James Watters, CTO for Modern Apps at VMware, gave a compelling talk at Cloud Native Security Day on what he called “modern least privilege.” The basic concept is to apply the principle of least privilege across the DevSecOps lifecycle to properly secure modern apps. By Kit Colbert @VMware, Cloud CTO.
Modern apps are more complicated than traditional apps – they have greater scale, change faster, are more distributed (i.e., no traditional security perimeter). While it may seem like this would make it more difficult to secure them, many of the innovations in the cloud native development space, when properly leveraged, can make many aspects of security easier by automating them and making them the default/easy option.
There are several principles of cloud native architecture that underpin the 3 Rs (Repair, Repave, Rotate):
- Immutability
- Ephemerality
- Ephemeral identity
- Event-driven vulnerability management
- DevX as control (Shift left + DevX)
Delivering a great developer experience means allowing the developer to focus on their business logic. Developers should be thinking about security, but ideally the DevSecOps platform just handles most of it for them. I.e. the security controls, as much as possible, are just built in.
We have an exciting opportunity to dramatically improve security in our enterprise applications by embracing these principles of modern least privilege. Good read!
[Read More]