By Hari Bhullar, Vice President, Checkmarx, APAC and Middle East
While the rate of digital transformation has been accelerated by the recent pandemic, the rise in cloud native adoption in the Asia Pacific (APAC) was already discernible before that, as governments in the region had been encouraging and facilitating the shift to the cloud.
In 2015, the South Korean government established a national cloud computing strategy along with a blueprint to promote cloud computing. In 2017, the Australian Government’s Digital Transformation Agency developed its Secure Cloud Strategy to guide government agencies in their transition to and adoption of the cloud. In 2018, Singapore’s government announced a five-year cloud computing initiative of its own, which would not only improve service quality and speed up delivery, but also be a good example for the corporate community.
In the APAC, overall cloud spending will reach $200 billion with a compound annual growth rate of over 20% since 2018, according to “The Future of Cloud in Asia Pacific” report by Cisco and Boston Consulting Group (BCG). Singapore is among the top 3 markets in APAC, while across ASEAN, Indonesia, Malaysia, the Philippines, and Vietnam economies are expected to lead the pack in terms of cloud spending growth at a CAGR of 25% by 2024.
However, with the rise of cloud computing has been an increase in concern about how to best secure it. According to the Deloitte Access Economics survey, security issues lie on top of challenges faced when moving to a cloud environment, with 40% saying security is a challenge.
Cloud computing code is everywhere
To paraphrase the title of a recent movie, modern code is everywhere, all at once.
Whereas previously code would have resided in a single location, now it is dispersed throughout the cloud. What used to be simple to scan using standard testing tools, the modern codebase is distributed, and now encapsulates orchestration and configuration files for containers like Docker and Kubernetes, and the underlying cloud platforms. All of these need to be evaluated concurrently, as how the configuration is done is interdependent on one another.
The rise of Infrastructure-as-Code (IaC) has also complicated matters. Instead of manually configuring individual systems, the process of provisioning and configuring an environment is now done through the code. An organization’s infrastructure then becomes part of the configuration files, which also need to be scanned, and it ideally needs to be done in one go in a single process.
To top it all off, the development teams are now distributed and dispersed, and will additionally rely on third-party components developed by outsiders. It is vital that for security purposes, teams are coordinated, as what one party does will very probably affect how security is implemented in another.
Security from line one, in-depth and breadth
As a result, security needs to be strongly integrated into the development process. Components cannot be examined piecemeal, and security cannot be implemented as an afterthought.
For example, code needs to be tested from the first line that is written, and that includes any open source components that have been incorporated. When new features are incorporated, they need to be similarly evaluated to the same strict standards.
The IaC also needs to be tested in tandem with the code that has been developed, as a single badly configured file can spread vulnerabilities throughout the whole enterprise, due to the automation inherent in IaC. It is important to document the posture of the module created to provision an IaC, the intended environment, the standard to which it should be hardened, and how you ensure that standard is met.
Finally, third-party components such as APIs can introduce unexpected vulnerabilities, and they, too, need to be both documented and tested to ensure security.
Mitigating risks to reap the benefits
Although securing cloud-native applications can seem onerous to some, the risks associated with implementing them can be mitigated with the right policies and tools in place, making them a part of the development process, rather than an additional burden.
If successfully implemented, organizations and governments can reap the benefits of speed, deployment, and management that it brings, allowing easy access to the latest technologies and their accompanying benefits.
Checkmarx is a global software security company.