Cloud adoption is a key driver of digital transformation and growth for today’s businesses, and with it comes the need to secure cloud infrastructure and applications. As cloud operations continue to grow, how to secure the cloud effectively remains one of the most pressing questions for security professionals.
The Rise of Shift Left
One of the most common buzzwords in security circles in recent years is “shift-left security”: empowering developers to integrate security practices early in the software development lifecycle, before anything is deployed to the cloud. Shift left encompasses securing the build pipeline and development environment, building to security standards and best practices, and managing infrastructure as code (IaC) and configuration.
Shift left rose to prominence on the promise that organizations could build a fully secure pipeline that scans for and fixes misconfigurations before code is pushed into live production environments. While an excellent idea in theory, in practice it is impossible to catch 100 percent of misconfigurations prior to deployment, so vulnerabilities still reach runtime cloud environments.
Is Shift-Left Security Enough?
The push for cloud-native operations has transformed the security industry in many ways, including its overall strategy. Organizations are dealing with increasingly complex cloud environments that include distributed applications, modern workloads, containers and microservices. The move to cloud operations has brought organizations a number of benefits, including greater agility and autoscaling, but with those come dynamic production environments and an expanding attack surface.
While shift-left security can be effective in many contexts, it faces challenges when it comes to adequately protecting running cloud workloads, due to the dynamic nature of live production environments.
For example, a shift-left approach applies known security best practices at build time, which often leaves organizations with lists of thousands of vulnerabilities to sort through for relevance. Teams end up chasing down massive numbers of vulnerabilities just to find out whether they pose a real risk, rather than having a clear view of which ones should be prioritized and remediated. A shift-right approach addresses this by providing the runtime insight needed to tell which vulnerabilities are actually critical and require fixing: for example, whether the vulnerable package is ever loaded by a running workload, and whether that workload is reachable from the internet.
Facing Runtime Threats & Realities
With cloud expansion comes increasingly advanced threat actors, who are often able to exploit vulnerabilities without the organization ever knowing. Even if organizations could catch every misconfiguration before pushing to runtime and so limit the number of vulnerabilities, attacks will only continue to grow in sophistication. Today, attackers routinely enter cloud environments and exploit them without the security team becoming aware of their presence, with the damage discovered only after the fact.
For example, attackers can take control of weakly protected identities, such as leaked access keys or over-privileged roles, and escalate their privileges, which security teams may take days or weeks to recognize.
While shift left has allowed organizations to build securely, it falls short of keeping up with this changing landscape and enabling them to run securely in the cloud. No matter how many shift-left controls an organization employs, it is a never-ending battle to educate teams on build best practices and to chase down misconfigurations regardless of their risk. Shift left also does not let security professionals understand their cloud environments in real time, making it increasingly difficult to defend against bad actors.
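The identity abuse described above is exactly what runtime monitoring is meant to surface while it is happening rather than weeks later. The following is an added example, not code from the original article or from any vendor it describes. It runs a few escalation detections over constructed, simplified CloudTrail-style records: the field names (eventName, userIdentity, requestParameters, sourceIPAddress) follow the CloudTrail schema, but every identity, time and IP address is invented, and the policy document is carried as a plain JSON string rather than the URL-encoded form CloudTrail actually emits.

```python
import json

# Constructed, simplified CloudTrail-style records. Field names follow the
# CloudTrail schema, but every value here is invented for this example.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "10.0.1.5",
     "requestParameters": None},
    # A low-privileged CI identity mints a key for a different, privileged user.
    {"eventTime": "2024-05-01T10:02:11Z", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "admin-bob"}},
    # The same identity attaches the AdministratorAccess managed policy to itself.
    {"eventTime": "2024-05-01T10:02:40Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "ci-deploy",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # ...and adds an inline allow-everything policy as a fallback.
    {"eventTime": "2024-05-01T10:03:05Z", "eventName": "PutUserPolicy",
     "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "ci-deploy", "policyName": "tmp",
                           "policyDocument": json.dumps({
                               "Version": "2012-10-17",
                               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    # Benign: a user rotating their own key.
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "admin-bob"}, "sourceIPAddress": "10.0.1.9",
     "requestParameters": {"userName": "admin-bob"}},
]

ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
INLINE_POLICY_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"}


def _as_list(value):
    # IAM policy fields may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value or [])


def is_wildcard_policy(policy_document):
    """True if any Allow statement grants Action "*" on Resource "*"."""
    try:
        doc = json.loads(policy_document)
    except (TypeError, ValueError):
        return False
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def detect_privilege_escalation(events):
    """Return one alert per event that matches an escalation pattern."""
    alerts = []
    for ev in events:
        name = ev.get("eventName")
        actor = (ev.get("userIdentity") or {}).get("userName")
        params = ev.get("requestParameters") or {}
        target = params.get("userName") or params.get("roleName") or params.get("groupName")
        rule = None
        if name in ATTACH_EVENTS and params.get("policyArn", "").endswith("policy/AdministratorAccess"):
            rule = "admin_managed_policy_attached"
        elif name in INLINE_POLICY_EVENTS and is_wildcard_policy(params.get("policyDocument")):
            rule = "inline_wildcard_policy"
        elif name == "CreateAccessKey" and target and target != actor:
            # Creating a key for a different principal is a classic lateral step.
            rule = "access_key_for_other_principal"
        if rule:
            alerts.append({"rule": rule, "actor": actor, "target": target,
                           "eventTime": ev.get("eventTime"),
                           "sourceIPAddress": ev.get("sourceIPAddress")})
    return alerts


def summarize_by_actor(alerts):
    """Count alerts per acting identity; a burst from one actor is the chain to triage first."""
    counts = {}
    for a in alerts:
        counts[a["actor"]] = counts.get(a["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_privilege_escalation(SAMPLE_EVENTS)
    for alert in found:
        print(json.dumps(alert))
    print("alerts per actor:", summarize_by_actor(found))
```

The three alerts all come from one identity within a minute and from an address outside the internal range, which is the kind of context a runtime view gives and a build-time scan cannot; the self-rotation by admin-bob is deliberately left alone.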
What is Shift Right?
As threats and attack surfaces continue to evolve, focus has shifted to adopting a shift-right security strategy: monitoring what applications and infrastructure are actually doing at runtime in order to prioritize threats and vulnerabilities, focusing on the ones that actually matter to the organization.
Shift right views cloud security more dynamically, giving both security and operations teams the visibility and controls they need to run securely. Shift right is less a new topic in security than a reckoning for security teams: they must face their current runtime reality and accept that build practices alone do not protect them at runtime.
For this reason, organizations are moving beyond the shift-left, build-secure mentality and adopting the more dynamic shift-right, run-secure approach needed to protect their most critical assets throughout the production lifecycle, from code to cloud.
Shift Right to Find, Shift Left to Fix
Shift right essentially gives organizations operational data from all of their running services, applications and infrastructure and turns it into security context. By understanding the real risks and threats present in their particular cloud environments, organizations can prioritize, and can use this information as the source of truth for the actual state of their cloud infrastructure.
When you understand what is actually happening at runtime, you can also understand risks and vulnerabilities in context and fix them on the left accordingly. Shifting right and leveraging runtime data goes beyond building securely; it provides the real-time data that should drive an organization’s build practices. By understanding the runtime reality, including exploitable vulnerabilities, live threats and potential compliance breaches, organizations can work backward toward the left and fix the build process itself, for example by tracing a running vulnerable image back to the Dockerfile or IaC definition that produced it.
In short, cloud-native infrastructure security requires looking beyond traditional shift-left strategies and leveraging runtime data for real-time insight into cloud applications and infrastructure. By doing so, organizations can prioritize risks and threats, gain visibility into their cloud infrastructure and use runtime insight to inform the entire build cycle, ensuring security from code to cloud.
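The “shift right to find, shift left to fix” loop, and the earlier point about build-time scans producing thousands of findings with no sense of which matter, both come down to the same operation: weight each scanner finding by what is observed at runtime, then map the ones that survive back to the build definition that needs changing. The block below is an added example, not code from the original article or from any product it describes. The scanner findings, the runtime observations (which images run, which packages they load, which are internet-facing) and the image-to-Dockerfile mapping are all constructed; the CVE identifiers, versions and weights are invented for illustration and are not real advisories.

```python
# Constructed build-time scanner output, reduced to the fields needed here.
# CVE IDs, package versions and CVSS values are invented.
SCAN_FINDINGS = [
    {"image": "api-gateway:1.4", "package": "openssl", "installed": "3.0.10",
     "fixed": "3.0.13", "cve": "CVE-2099-0001", "cvss": 9.8},
    {"image": "api-gateway:1.4", "package": "libxml2", "installed": "2.9.14",
     "fixed": "2.9.15", "cve": "CVE-2099-0002", "cvss": 7.5},
    {"image": "batch-worker:2.0", "package": "curl", "installed": "7.88.1",
     "fixed": "8.4.0", "cve": "CVE-2099-0003", "cvss": 8.1},
    {"image": "legacy-report:0.9", "package": "bash", "installed": "5.1",
     "fixed": "5.2", "cve": "CVE-2099-0004", "cvss": 9.0},
]

# Constructed runtime observations of the kind a workload agent would collect:
# which images are actually running, which packages they load into a process,
# and whether the workload accepts traffic from the internet.
RUNTIME = {
    "api-gateway:1.4": {"running": True, "loaded": {"openssl", "zlib"}, "internet_exposed": True},
    "batch-worker:2.0": {"running": True, "loaded": {"curl", "python3"}, "internet_exposed": False},
    # legacy-report:0.9 is absent: it was scanned but is not deployed anywhere.
}

# Hypothetical mapping from image to the build definition that produced it.
IMAGE_SOURCES = {
    "api-gateway:1.4": "services/api-gateway/Dockerfile",
    "batch-worker:2.0": "services/batch-worker/Dockerfile",
    "legacy-report:0.9": "services/legacy-report/Dockerfile",
}

NOT_LOADED_WEIGHT = 0.3   # package is in the image but no running process loads it
EXPOSED_WEIGHT = 1.5      # workload is reachable from the internet


def runtime_score(finding, runtime):
    """CVSS adjusted by runtime context; None if the image is not running anywhere."""
    obs = runtime.get(finding["image"])
    if not obs or not obs["running"]:
        return None
    score = finding["cvss"]
    if finding["package"] not in obs["loaded"]:
        score *= NOT_LOADED_WEIGHT
    if obs["internet_exposed"]:
        score *= EXPOSED_WEIGHT
    return round(score, 2)


def prioritize(findings, runtime):
    """Split findings into a ranked list (running workloads) and a deferred list."""
    ranked, deferred = [], []
    for f in findings:
        score = runtime_score(f, runtime)
        if score is None:
            deferred.append(f)
        else:
            ranked.append({**f, "priority": score})
    ranked.sort(key=lambda f: f["priority"], reverse=True)
    return ranked, deferred


def fix_plan(ranked, image_sources, min_priority=5.0):
    """Map the findings worth fixing now back to the build file that must change."""
    plan = {}
    for f in ranked:
        if f["priority"] < min_priority:
            continue
        source = image_sources.get(f["image"], f["image"])
        plan.setdefault(source, []).append((f["package"], f["fixed"]))
    return plan


if __name__ == "__main__":
    ranked, deferred = prioritize(SCAN_FINDINGS, RUNTIME)
    for f in ranked:
        print(f'{f["priority"]:6.2f}  {f["image"]:18} {f["package"]:8} {f["cve"]}')
    print("deferred (not running):", [f["cve"] for f in deferred])
    for source, bumps in fix_plan(ranked, IMAGE_SOURCES).items():
        print(f"{source}: bump {bumps}")
```

Note what the ranking does to the raw scan list: the highest-CVSS finding on paper (bash in legacy-report) drops out entirely because nothing runs that image, while the openssl finding moves to the top because the package is both loaded and internet-facing. The weights are placeholders; in practice they would be tuned to the organization’s own exposure model, but the shape of the computation is the point.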