CloudRoads

View Original

5 Tips to Secure Cloud Native Applications

Published on Nov 19, 2020 | 3 Mins Read

Photo by Parsoa Khorsand on Unsplash

There’s no doubt that security is of paramount importance when it comes to cloud native applications. Wether your are running containers on-premises or on public cloud, you want to make sure your data ,application, and network are secure.

In many organizations security is an afterthought and dealt with only when getting ready to go to production or after breaches. This might work for traditional applications. However, when working with cloud native applications you want to make sure to integrate security into all stages of the software delivery process (aka DevSecOps).

For example, by containerizing your (monolith) application, you’ve broken it down into microservices that communicate and work together. Now, instead of having to protect that (monolith) application running on one virtual machine inside a VPC , you are dealing with many bits and pieces (containers, pods,…etc) scattered across many hosts. The reality is, you just increased your attack surface.

While there are many advantages of using containers , you have to carefully decide if it’s the right choice. Usually you want to look into the application architecture, cost, learning curve, performance, and most importantly security.

For those applications that you decided to run in containers, there are plenty of things you can do to reduce the risk. I’ll go over five things that cost you almost nothing to implement right away. Certainly, This not a comprehensive list. However, it can act as a starting point or the bare minimum to secure cloud native applications.

  1. Rootless Containers

    The container runtime usually requires root access to create the namespaces, control groups,..etc around your application container. However, your application container is unlikely to require root access to operate.  

    The problem with running containers as root is that an attacker might be able to escape a privileged container to the underlying host with root access. This can cause a lot of damage (i.e: CVE-2019-5736).

    There are  many ways to run rootless containers:

  2. Minimalist Images

    You can reduce the attack surface by being a minimalist when it comes to the container image file. Start with the smallest image possible and only add the libraries required for the application to run. As you release more versions of your software, you can always go back  and rebuild the image. 

  3. Image Scanning

    Integrate into your CI/CD pipeline guardrails to identify possible vulnerabilities. This includes:

  4. Golden Images

    Develop golden images for all your development teams. This will allow you to :

    • Reduce the number of errors to deal with when building images

    • Limit the exposure to vulnerabilities from untrusted images

    • Increase the consistency across the board

  5. Patching

    You want to make sure to regularly patch the underlying host or virtual machine and container runtime, . A container is a process and it’s as secure as its underlying host 


Wether you’re just getting started with containers or you are running workloads in Production, Security is something you have to deal with from day one. Not only it will protect your bottom line, but it will make you sleep better and serve your customers with confidence.

The aforementioned steps are among hundreds of things that could be done to secure your cloud native applications. Depending upon the underlying infrastructure, application architecture, and exposure to attacks you want to formulate an effective security strategy that works for your organization.