Today’s enterprises have more compute options than ever before across the cloud native continuum. This continuum, spanning VMs, containers, managed Kubernetes, PaaS and serverless, provides users trade-offs and advantages when it comes to building and running their modern workloads and applications. Recently, Enterprise Strategy Group conducted a survey titled “Leveraging DevSecOps to Secure Cloud Native Applications.” This research, covers the latest adoption numbers, trends and security concerns across all of the categories in the cloud native continuum—with insights into how organizations are successfully building and securing these technologies. Join ESG, Senior Analyst and Group Practice Director Doug Cahill and Palo Alto Networks VP of Product John Morello to unpack the latest survey findings and discuss how security plays a vital role in securing cloud native applications.

1. Security Across the Cloud
Native Continuum
with ESG and Palo Alto Networks

2. Today’s Speakers
Doug Cahill
Practice Director and
Senior Analyst,
Enterprise Strategy
Group
John Morello
VP, Product,
Twistlock,
Palo Alto Networks

3. © 2019 by The Enterprise Strategy Group, Inc.
Cloud-native (adj.) - applications built on an
elastic, microservices-based architecture and
managed via agile DevOps processes.
… but not necessarily deployed in and
delivered from a public cloud

4. © 2019 by The Enterprise Strategy Group, Inc.
Portability Makes Containers Location Agnostic

5. © 2019 by The Enterprise Strategy Group, Inc.
The Composition
of Cloud-native
Applications

6. © 2019 by The Enterprise Strategy Group, Inc.
Containers Have Moved from Dev and Test to Production
37%
of organizations running
containers in production
report being ahead or
significantly ahead of app
deployment schedules
76%
21%
3%
Yes, we currently use
containers for production
applications
We plan to use containers for
productionapplications in
the next 12 months
(dev/test/staging only)
No, but we are interested in
containers

7. © 2019 by The Enterprise Strategy Group, Inc.
Serverless
functions are
quickly being
adopted
Yes, we use
serverless
extensively,
35%
Yes, we use
serverless on
limited basis,
18%
We plan to
start using
serverless in
the next 12-24
months, 16%
We are
evaluating
serverless,
28%
We have no
plans to use
serverless, 3%
Don’t
know, 1%

8. © 2019 by The Enterprise Strategy Group, Inc.
Production Server Workloads are, and will be, a Heterogenous Mix
Serverless, 15% Serverless, 20%
Containers, 23%
Containers, 26%
Virtual machines,
34%
Virtual machines,
30%
Bare metal servers,
28%
Bare metal servers,
23%
Percent of production workloads runon each
server type today:
Percent of production workloads runon each
server type in 24 months:
0%
20%
40%
60%
80%
100%

9. © 2019 by The Enterprise Strategy Group, Inc.
Challenges Securing
Cloud Native Applications

10. © 2019 by The Enterprise Strategy Group, Inc.
26%
30%
33%
33%
35%
35%
43%
We have not experienced any challenges
Our existing security tools do not support cloud native
environments
Meeting prescribed best practices for the configuration of cloud-
resident workloads and the use of cloud APIs
Lack of visibility into the activity of the infrastructure hosting our
cloud-native applications
Our application development and DevOps teams do not involve our
cybersecurity team due to fear of being slowed down
Lack of understanding of the threat types, and attack vectors and
methods specific to our cloud-native applications
Use of multiple cybersecurity controls increases cost and
complexity
Maintaining security consistency across our own data center and
public cloud environments where our cloud-native applications…
TOP CHALLENGES
The People, Process, and Technology Concerns of Securing Cloud-native Apps

11. © 2019 by The Enterprise Strategy Group, Inc.
Less Control,
More Concern
The elements of
cloud-native
Apps of most
concern
Serverless
cloud
functions, 29%
Cloud service
provider, 23%
Application
code, 15%
Application
containers,
15%
Orchestration
platform, 9%
Docker host
layer, 6%
Other, 1%
Don’t know,
2%

