In today’s software-first, on-demand economy, competitive advantage can be measured in weeks, days, or even hours. Speed wins. Application development teams are moving faster to keep their businesses in the lead. And to accommodate that speed, modern businesses are turning to strategies like containerization and microservices, which have made rapid-fire application enhancements a reality.
Yet, this rapid growth has not come without its share of challenges. Cloud native development is evolving at a breakneck pace. However, amid the rush to transition to these modern environments, many development teams may be putting security on the back burner, creating new risks and opportunities for nefarious cybercriminals. Machine identities are just one example of this trend. If developers find them difficult to implement, they may be tempted to sidestep these roadblocks and create workarounds that do not comply with organizational security policies.
How big are security challenges for cloud native?
To better understand the state of cloud native security and machine identity management, Venafi sponsored an independent survey of 800 security and IT leaders in large organizations across the U.S., U.K., France, and Germany. The report examines the top threats and challenges impacting the state of cloud native security at organizations today, including their approach to cloud native security, challenges faced, ownership among security and development teams, and the foundational role machine identities play within cloud native security.
First and foremost, we found that cloud native is being widely embraced and Kubernetes has become its de facto standard, with 84% of security and IT leaders believing that Kubernetes will soon be the main platform used to develop all applications. But 75% believe the speed and complexity of cloud native development create new security blind spots, and 59% have already experienced security-related issues within Kubernetes or containers.
Indeed, it was readily apparent that organizations are grappling with how to secure against the unique risks of cloud native environments. While 87% have started to move legacy applications to the cloud, many did not optimize for cloud native. More than half (53%) simply did a lift and shift to the cloud, with most application code remaining the same. And a full 69% acknowledge that when moving to the cloud, they dragged previous security problems with them. In fact, 59% of senior-level leaders admit they didn’t understand the security risks when moving their legacy applications to the cloud.
Challenges facing cloud native security
Migrating to cloud native environments has resulted in staggering levels of complexity that leave many organizations overwhelmed by security needs that stretch across all aspects of the application life cycle.
- Software supply chain attacks. A staggering 75% of security and IT leaders believe that software supply chain attacks are their biggest security blind spot.
- Service mesh complexity. Acknowledging its inherent complexity, 61% reveal they cannot issue certificates at the speed needed in Kubernetes and service mesh.
- Zero trust remains elusive. While admitting that zero trust is essential to security in modern distributed environments, 79% admit that it’s too hard to implement.
- Code signing development artifacts. Almost half (47%) of security and IT leaders admit they do not enforce code signing for artifacts because it slows down development.
Machine identity management: The missing piece?
Because they secure all communications and connections within a cluster, machine identities are the foundation of cloud native security. But if machine identities are not easily accessible throughout the development process in cloud native environments, developers may be tempted to take security shortcuts and create workarounds that sidestep the proper usage of machine identities.
- Machine identity management is essential. Among security and IT leaders, 88% believe that machine identity management is essential to the success of zero trust models.
- Power of machine identities undervalued. However, 74% of security and IT leaders worry that developers are challenged with several conflicting priorities, so security is not always top of mind.
- Machine identities underutilized. When faced with the choice, developers will choose speed over security, with 68% of security and IT leaders worried that developers sometimes don’t use certificates because issuance adds friction to developer processes.
- Lack of cloud native security expertise. Most security and IT leaders lack confidence in their ability to secure cloud native, with 90% believing security teams need to increase their understanding of cloud native environments to ensure applications are secure.
Machine identities are critical to secure sensitive microservices and cloud native resources that can be accessed from anywhere on the Internet. To properly implement the latest advances in technology, organizations need to establish the identity of cloud native machines such as containers, microservices, DevOps artifacts, API connections, and more. To function securely, all these interconnected cloud native machines must be able to rapidly verify their identities with each other. Yet the management of this proliferation of machine identities can be challenging in cloud native environments, and organizations may have trouble keeping up with today’s rapid pace of continual innovation.