5 Questions to Ask When Choosing a Cloud Native Security Platform for DevOps
Palo Alto Networks put together some essential questions to ask when choosing a security platform for DevOps. Familiarize yourself with cloud native security platforms and help build a healthy DevSecOps strategy.
Here we take a look at how you can address the “tools” part of the equation when it comes to security. Specifically, we’ll discuss which questions to ask a vendor and what features DevOps teams should look for when choosing a cloud native security platform.
What Is Cloud Native? What Does It Mean For DevOps?
First, we’re going to focus on the security challenges that arise in cloud native environments, which means those built with technologies that include (but are not limited to) containers, serverless functions, and virtual servers.
Second, we’ll focus on the security needs of DevOps teams and the software development lifecycle. Although DevOps positions may not explicitly involve security, we now live in the age of DevSecOps, and everyone on the DevOps team helps keep infrastructure and applications secure. DevOps security is here to stay and it’s not only an accepted part of the software development process but also a key aspect of modern software quality.
We’ll also consider which types of tools are best suited to help DevOps teams deal with security issues while also promoting the visibility and collaboration that are essential parts of a healthy DevSecOps strategy.
Let’s look at the questions you should ask as you evaluate cloud native security platforms for a DevOps organization.
What Are You Actually Securing?
This question may seem obvious. So obvious, in fact, that you may not give it much real thought. However, infrastructures and environments vary widely, and it’s important to step back and figure out exactly what you need to secure if you want to successfully implement DevSecOps.
Are your workloads running in containers? Are you using serverless functions, or do you plan to add them? How are you orchestrating your workloads: with the native orchestrator provided by your cloud vendor, Kubernetes running as a service, your own Kubernetes build, or something else? Which new cloud native technologies does your DevOps team expect to adopt in the future?
Answering questions like these helps ensure you choose a security platform that can support your current and future cloud native environments and promote DevOps processes that focus on application security. In most cases, you’ll find that security platforms that are purpose-built to secure a range of environments — not just containerized ones, which are usually the focus of most self-proclaimed “modern” security platforms — are the best and safest fit for your DevSecOps needs.
What Are Your Security Threats? How Can You Stop Them?
This is another question that might seem obvious to your DevOps team. But again, the fast-changing nature of threats and the agile nature of software development mean it’s worth asking what your potential threats actually are. This process may include communication with your security team, as well as a review of past data breaches and security flaws.
Keep in mind that the relevant threats may differ for the dev teams, for the application you deliver via continuous deployment, and for the InfoSec and operations teams. This is one place where the DevOps principle of cross-organization communication is crucial for effective vulnerability management.
Which Layers Does The Platform Secure?
Scanning container images for known vulnerabilities is good. On its own, however, it hardly amounts to a complete container security strategy. The same could be said for setting up a firewall or locking down access control. These are good security practices, but to achieve true DevOps security you need to secure all layers of your infrastructure, including those managed by teams other than DevOps. For that reason, you want a cloud native security platform that is designed for holistic security, not a point tool that only secures one or two layers.
Where Does The Security Platform Get Its Vulnerability Information?
When it comes to identifying vulnerabilities, security platforms can get their information from lots of sources. They could look at a public Common Vulnerabilities and Exposures (CVE) database or a list supplied by a third-party vendor.
The best security platforms pull vulnerability data from multiple sources. If you’re only relying on one data source to figure out where the threats are, you’re unlikely to catch them all — and just like in the world of Pokémon, catching them all is one of your main priorities for secure DevOps. You need a platform with security tools that pull data from multiple sources to identify threats and vulnerabilities.
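As an added illustration of that point (not code from the article or from any Palo Alto Networks product), two constructed vulnerability feeds with placeholder advisory ids are matched against a constructed image package list, and the findings each source reports on its own are compared with their union; the feed format and the "affected if below fixed_in" rule are assumptions.

```python
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (advisory id, package name)

# Constructed package inventory for one container image (name -> installed version).
IMAGE_PACKAGES: Dict[str, str] = {"libfoo": "2.4.1", "barlib": "0.9.3", "bazd": "3.0.0"}

# Two constructed feeds with placeholder advisory ids. A package is affected when
# its installed version is lower than "fixed_in". "public" stands in for a public
# CVE list; "vendor" for a distro/vendor advisory list that can carry entries the
# public list lacks, and vice versa.
FEED_PUBLIC: List[dict] = [
    {"id": "EXAMPLE-CVE-1", "package": "libfoo", "fixed_in": "2.4.2"},
    {"id": "EXAMPLE-CVE-2", "package": "bazd", "fixed_in": "3.0.1"},
]
FEED_VENDOR: List[dict] = [
    {"id": "EXAMPLE-CVE-1", "package": "libfoo", "fixed_in": "2.4.2"},
    {"id": "EXAMPLE-ADV-1", "package": "barlib", "fixed_in": "1.0.0"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple (no epochs or suffixes)."""
    return tuple(int(part) for part in text.split("."))


def find_vulnerable(packages: Dict[str, str], feed: List[dict]) -> Set[Finding]:
    """Return (advisory id, package) pairs whose installed version is below the fix."""
    hits: Set[Finding] = set()
    for entry in feed:
        installed = packages.get(entry["package"])
        if installed is None:
            continue  # package not present in this image
        if parse_version(installed) < parse_version(entry["fixed_in"]):
            hits.add((entry["id"], entry["package"]))
    return hits


def compare_sources(packages: Dict[str, str], feeds: Dict[str, List[dict]]) -> Dict[str, Set[Finding]]:
    """Findings per single source plus their union, so each source's gap is visible."""
    per_source = {name: find_vulnerable(packages, feed) for name, feed in feeds.items()}
    per_source["merged"] = set().union(*per_source.values())
    return per_source


def missed_by(results: Dict[str, Set[Finding]], source: str) -> Set[Finding]:
    """Findings a platform relying on `source` alone would never report."""
    return results["merged"] - results[source]


if __name__ == "__main__":
    results = compare_sources(IMAGE_PACKAGES, {"public": FEED_PUBLIC, "vendor": FEED_VENDOR})
    for name, hits in results.items():
        print(f"{name:7s} {sorted(hits)}")
    print("missed by public only:", sorted(missed_by(results, "public")))
```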
How Automated Is The Platform?
Automation is the mother of DevOps (or something like that). What I mean is that without automation, you can’t do DevOps very effectively.
Incidentally, without automation, you can’t do cloud security very effectively either. The highly dynamic nature of containerized, serverless, and other cloud native environments means that trying to interpret all of the data they generate, identify vulnerabilities, and react to them manually just doesn’t work. That’s why you want a cloud native security platform that automates DevOps security tasks wherever and whenever possible — and minimizes human error.
You should still expect to perform some tasks manually, of course. (If we could automate everything, DevOps engineers wouldn’t need to exist anymore!) But to the extent possible, your security platform should automate your security-related workflows. That is another key aspect of security best practices.