Security Bsides Las Vegas 2024

Securing Your Cloud-Native DevOps: A Zero Trust Approach
2024-08-07, Florentine F

Cloud-native approaches such as microservices, serverless functions and containers have gained popularity in application development. While they offer significant benefits such as scalability and resiliency, they also create a more complex and distributed attack surface, leaving the DevOps environment exposed to threats such as supply chain attacks and lateral movement. Consequently, it is crucial for organizations to rethink their strategies for DevOps and pipeline security. This talk addresses cloud-native security challenges in DevOps through the lens of Zero Trust's core principles: verify explicitly, least privilege access and assume breach. Drawing insights from real-life attacks, we present the cloud-native DevOps threat landscape; the talk concludes with guidance for implementing Zero Trust security across the CI/CD pipeline and DevOps environment, highlighting key priorities and capabilities to consider when developing your DevOps security strategy.


Traditional application security often proves ineffective against the complexities of cloud-native development, largely because of its dynamic and distributed nature. Cloud-native development brings new security challenges, such as cloud misconfigurations that expose authentication credentials and secrets, or vulnerabilities in container images that allow malicious code to be injected. Implementing security controls also poses challenges: the ephemeral nature of containers makes security monitoring and logging more complex. Threat actors often target CI/CD pipelines because of their broad attack surface; one example is third-party integrated tooling, such as SAST and DAST scanners, which requires source code access or runtime access and therefore holds credentials that an attacker can abuse.

The Zero Trust model has been widely adopted as a strategic solution, relevant to organizations of all sizes and security maturity levels. Its key security controls, centered on network and identity access controls with continuous monitoring, aim to improve the overall security posture of the cloud environment. This proactive approach defends against threats originating upstream, such as in the supply chain, by verifying each interaction within the system rather than trusting it by default. By adopting Zero Trust security, organizations can establish a consistent security framework for DevOps in cloud-native environments.

This talk provides insights into the attack surface of the cloud-native DevOps environment, with real-life attack examples. It helps organizations understand the current threat landscape and raise their security awareness so they can better prioritize their defenses. The talk offers practical guidance, featuring security controls aligned with the core principles of Zero Trust, to address the complex attack vectors prevalent in cloud-native DevOps environments. The session concludes with guidance and tips for developing a security roadmap, including recommended techniques and tools (non-vendor specific) that attendees can leverage to improve the security posture of their DevOps environments and CI/CD pipelines.

The talk is structured into three parts:
The first part gives a rounded picture of the evolving threat landscape for DevOps and CI/CD pipelines. By referencing key trends in DevOps security threats, the cloud-native attack surface and real-life attack examples, it presents the amplified attack surface and vulnerabilities of DevOps in a cloud-native environment.
The talk then briefly introduces the core principles of the Zero Trust model ("verify explicitly, least privilege, and assume breach"), explores the benefits of extending this approach from safeguarding the cloud environment to DevOps security, and explains why it is the preferred strategy in many scenarios. This section also demonstrates how these principles can be translated into security requirements and controls in a DevOps context.
The final part takes a deep dive into implementing Zero Trust security within the cloud-native environment to enhance the security posture of DevOps. This section also highlights key priorities and security capabilities to consider when implementing a strategy that reinforces security measures at every stage of the DevOps workflow and CI/CD pipeline.

Emma is an Enterprise Security Architect at EPAM Systems, with expertise spanning cloud security, DevSecOps, and security strategy. In her current role, she designs and implements security solutions into cloud platforms and software development projects for her clients. Formerly at Microsoft, she delivered cybersecurity projects and technical workshops to diverse clientele, from emerging tech startups to established FTSE 100 firms. She is passionate about cloud security, Zero Trust, and AI/ML security. Alongside her professional work, Emma is dedicated to promoting a more diverse workforce in cybersecurity through mentorship and community programs. She is an ambassador of WiCyS UK&I, a member of the Industry Advisory Board for the Faculty of Computing, and a guest speaker at the University of Buckingham in the UK.