This post was co-written by Darin Zook and Rita Manachi.
One month after the MOVEit vulnerability was first reported, it continues to wreak havoc on U.S. agencies and commercial enterprises. Unfortunately, the victim list keeps growing and includes organizations such as the U.S. Department of Health and Human Services, the U.S. Department of Energy, Merchant Bank, Shell, and others.
To be sure, IT leaders in the public sector and other highly regulated agencies focus on security-related programs like data protection, privacy, governance, and regulatory guidelines, and continue to fund them accordingly. However, as cyberattacks and hackers evolve in their practices, so must our approach to securing our most critical systems or else common vulnerabilities and exposures (CVEs) like MOVEit will continue to threaten them.
While the U.S. Department of Defense (DoD) has embraced modern software development processes, other U.S. public sector organizations are under particular pressure to do the same. Meanwhile, as federal agencies respond to the Biden administration’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028), they are being specifically targeted for cyberattacks, which by some accounts, increased 95 percent in 2022, compared to the same period the previous year.
Cloud native changes everything
As both government agencies and private entities rush to adopt cloud native technologies, they’re increasingly becoming more exposed to CVE and malicious attacks. That’s because modern architectures are, by nature, distributed and API-led. According to Forrester Research, with cyber attacks targeting APIs and software supply chains on the rise, they are definitely a security priority.
Cloud native security requires a holistic approach built on integrating security throughout your application development and delivery cycle. With this, it’s critical to establish a cultural reinvention where security is an embedded quality of every digital initiative and the tools and platforms that help hasten and maintain these profound changes.
Our field chief information security officer, David Zendzian, discusses the state of cloud native security in this conversation with Michel Cote who, with his decades of experience in IT security, helps our customers implement and maintain their security strategy in a dynamic environment.
Security beyond the perimeter
Let’s use the recent MOVEit breaches as an example of why we need to think about security beyond the perimeter. MOVEit promises secure, automated, auditable file transfer that meets many regulatory requirements. Years ago, I worked for an organization that leveraged MOVEit for exactly this purpose. We had regulatory requirements that necessitated using file transfer tools with data security beyond the simple FTP or Secure FTP. Solutions like this become invaluable to organizations because they make users’ lives easier while offering greater safeguards and visibility for IT and SecOps.
The challenge is, as with any software, there is always potential for exploits. If this breach had occurred when I was working for that organization, we would’ve been compromised as well. We had traditional perimeter defenses at the edge, separately for our demilitarized area (DMZ), and also between our internal data center and user community. Patching within our organization was as structured as it could be, at least for our Windows systems. Patch Tuesday would come with a new wave of patches to be evaluated, applied to test/dev within a week, and, if all went well, to the production environment within 14–21 days. This was the norm in those days.
This was fine at the time, but, as with most early programs, there were gaps in that model. We applied regular patches and updates to our perimeter defenses and to our Windows systems. However, our vSphere environment, underlying host drivers, and firmware were given the same treatment on a quarterly basis at best.
But what about software sitting on top of the Windows platforms? Without a regular cadence of updates, third-party apps running on Windows were infrequent, inconsistent, and happened when the vendor sent out a vulnerability notice, or if there was an end-of-support version. Legacy software and applications became even more challenging.
Outdated processes built on older software because “we’ve always done it this way” bring organizations even greater risk and cause them to fall into dangerous territory. We can become so confident in perimeter security that our internal systems, and more importantly, the software we depend on, fall dangerously behind.
Cloud native technologies have changed the way we build, deliver, and maintain applications and data, and so have they changed the way we secure them. Microsegmentation within the data center is a start, especially for legacy systems, but that is still not enough. Security needs to be embedded throughout the app development and delivery process. That means security starts from the moment the first line of code is written, all the way through production and beyond. Additionally, it needs to be invisible to developers and users so as not to ruin their experience and productivity.
Security must go beyond the perimeter, the data center, and internal systems. It needs to be integrated and continuous to be effective in today’s digital environments. To truly embrace this idea of continuously secured infrastructure, platform and apps, we need to change how we think about security.
Security is not an outcome
So what do we mean by continuous and integrated security? For security to be integrated fully into the app development and delivery cycle we need to change how we think about security. We posit that security is not an outcome, but rather, outcomes are the tangible results at the end of a mission or project, and are the features and capabilities that allow you to have a secure system. Some examples of security-enabling outcomes include
- A secure software supply chain
- Automated remediation
- Approved or golden container images
- Authentication
- End-point security
- Approved API library
- Software catalog
- Software bill of materials (SBoM)
- Service-to-service encryption (mutual transport layer security) and authentication
- API schema validation and runtime observation/protection
- Certificate lifecycle management
- Uniform and consistent security policies (across clouds, too!)
