Cloud, Cyber, Zero Trust 3 MIN Read

Cloud-Native Security: What It Is, What It Isn’t and How to Make it Happen in Your Organization

April 8th, 2022


Learn more about GDIT’s cloud portfolio, including our cloud-native security capabilities.

The term “cloud” is thrown around quite a lot these days, and for good reason. The world’s consumption of cloud services is only growing, and the Federal government is no exception. Innumerable agency data centers and on-premises hardware are quickly giving way to off-premises computing, much of it in the cloud. Gartner forecasts increased growth for the overall public cloud services market with a five-year CAGR of 21.5%, and projects that spending on public cloud services will reach $848 billion in just three years.

The explosion of cloud computing within Federal agencies presents enormous opportunity for accelerated mission delivery, expanded capabilities, enhanced user experiences for end users, and greater security – a paramount concern for many agencies, from those in the defense and intelligence space to civilian agencies that handle large amounts of sensitive, PII data.

“Cloud-Ready” vs. “Cloud-Native”

To impart a patina of modernity on traditional technology stacks you may hear “cloud-ready” or “cloud-enabled.” This usually refers to technology built for on-premises applications and then migrated to the cloud. Often these applications were originally designed with local resources and hardware in mind.

Revisions and refactoring can allow for a “cloud-ready” moniker, but the underlying architecture remains the same. Generally, “cloud-ready” software struggles to take advantage of cloud-based resources and is unable to provide the scalability and resiliency that a truly cloud-native application can bring. Cloud-ready sees the cloud as another enclave in which to operate, cloud-native was born in the cloud, molded by the cloud’s capabilities from its inception, cloud-native has never seen an on-premises installation.

'cloud-ready' software struggles to take advantage of cloud-based resources and is unable to provide the scalability and resiliency that a truly cloud-native application can bring.

Jim Fitzsimmons

Cyber Technology Consultant, GDIT Cyber Center of Excellence

Instead, cloud-native applications are architected from the ground up to use cloud-based technologies. Cloud infrastructure can be extended nearly instantaneously when needed, allowing organizations the flexibility to add or reduce capacity as needed. Cloud-native applications employ microservices deployed within lightweight containers using orchestration, runtime, and networking services. Cloud-native applications leverage cloud computing frameworks and infrastructures and encourage an accelerated software development life cycle. Cloud-native applications also take full advantage of modern cloud practices such as immutable infrastructure, containers and container registries, infrastructure-as-code (IaC), and integration through APIs.

The Cloud-Native Fundamentals Push Security Left

Cloud-native’s fundamental principles include scalability, resiliency and frequent changes. These capabilities have brought about the emergence of DevSecOps and have pushed security left. Organizations can begin to tackle vulnerabilities and threats by building in security from the start of the development process through to production, ensuring multiple layers of security and continuous monitoring for new vulnerabilities.

Cloud-native security requires focusing on:

  • Operating in-step with other cloud-native development and architecture strategies of an organization.
  • Ensuring applications are secured in a manner that is in context with how they function.
  • Identifying vulnerabilities and performing remediation during development.
  • Integrating security tooling into each phase of the software lifecycle through automated scanning in source code management systems and scanning of derived artifacts, such as container images.

Security models and tools built for the days of on-premises hosting are becoming more and more of a liability. Many of the tools in use in production environments today were designed before the wide scale adoption of cloud platforms and are insufficient in providing adequate security.

The speed and scale of the cloud makes it more important than ever to secure your cloud-native applications with the appropriate cloud-native security tools that can keep up with the incredibly fast-paced world of modern cloud-native applications and capabilities.

And that’s exactly how it should be.