EDITOR’S QUESTION
ANDREW SENIOR, CUSTOMER SUCCESS MANAGER, NUTANIX
Cloud has become the first choice for modernised applications, which we now term cloud-native applications. These dynamic applications are designed with high scalability and elasticity in mind to meet the requirements of a highly competitive and digitally transforming world. With the ever-improving ease of access to cloud services and low barrier to entry, it is easy to deploy your applications and then overlook their security.

Designing your cloud-native applications with security in mind is essential, as is clearly understanding all of the endpoints that you’re exposing. Containerisation and the move to microservices architectures have added complexity to the application security landscape. Having a clear understanding of and visibility into these applications is vitally important, as cloud-native implies a dispersed and dynamic application architecture, and with that there is potential for attack on more fronts. Visibility could be provided by application monitoring, network monitoring, Intrusion Detection System (IDS) and Security Information and Event Management (SIEM) tools.

The ability to react to and address an attack is of vital importance too, so understanding what mechanisms and contingencies you may activate is vitally important. With the risk that an entire cloud platform could be compromised, it would be wise to mitigate this through the use of multiple clouds, both private and public. A significant cloud attack could constitute a disaster and invoke a DR plan.

Cloud providers give you a platform to deliver your applications, and hardening them for security remains your responsibility. Each provider has services and features within their platforms to ensure security for your applications, and there are several third-party tools which are able to measure security and policy compliance for your deployments. Two examples of these policies are Sarbanes-Oxley (SOX) and PCI DSS. While clouds and tools provide this functionality to you, it’s again your responsibility to make sense of these recommendations and then use these services and features to take action and implement the required measures to secure your applications.

Traditional network security skills and understanding are an absolute necessity, but there are also security skills required and learned in the application space. Organisations are not only practising DevOps now, but DevSecOps, to ensure that applications are built with security top of mind.

Best practices are documented and available for all of the well-known technologies in use by modern cloud-native applications, but making sense of these along with implementation and governance will require skills and expertise which may be in short supply.

INTELLIGENTCIO