- Traffic introspection and personally identifiable information (PII) and/or payment card industry (PCI) data detection
Your software supply chain is the main target
The best way to secure your supply chain is to automate it and the CI/CD pipeline that drives it. So really, security must be a developer experience consideration. Adopting a shift-left mindset that allows developers to inherently write more secure code, and applying pervasive automation to the entire supply chain process is critical to this.
In addition to process changes, platform features like application templates with preapproved configurations, golden paths, multi-cluster policy enforcement, and internal developer portals help ensure security is infused and automatically applied before an app gets into production.
APIs and containers dominate security concerns
Modern cloud native environments are distributed by nature. We see the same distributed patterns at the app level with microservices and event-driven architectures. As a result, APIs continue to hold a major role in the app development and delivery cycle—essentially functioning as the nervous systems connecting services and data. This makes them an attractive vector for attack, with some pundits and analysts suggesting an exponential increase in API attacks in the past six months.
According to Forrester Research, container and API security are at the top of the list for enterprise security leaders. One of the most effective attack vectors called out by Forrester are so-called shadow APIs, which is one that lives outside the normal IT governance management and security processes, making them harder to detect. Though they might not always be created for malicious use, they can wreak havoc on your security and governance posture.
Since acquiring Mesh7 two years ago, VMware has incorporated advanced app and API security capabilities into the VMware Tanzu Service Mesh product, bringing visibility, discovery, and better security to APIs. These capabilities help manage and mitigate the damage that these shadow APIs can do and generally strengthen your API security posture.
By the same token, containers influence how we build, ship, manage, and secure software. To be sure, the cloud native security space is thriving, which is evident with the Cloud Native Computing Foundation (CNCF) dedicating a whole conference to the topic. In fact, as we point out in a recent CNCF community blog post, the foundation tracks 94 security and compliance projects and products in the cloud native landscape.
In the last half decade or so, VMware has catapulted its presence in the Kubernetes community, contributing to multiple projects—including some of the most popular security focused ones. We’re also embedding security-enhancing features in our flagship VMware Tanzu and Aria offerings, including:
VMware Tanzu Application Platform – With multiple features that help organizations embed security in the full application lifecycle from code to production and maintenance. It includes features such as application templates and automated container image scanning, out-of-the-box TLS configuration, customizable security banners, and integration with Aqua Trivy, an open source vulnerability scanner by Aqua Security (Alpha). Learn more about the latest security-enhancing features from Tanzu Application Platform.
VMware Tanzu Application Service – Our original internal developer platform comes with out-of-the-box security features that support modern security practices like shifting left, automated container builds, app security groups, and more—all of which help you ensure your applications and the platform on which they run are continuously secured. Read about the latest version of Tanzu Application Service.
VMware Tanzu Mission Control – For multi-cluster management on any cloud, Tanzu Mission Control enables you to manage security and data protection policies to Kubernetes clusters in any environment; centralized authentication, authorization, and federated identity from multiple sources (e.g., AD, LDAP, and SAML); and cluster conformance and Center for Internet Security (CIS) Benchmark inspection configuration and security issues. We’ve also just announced new Private Registry Support and a Tanzu Mission Control self-managed option!
VMware Tanzu Guardrails – A multi-cloud governance service to automate and scale end-to-end policy enforcement across clouds and Kubernetes. Organizations can consistently apply preventative guardrails and enforce standards that help regulate cost and reduce risk across clouds, Kubernetes and hosts. The service takes a policy-as-code approach to automate governance through definition of desired state using Infrastructure as Code (IaC) templates and enforcement of policies in cloud accounts. Tanzu Guardrails (formerly Aria Guardrails) leverages event-based detection and provides a consolidated view of configuration drift across tools and clouds. Organizations can secure cloud resource configurations and improve compliance with the capability to correlate policy violations with graph-based cloud inventory and risky cloud entitlements, and with access to a rich library of built-in and custom policies. By sending actionable alerts to the right teams, suppression of noise, and using automated remediation, organizations can respond to critical violations faster. Learn more about VMware Tanzu Guardrails.
VMware Application Catalog – Built on the enterprise edition of Bitnami Application Catalog, VMware Application Catalog ensures that your developers are using only the latest versions, delivered with a comprehensive SBoM, customized as per your enterprise policies, and tested for use on multiple Kubernetes platforms.
Open source is where innovation happens and developers want access to the latest open source software to help them build great apps. Meanwhile, platform engineering teams need to prevent developers from inadvertently compromising their systems by using unsanctioned open source components that don’t meet enterprise requirements. Having a trusted library to access open source software is critical. This IDC Research report offers a deeper look at how modern tools like VMware Application Catalog can help customers manage software supply chain security leading to well-maintained, current, safe, and secure applications.
Learn more
Hungry for more? Download the Securing Cloud Applications eBook, a hands-on guide for working developers that minimizes the abstract and complex security theory that focuses on the practices you need to secure applications running on Kubernetes and the cloud.