Tigera’s first State of Cloud-Native Security Report states that the adoption of cloud-native applications is growing, creating new challenges regarding security, compliance, and observability. Moreover, 97% of companies stated that observability remains one of the biggest challenges for them. “The surprise was not the challenge itself; it was the scale of the challenge,” says Utpal Bhatt, CMO of Tigera, on this episode of TFiR Insights. “The fact that they’re not even able to see how these components are interacting, was the biggest surprise.”
Key highlights from this video interview are:
- Adopting a security cloud-native application architecture presents a lot of new challenges, some of which do not apply to traditional, monolithic architectures. Bhatt explains some of the challenges companies are facing and what proportion of the participants are experiencing these challenges.
- Although cloud adoption is growing, there is a need to redesign and leverage cloud-native architectures to take advantage of the scale and elasticity cloud offers. Bhatt discusses why some companies that adopt cloud-native applications have yet to reap their benefits.
- Although there is a lot of awareness of the types of security controls we need to establish and at which stages, there are some gray areas. Bhatt explains that companies are still experiencing difficulties and are more vulnerable. Bhatt discusses how they can solve these problems.
- Bhatt explains the misconception that companies can rely on cloud platform vendors to secure their workloads and give them the level of observability they need to ensure they are not exposed. He explains why this is not the case.
- Bhatt discusses some of the security risks with cloud-native architectures and how Tigera is helping solve these risks.
The summary of the show is written by Emily Nicholls.
Here is the automated and unedited transcript of the recording. Please note that the transcript has not been edited or reviewed.
Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya and welcome to TFiR Insights. And today we have with us, once again, Utpal Bhatt, CMO of Tigera.
Utpal Bhatt: Very excited to be back on the show again, Swapnil.
Swapnil Bhartiya: Now, let’s talk about the state of Cloud Native Security Report. First of all, tell us a bit about this report. What is the goal of doing this report and how frequently do you folks do it?
Utpal Bhatt: Yeah, so this is our first edition of the report and this will be an annual report. We intend to publish this every year around the same time. And the objective of this report is to basically get feedback from the market, especially from the adopters of cloud security or cloud native applications. What are some of the challenges that they’re facing? And then we split the report, the questions into three areas. One is everything about cloud native applications. What is the reason for adopting cloud native architectures? What are some of the stated objectives that they hope to accomplish from these architectures? And what’s inhibiting them from achieving those objectives? So that was number one.
The second one was specifically zoning in on security. What are some of the security challenges that they are facing with the cloud native applications? And then the third part was about compliance. What are some compliance challenges that their organizations are facing? So the survey was sent out to over 300 respondents and we are super excited with the insights we were able to glean from that survey report.
Swapnil Bhartiya: What were the either more kind of, you were expecting that, “Hey, this is what is already the trend that you see in this space,” but then there were certain things that you were not expecting and that’s what the survey revealed. What were those things?
Utpal Bhatt: Yeah. I think there were quite a few surprises from the survey. We knew, and I think because we’ve been in this business for some time, we’ve been talking to a lot of customers and prospects. We knew that it’s not a slam dunk. In other words adopting a security cloud native application architecture does present a lot of, both the volume and the newness of the challenges. Because it’s a brand new architecture, some of these challenges, they don’t apply to traditional, monolithic architectures. And so we knew that there was always going to be security and compliance challenges. So what was very surprising is the scale of these challenges. And as you can see when it comes to the report, a significant number of people, and it was almost 70…
So in terms of people who are running into this, there are about 87% of companies, for example, stated that they have challenges with compliance requirements. The other surprise was the companies that stated the source of these challenges, right? So observability, 97% of the companies stated that in its observability, the fact that they’re not even able to see how these components are interacting. And rightly so, because a lot of these components live for a few minutes and then they disappear and they are all over in terms of clusters. So that not having that sort of visibility translates into like not being able to secure the application. And the number of organizations that also stated that 96% of their organizations said that security, compliance and visibility is the most challenging aspect of collaborative application. So for us, what was a surprise was not the challenge itself, but the scale of the challenge. And I think that was the biggest surprise.
Swapnil Bhartiya: Now, when you do look at these surprises, there are a couple of things. One is that, okay, these things are happening, but do you also see that there’s enough awareness plus people are moving in the right direction as well? Or do you see just like early days there will be still a time, it will take time for people to not only get aware of that and then try to fix it? What are you seeing, the silver lining?
