded from cloud platforms to unsecure personal devices and 52% of cloud services users have had data stolen. It’s metrics such as these that have placed the “shared responsibility model” for the cloud under scrutiny.

In this model, cloud providers are responsible for access to a data center, core files and operating system, and customers are responsible for everything else that can be configured. Then there is an alternative model.

“There is something that’s not talked about as much and that is the ‘shared irresponsibility model’ that’s happening within companies,” said Dan Hubbard (pictured), chief executive officer at Lacework Inc., a security provider for cloud and container environments. “Developers are saying they’re not responsible for it and security is saying they’re moving too fast. One of our mantras is to run with speed and safety, but it’s kind of hard to run with scissors and be safe at the same time.”

Hubbard spoke with Stu Miniman, host of theCUBE, SiliconANGLE Media’s livestreaming studio, in episode five of Cloud Native Insights, a series which focuses on transitions in the marketplace and how companies are making the journey to modernize and leverage cloud native technologies. They discussed conflicts between the way security solutions are implemented and a DevOps culture, keys for implementing modern security in a cloud native world, navigating fragmented multicloud environments and positive signs of progress in creating a more secure ecosystem within the enterprise.

Cloud washing

What Hubbard identifies as “shared irresponsibility” highlights a clash within many enterprises between developers, whose work is often closely tied to the success or failure of a company, and security professionals tasked with protecting the outcome of that work. A study conducted by Oracle Corp. and KPMG found that nearly two-thirds of enterprise chief information security officers only got involved with cloud projects after a security incident and less than 10% understood a shared responsibility model at all.

“Unfortunately, security people and a lot of the security solutions that are out there, the incumbents if you will, are trying to deliver their current solution in a cloud way,” Hubbard said. “They’re doing what I call ‘cloud builds’ or cloud washing and they’re doing it in a system that’s not applicable to the modern infrastructure and the modern way that developers are building. If you’re going to build in the cloud you have to secure it the same way that you’re building it, in the modern way.”

What should modern security look like in a cloud native world? A first step is to accept the inevitable reality that cybercriminals are not going away, and they will continue to innovate with speed and agility, according to Hubbard.

The second step is captured in one word: automate.

“Automation is critical,” Hubbard said. “The cloud providers are literally releasing new APIs and acronyms almost weekly. Automation and the ability to adapt to that is one key message that we hear from customers.”

Assisted enforcement

The challenge for many organizations will be what automation path to choose so that the technology can be properly channeled into productive use without expanding risk. A report released last month by the Brookings Institution about improving cybersecurity through AI warned that dependence on the technology will likely provide an incentive for attackers to target specific algorithms with potentially devastating results.

There is the added concern that the speed of innovation itself would quickly outstrip any automated security rules which could be applied.

“The notion of people writing and building rules is very hard in this world because things are moving so quickly,” Hubbard said. “In the past, it was really difficult to spin up 10,000 servers in an Asia data center to do research for four hours, security would probably know if that’s happening. Nowadays, that’s like three lines of code.”

A more likely model for the cloud native world will follow a principle of guided enforcement: the response to a detected event is automated, but a human check sits at the other end before or alongside the action.

In this scenario, which Hubbard acknowledges is still in an early stage of formation, some Lacework customers send the firm’s automated alerts to an internal Slack channel asking if a particular employee has permission to open an S3 bucket in a certain region.

“If ‘no,’ then a program runs a serverless function and closes it,” Hubbard explained. “I believe that we’re going to move to a world that’s more about orchestration and automation where there’s a set of parameters and you can orchestrate certain things or maybe an ‘Ops Assist’ mode.”
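The guided-enforcement loop Hubbard describes, written out as an added illustration (not Lacework's code): an alert that a bucket was opened is checked against an assumed approval list standing in for the human answer in Slack, and a "no" produces the arguments for the serverless function that closes the bucket again. The `put_public_access_block` call is the real boto3 S3 API; the `DryRunS3` recorder is assumed here so the flow runs offline.

```python
from dataclasses import dataclass

# Constructed sample data: which principals may open buckets in which regions.
# In the article this answer comes from a person in Slack; here it is a table.
APPROVED_OPENERS = {
    ("alice@example.com", "us-east-1"),
    ("bob@example.com", "eu-west-1"),
}

@dataclass(frozen=True)
class BucketAlert:
    actor: str         # principal whose change triggered the alert
    bucket: str
    region: str
    made_public: bool  # True when the change exposed the bucket publicly

def slack_question(alert: BucketAlert) -> str:
    """The question posted to the ops channel for a human to answer."""
    return (f"Does {alert.actor} have permission to open bucket "
            f"'{alert.bucket}' in {alert.region}? (yes/no)")

def decide(alert: BucketAlert, approved=APPROVED_OPENERS) -> str:
    """'allow' if the actor is approved for that region (or nothing was exposed), else 'close'."""
    if not alert.made_public:
        return "allow"
    return "allow" if (alert.actor, alert.region) in approved else "close"

def remediation_args(alert: BucketAlert) -> dict:
    """Arguments for boto3's s3.put_public_access_block, which re-closes the bucket."""
    return {
        "Bucket": alert.bucket,
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    }

class DryRunS3:
    """Assumed stand-in for a boto3 S3 client: records the call instead of making it."""
    def __init__(self):
        self.calls = []
    def put_public_access_block(self, **kwargs):
        self.calls.append(("put_public_access_block", kwargs))

def handle(alert: BucketAlert, s3_client) -> dict:
    """Serverless-style handler: decide, then remediate only on 'close'."""
    verdict = decide(alert)
    action = None
    if verdict == "close":
        s3_client.put_public_access_block(**remediation_args(alert))
        action = "put_public_access_block"
    return {"bucket": alert.bucket, "verdict": verdict, "action": action}
```

Swapping `DryRunS3()` for `boto3.client("s3", region_name=alert.region)` turns the dry run into the live closing step; the decision logic is unchanged.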

Fit with modern workflow

Another important element in modernized security involves an ability to navigate effectively in a multicloud world. Cloud security extends far beyond Kubernetes and containers, enveloping protection for infrastructure-as-code, serverless, virtual machines and highly complex workloads.

“You’ve got a very fragmented world out there and all of it needs to be secured,” Hubbard said. “The most consistent theme we’re hearing is that DevOps has to become involved because they know the application of the stack much better than security, it has to fit into your modern workflow of DevOps. That means deep integrations into Jira, Slack, PagerDuty, New Relic and Datadog are a lot more important than integrating to your Palo Alto Networks firewall, your Cisco IDS system and your endpoint antivirus.”

There are rays of sunshine in today’s security space, according to Hubbard, as companies grapple with rising levels of attack. One involves a movement toward least privilege, the practice of restricting each user’s and workload’s access rights to the minimum needed for its role.

The peril of what can happen when too many people have access privileges within company networks was highlighted last week when Twitter Inc. suffered a breach of its system and 130 high-profile accounts were hacked. In a recent update, Twitter acknowledged that social engineering was used to obtain credentials from several employees which allowed the attackers to bypass two-factor authentication and access a key internal database.

“What most are excited about is the journey toward least privilege, minimizing the scope of the attack surface within your developers and their access to your infrastructure,” Hubbard said. “We’re pretty far from there. It’s an easy thing to say and it’s a pretty hard thing to do.”

Another positive development has centered around advances in meeting compliance standards, which has progressed from teams of auditors camping out in data centers every six months to a process where Lacework can tell how a customer is doing against a particular requirement within a minute, according to Hubbard.

This is the kind of progress which presages positive developments for security in the cloud native world. The key will be for enterprises to build protections inside cloud environments as well.

“It’s not about how do I take my existing security stack and move it over,” Hubbard said. “My suggestion to people who are moving into the cloud is really think about compliance and configuration best practices first. The ability to look at your configuration in near real time and understand if you are compliant or following best practices is real. This is a great time to crawl, walk, run.”

Preferably, without scissors.
