It’s a sure bet that containers and microservices will become new security vulnerabilities for cloud-native applications without discussions about best practices and standards.

In doing postmortems on breaches of applications and data sets in the cloud, problems are often traced back to communication. Frequently, the issue is not computer-to-computer communication but communication between the humans designing the cloud-based systems and those who are charged with their security.

Applications that use modern mechanisms such as containers, Kubernetes, and microservices often expose security vulnerabilities that go unnoticed. The analogy I like to use is that architects are designing the best smart building known to the world but not installing locks. The locks need to be engineered into the building during the design and not be an afterthought, as they often are in the world of cloud system security.

The essence of this problem is a lack of best practices and standards that the people engineering these cloud-native solutions can depend on. We’re beginning to see some guidance emerge that allows both the architecture and security teams to better coordinate around standards and best practices.

An example of emerging best practices and standards would be the ones developed by the Application Containers and Microservices Working Group of the Cloud Security Alliance. They give application developers and architects, as well as anyone responsible for application containers and microservices security, a repeatable approach to designing, developing, and deploying a microservices architecture pattern.

In short, this set of guidance tells you how to have a microservice operate independently and communicate with other microservices. Microservices have evolved to become a common application component of net-new cloud-based systems.
Of course, application components should not become attack vectors for some hacker who has found out how to exploit microservices.

Design meets security

The idea here is to have close coordination between those who are designing and building cloud-native applications (with or without microservices) and those who are responsible for security. Much of this has fallen away from IT culture as security teams feel blindsided by the adoption of new technology, such as microservices. At the same time, development teams feel the pressure to come up with more innovative and valuable uses of cloud-native technology in support of the business.

We need to do both.

Create a culture of tight coordination and communication with the cloud architecture and cloud security teams.

Encourage the use of standards and best practices for architecture and security.

Promote ongoing, continuous improvement of both cloud-native architecture and best-of-breed security practices and technology.

Pretty simple if you ask me. I suspect I’ll be breaking up fights between the application and security teams for the next few years, though. You guys need to help me out.