Cloud-Native Architectures Accelerate Need for New Ways to Solve Security Challenges

Published August 17, 2020

In his recent article in Forbes, Richard Stiennon’s claim that There Is No Cloud Security Market Segment stirred some interesting discussions about the need to change the way we view cloud security. Indeed, cloud continues to be a driver for change. A significant majority (87%) of organizations operate applications in a multi-cloud model that includes an average of 2-6 different providers. This reality is forcing organizations to consider changes to everything from tools to team structures.

Along with expansion to the cloud, there is a shift in architectures and how applications are being built.

Our research indicates that every organization is in a state of change today. Whether driven by a desire to lead in a digital economy or accelerated by COVID, organizations are rapidly embarking on an application modernization journey as part of their digital transformation efforts. This change is evident in the composition of the enterprise app portfolio. Today, 15% already leverage modern application architectures. This is significant growth, given that microservices only gained traction as an architecture around 2014 and Kubernetes, the dominant mechanism by which such applications are delivered, deployed, and operated, was officially released in 2015. With less than five years to mature, these modern architectures are already consuming a significant amount of enterprise mindshare.

But, as the French writer Jean-Baptiste Alphonse Karr said in 1848, “plus ça change, plus c'est la même chose." English speakers will recognize this as the more familiar, "the more things change, the more they stay the same."

In the domain of security—and specifically the problems experienced by customers—this is particularly poignant and true yet today.

Here's where the old axiom about change enters the stage: Despite changes in architectures and location, security problems do not change. Customers still need to protect applications, ensure availability, and defend against DDoS attacks. Application security is a bigger challenge due to the expanding attack surfaces and vulnerabilities.

New architectures and locations, same security challenges.

Richard put it very aptly in his Forbes’ article, classifying customer security challenges this way:

"In other words a ‘cloud security’ vendor is really a general purpose security provider for modern computing infrastructures. They may enforce policies across micro-segments (network security) or harden the VMs or containers against attack (endpoint security) or encrypt data in motion or at rest (data security). They may enforce access to cloud applications based on identity (IAM). In other words, all of the cloud security providers can be put into network, endpoint, data, or IAM categories."

While challenges may be the same, the operational approaches and technology customers need to solve these security problems must change. The spread of applications and their users along with the scale of attacks necessitates a new approach to solving the same old security problems. One of the core tenets of this new paradigm is to shift from point security solutions with dependency for inline inspection to a broader holistic approach to security. In that sense, a general security provider cannot address or extend their capabilities to address the security challenges in the new world. For starters, the convenient choke points used by general security providers at well-defined perimeters are non-existent in the new world. Another model of delivery as a service (a.k.a. SASE) is possible for only a subset of security challenges, most of which can be addressed by the cloud/compute providers themselves!

At F5, we're committed to delivering a new approach and offering customers a better way to solve their security challenges, no matter the architecture or location of their applications. We believe that a new approach to security that aligns with the faster operational pace of modern application development is necessary. We've embarked on a path to a multi-purpose application analytics platform that, by its very nature, provides the foundation needed to develop services using new techniques that scale to meet the challenge of today's attacks.