Utpal Bhatt: On one hand, if you look at where the organizations are spending their efforts, whether it comes to new applications or modernization of existing applications, 75% of the companies said that they are adopting cloud native applications and cloud native application architectures. So in the last, at least up until, over the last 12 months, majority of the effort is going into that cloud native architecture approach. And, rightly so, because with the pandemic, we have seen a lot of organizations moving to the cloud and the progression to the cloud typically starts with just a simple lift and shift. And then all of a sudden, when they’re in the cloud, they realize that they’re not actually getting the benefits from the cloud because they are not leveraging cloud native architecture. And so the next phase is to actually redesign and start leveraging cloud native architectures so that they can take advantage of the scale and elasticity and the agility that the cloud offers. So that I think is on track what we are seeing.
Now, secondly, I think what we are seeing is that there’s certainly a lot of awareness in terms of what types of security controls they need to establish and at which stages. So there’s clearly awareness that, the build time stage, you need to have scanning and if you have that, then that’s going to help in a better runtime posture. So there is certainly that sort of awareness. There are a few areas that I feel like that there’s more awareness and then there are few gray areas, right? So everybody knows, I think the easy stuff, I think there’s more awareness. And I talked about scanning, it’s almost like your virus protection or malware protection, you just have to scan your images. And so I think everybody knows that that’s required.
Or where we see organizations still kind of scrambling or being a little bit more vulnerable is in the area of how do you, because the whole concept of the network disappears with cloud native applications, that how do you apply those same kind of principles where the perimeter was a great line of defense for a lot of non-cloud native applications? And in the cloud native world, where there is no concept of a perimeter, how do you apply things like access controls? So the principles of zero trust. Or how do you apply intrusion detection and intrusion prevention techniques? And that’s where we see a lot of organizations struggling.
And that being said, I think now there is increasing amount of realization that the only way to solve it really is to apply those same types of controls at individual workload levels. You’ll never be able to create a perimeter due to the nature of the application components. And so the only real way to do it is to apply those controls at the workload level. And I think that is something that you can see from the report that organizations are definitely accepting that as the best way to secure cloud native applications.
Swapnil Bhartiya: Is there also some kind of misconception because as more and more people move to the cloud, they do feel that cloud will solve all of their problems. But the reality is that, it does, as you say, it offers elasticity, it does offer a scale, but it doesn’t solve a lot of other problems. That is securing your workload application or other things. So what did you notice there, because that’s where players like Tigera come to help folks.
Utpal Bhatt: Yeah. Yeah. And that’s a great question. I think there is definitely a realization that, while cloud brings a lot of benefits, it also introduces a lot of complexity. And you cannot rely on the cloud platform vendors themselves, especially to secure your workloads and to give you the level of observability that you need to ensure that you’re not exposed and so on. So I think there’s certainly a realization that cloud just introduces a new set of challenges. And I think most importantly, I think organizations are realizing that the scale of challenges that the cloud introduces is much bigger than what they could control in their own private environment. Because once again, the private environments had the benefit of a perimeter. And so even though you had, let’s say, Log4j example, you had vulnerabilities in your code that came because of your usage of Log4j, the perimeter for the most part would block any sort of incoming attack. And so you had almost like that shield that protected you.
With cloud and especially cloud native architectures, because the perimeter has collapsed, individual services are communicating outside the network. Individual services are dependent on a slew of other services. So there’s a lot of internal intra cluster traffic, which means it’s much easier, number one, for someone to enter your cluster, for an attacker, and number two, once the attacker is there, it’s very easy for them to move laterally because the communication is always happening intra cluster over the network.
And so that’s why I think that is the biggest issue that cloud and cloud native architecture introduces. And I think that frankly, the challenge really with this is that, organizations have to fundamentally rethink how they’re going to secure it, because just if your approach is, hey, I’m just going to identify as many issues as I can using the best tools and the most updated databases of threats, you’re not really solving the problem. What you’re going to find is you’re actually identifying a lot of issues. But if you look at your teams, your teams are not going to grow that fast, and you’ll never be able to remediate those issues that you’re finding, right?
So you’ll have to recreate that environment that was helping you in your on-prem world, which is reducing the threat surface, right? How do I reduce my attack surface? How do I reduce the ways I can be attacked? And so adopting that is the first thing that organizations will have to do and do that in the cloud native world, which is where, I think bringing the principles of zero trust to your workloads is going to be critical.
And so that is a shift in architecture and that same shift will also help them respond better in case they find themselves exposed, because they can immediately shut down communication from a particular service or a workload that can quarantine that workload. And only when they’ll have that level of control over how their applications can communicate either outside or within the cluster, is when they’ll be able to recreate that same level of security that they’ve been used to, for their on-prem world.
Swapnil Bhartiya: Utpal, thank you once again for taking your time out and of course, talk about CNI availability and also findings of this report. And I would love to have you back on the show, as usual. Thank you.
Utpal Bhatt: Thanks for having me on the show, Swapnil. Always a pleasure to talk to you.