
Network security and zero trust in cloud native applications

By Pujun Xie (p-se@edu.hse.ru)

Introduction

Cloud native [1] is a concept of application architecture that emphasizes the close integration of application design, deployment, and management with the cloud computing environment. It is not simply about migrating applications to the cloud, but about rethinking and designing applications around the advantages of cloud computing so that they adapt to the dynamic, elastic, and distributed cloud environment.

Representative cloud native technologies include containers, serverless, service mesh, microservices, immutable infrastructure, and declarative APIs, which together build software systems that are loosely coupled, automated, fault-tolerant, observable, manageable, and scalable. However, while cloud native changes how cloud applications are designed, developed, and operated, it also brings new security requirements and risks. Containerization becomes a main entry point for risk in the cloud native environment, microservices cause the number of interfaces between components to grow rapidly, and serverless and service mesh bring great flexibility but also significant challenges for security management.

Because cloud native environments are dynamic, containerized, and microservices-based, traditional perimeter security strategies no longer fully apply. Zero trust security [2,3] is a security strategy that differs from perimeter security: it trusts no activity on the network by default, verifies every access request, and monitors it continuously. This more granular and flexible policy is better suited to the complexity and scalability of cloud native environments.

This survey first introduces the security-critical areas and risks in cloud native. Then we summarize common security strategies in cloud native architecture. Finally, we introduce the zero trust model and its application to cloud native architecture.

Security risks in cloud native

In this section, we briefly summarize the common security risks in cloud native. These risks differ from those of traditional software architecture, and each of the building blocks above introduces new risks to a cloud-native architecture [4,5]. The main risks in the cloud native environment are the following:

Container image risks:

Container runtime risks:

Microservices risks:

Service mesh risks:

Cloud infrastructure risks:

Security strategies in cloud native

In this section, we introduce security strategies for dealing with the risks above. These strategies can effectively improve the security of a cloud native architecture. The strategies are the following:

Container security strategies:

Microservice security strategies:

Service mesh security strategies:

Cloud infrastructure security strategies:

Zero trust

Zero trust [2,3] is an evolving set of cybersecurity paradigms that moves defenses from static, network-based perimeters to a focus on users and resources. It grants no implicit trust to user accounts or endpoints based solely on their physical or network location or on who owns them. Instead, it relies on a set of security primitives that require continuous verification and authorization, following the principle “never trust, always verify”: every attempt to access a resource, regardless of where it comes from, must be authenticated and authorized on the basis of identity and context. This model is particularly suited to the dynamic and distributed nature of cloud-native architectures, which require fine-grained and flexible security.

Zero trust rests on the following principles:

Identity verification: Verifying identity is the fundamental prerequisite of a zero trust model. It ensures that every user, device, or application has a verified identity and is granted access to resources solely on that basis.

Least privilege access: This principle guarantees that entities are granted only the minimal level of access necessary to perform their function, thereby reducing opportunities for access privileges to be abused.

Micro segmentation: Segmentation divides a network into distinct, isolated segments to prevent malicious programs from propagating between them. If attackers compromise one segment, they cannot move laterally into the others.

Continuous monitoring: Rather than relying on traditional periodic audits of users, networks, and systems, zero trust monitors user activity and system health continuously. This dynamic assessment enables timely detection of anomalies before they escalate.

Device access control: Zero trust not only controls user access but also enforces strict device access controls. It monitors access attempts from each device, checks that the device is authorized, and assesses its security state so that compromised devices cannot gain access, which reduces the attack surface of the network.

Zero trust for cloud native

In this section, we introduce some best practices for the zero trust model in cloud native architecture. These practices are a good way to implement the principles of the previous section. By combining them with the security strategies for cloud native architecture described above, we can secure a cloud native architecture to the greatest extent possible.

Define policies and principles: Develop and obtain comprehensive support for a zero trust security policy, enforce the principle of least privilege, and precisely control access permissions.

Identification of sensitive data and assets: Identify the locations of critical data and assets, and clarify the resources that need to interact with users and devices.

Micro segmentation of networks: Divide the network into segments to reduce the impact scope of potential threats, and customize access policies for each segment.

Strengthen multi-factor authentication: Enforce stricter identity verification to make attacks more difficult.

Dynamic access control: Adjust access permissions in real time based on user behavior, device status, and other contextual information.

Monitoring and logging: Continuously monitor abnormal behaviors and maintain complete log records for subsequent analysis and auditing.

Continuous verification and optimization: Regularly update access control and security settings, and continuously conduct security training and awareness-raising activities.
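The principles listed under “Zero trust” above, together with the micro segmentation, dynamic access control, and monitoring steps in this section, can be made concrete as a small policy decision point for service-to-service calls inside a mesh. The following is an added example written for this page, not code from any of the cited references or from a real service mesh; the trust domain spiffe://example.org, the namespaces, the route allow-lists, the posture fields, and the quarantine threshold are constructed assumptions. Each request carries the SPIFFE identity taken from a verified mTLS peer certificate (or none), and the evaluator applies identity verification, segmentation, workload posture, least privilege, and continuous monitoring in turn, logging every decision and quarantining an identity after repeated denials.

```python
from collections import defaultdict, deque, namedtuple
from dataclasses import dataclass
from typing import Optional

TRUST_DOMAIN = "spiffe://example.org"  # assumed mesh trust domain
DENIAL_THRESHOLD, WINDOW_SECONDS = 3, 60.0  # denials inside the window before an identity is quarantined

# Micro-segmentation: target namespace -> caller namespaces allowed to reach it (anything else is denied).
SEGMENT_ALLOW = {"payments": {"checkout"}, "inventory": {"checkout", "payments"}}

# Least privilege: caller identity -> target service -> allowed (method, path); a path ending in "/" is a prefix rule.
ROUTE_ALLOW = {
    f"{TRUST_DOMAIN}/ns/checkout/sa/web": {"payments/api": {("POST", "/v1/charge"), ("GET", "/v1/charge/")}},
    f"{TRUST_DOMAIN}/ns/payments/sa/api": {"inventory/api": {("GET", "/v1/stock/")}},
}
Decision = namedtuple("Decision", "allowed reason")

@dataclass(frozen=True)
class Request:
    identity: Optional[str]  # SPIFFE ID from the verified peer certificate; None if the call had no mTLS
    target: str              # "<namespace>/<service>"
    method: str
    path: str
    image_signed: bool       # workload posture: image signature was verified at admission
    privileged: bool         # workload posture: the container runs privileged
    ts: float                # request time in seconds, passed in so the scenario is deterministic

def namespace_of(identity: str) -> Optional[str]:
    # Derive the caller namespace from its verified SPIFFE ID, never from a header the caller sends.
    if not identity.startswith(TRUST_DOMAIN + "/"):
        return None
    parts = identity[len(TRUST_DOMAIN) + 1:].split("/")
    return parts[1] if len(parts) == 4 and parts[0] == "ns" and parts[2] == "sa" else None

def route_permitted(rules, method: str, path: str) -> bool:
    return any(m == method and (path == p or (p.endswith("/") and path.startswith(p))) for m, p in rules)

class PolicyDecisionPoint:
    def __init__(self) -> None:
        self.audit_log = []
        self.quarantined = set()
        self._denials = defaultdict(deque)  # identity -> timestamps of recent denials

    def decide(self, req: Request) -> Decision:
        decision = self._evaluate(req)
        self._monitor(req, decision)
        return decision

    def _evaluate(self, req: Request) -> Decision:
        # 1. Identity verification: no implicit trust without an authenticated identity in our trust domain.
        caller_ns = namespace_of(req.identity) if req.identity else None
        if caller_ns is None:
            return Decision(False, "no verified workload identity in trust domain (mTLS required)")
        # 2. Dynamic access control: an identity flagged by monitoring loses access until reviewed.
        if req.identity in self.quarantined:
            return Decision(False, "identity quarantined after repeated denials")
        # 3. Micro-segmentation: reachability between namespaces is default deny.
        target_ns = req.target.partition("/")[0]
        if caller_ns not in SEGMENT_ALLOW.get(target_ns, set()):
            return Decision(False, f"segment {caller_ns} may not reach {target_ns}")
        # 4. Device/workload access control: posture is re-checked on every request, not once at enrolment.
        if not req.image_signed or req.privileged:
            return Decision(False, "workload posture check failed")
        # 5. Least privilege: only routes explicitly granted to this identity on this target are permitted.
        rules = ROUTE_ALLOW.get(req.identity, {}).get(req.target, set())
        if not route_permitted(rules, req.method, req.path):
            return Decision(False, f"{req.method} {req.path} not permitted for identity")
        return Decision(True, "allowed")

    def _monitor(self, req: Request, decision: Decision) -> None:
        # Continuous monitoring: log every decision; DENIAL_THRESHOLD denials in the sliding window quarantine the identity.
        self.audit_log.append((req.ts, req.identity, req.target, req.method, req.path, decision))
        if decision.allowed or req.identity is None:
            return
        recent = self._denials[req.identity]
        recent.append(req.ts)
        while recent and req.ts - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= DENIAL_THRESHOLD:
            self.quarantined.add(req.identity)

def demo():
    # Constructed scenario; returns the (allowed, reason) outcome of each request in order.
    pdp = PolicyDecisionPoint()
    web = f"{TRUST_DOMAIN}/ns/checkout/sa/web"
    api = f"{TRUST_DOMAIN}/ns/payments/sa/api"
    requests = [
        Request(web, "payments/api", "POST", "/v1/charge", True, False, 0.0),        # allowed
        Request(web, "payments/api", "GET", "/v1/charge/ch_123", True, False, 1.0),  # allowed by the prefix rule
        Request(None, "payments/api", "POST", "/v1/charge", True, False, 2.0),       # no mTLS identity
        Request("spiffe://evil.example/ns/checkout/sa/web", "payments/api", "POST", "/v1/charge", True, False, 3.0),
        Request(api, "inventory/api", "GET", "/v1/stock/sku-1", True, False, 4.0),   # allowed across namespaces
        Request(web, "inventory/api", "GET", "/v1/stock/sku-1", True, False, 5.0),   # segment ok, route not granted
        Request(web, "payments/api", "POST", "/v1/charge", True, True, 6.0),         # privileged container
        Request(web, "payments/api", "DELETE", "/v1/charge", True, False, 7.0),      # third denial for web: quarantined
        Request(web, "payments/api", "POST", "/v1/charge", True, False, 8.0),        # same as the first call, now denied
    ]
    return [tuple(pdp.decide(r)) for r in requests]
```

Calling demo() runs nine constructed requests: the first, second, and fifth are allowed, the rest are denied with a reason, and the final request, identical to the first, is refused because the monitoring step quarantined the identity after three denials inside the window. The caller's namespace is derived from its verified identity rather than from a header it supplies, so a workload cannot move itself into a different segment by lying about where it runs; the same evaluator could be placed behind a mesh's external authorization hook, which is the assumption this example makes about deployment.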

Conclusion

In this paper, we survey network security and the zero trust model in cloud native architecture, covering the critical areas and risks of cloud native architecture, the security strategies that address them, and the zero trust model applied to cloud native architecture. This should give readers a new understanding of the security risks in cloud native architecture and guide them in securing it.

References

1. Gannon, D., Barga, R., and Sundaresan, N. “Cloud-Native Applications.” IEEE Cloud Computing 4.5 (2017): 16-21.

2. Rose, S., Borchert, O., Mitchell, S., and Connelly, S. “Zero Trust Architecture.” NIST Special Publication 800-207. National Institute of Standards and Technology, 2020.

3. Chandramouli, R., and Butcher, Z. “A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Cloud Environments.” NIST Special Publication 800-207A. National Institute of Standards and Technology, 2023.

4. Theodoropoulos, T., et al. “Security in Cloud-Native Services: A Survey.” Journal of Cybersecurity and Privacy 3.4 (2023): 758-793.

5. Basu, S., et al. “Cloud Computing Security Challenges & Solutions: A Survey.” 2018 IEEE 8th Annual Computing and Communication Workshop and Conference (CCWC). IEEE, 2018.