12. © 2019 by The Enterprise Strategy Group, Inc.
22%
26%
26%
26%
27%
28%
29%
32%
32%
An infectedcontainer cancross-contaminate other containers
Automating the integrationof container security controls via
ourcontainer orchestration platform
Portability makes containers more susceptible to “in motion”
compromises
There is a lack of mature cybersecuritysolutions forcontainers
The speed atwhichcontainers are built and deployed results in
security controls not being included fromthe outset
The potentialfor container sprawl couldresult in poorly
managedcontainers leaving our production environment(s)
vulnerable
Our current server workload security solutiondoes notsupport
or offerthesame functionality forcontainers, requiring that we
use a separate container security solution adding costand…
We needtoverify images storedina container registry meetour
security and compliance requirements tobe trusted for
production
Aligning the implementationarchitecture of a container
security controlwithour intended containerdeploymentmodel
Container
Security
In addition to
process and
technology,
alignment with
deployment plans
is a top security
concern

13. © 2019 by The Enterprise Strategy Group, Inc.
Top-of-Mind
Attack
Types Run
the Gamut
43%
43%
43%
44%
45%
46%
48%
49%
49%
54%
40%
46%
47%
45%
47%
43%
44%
40%
42%
38%
17%
12%
11%
11%
8%
12%
8%
10%
9%
9%
The misuse of a privileged account by…
Ransomware
Mis-configured cloud services,…
“Zero day” exploits that take…
Attacks that results in the loss of data…
The misuse of a privileged accounts,…
Malware
Exploits that take advantage of known…
Targeted penetration attacks
Exploits that take advantage of known…
0% 20% 40% 60% 80% 100%
Veryconcerned Somewhat concerned Not concerned

14. © 2019 by The Enterprise Strategy Group, Inc.
Where’s the
network tap?!

15. © 2019 by The Enterprise Strategy Group, Inc.
Defining the cloud security visibility gap
Workload configs, privileged user activity, system
activity, and more

16. © 2019 by The Enterprise Strategy Group, Inc.
Implementing a Secure
DevOps (“DevSecOps”)
Program

17. © 2019 by The Enterprise Strategy Group, Inc.
Agile and DevOps Adoption are in Lock Step
Yes, we
employ agile
extensively,
31%
Yes, we
employ agile
in a limited
fashion, 21%
We plan to
employ agile
in the next 12-
24 months,
16%
We are
interested in
agile, 28%
We do not
employ agile
and have no
plans to do so,
3%
Don’t know,
1%
Yes, we
employ
DevOps
extensively,
34%
Yes, we employ
DevOps in a
limited fashion,…
We plan to
employ
DevOps in the
next 12-24
months, 16%
We are
interested in
DevOps, 25%
We do not
employ
DevOps and
have no…
Don’t know,
1%
AGILE
ADOPTION
DEVOPS
ADOPTION
17

18. © 2019 by The Enterprise Strategy Group, Inc.
We have incorporated
security into our DevOps
processes extensively, 36%
We have incorporated
security into our
DevOps processes in a
limited fashion, 19%
We plan to incorporate
security into our DevOps
processes, 22%
We are evaluating
security use cases
that can be
incorporated into
our DevOps
processes, 20%
We have not yet
discussed how
security fits with
our DevOps
processes, 2%
Growing Adoption
of DevSecOps
Need for specificity of
uses and repeatability
via security-as-code
18

19. © 2019 by The Enterprise Strategy Group, Inc.
Pre-Deployment DevSecOps Use Cases
19

20. © 2019 by The Enterprise Strategy Group, Inc.
Top Runtime DevSecOps Use Cases
20

21. © 2019 by The Enterprise Strategy Group, Inc.
Sample Secure DevOps Use Cases
Agile User Stories by Environment
DEV - SDLC integrated AppSec
• Composition analysis
• Static code analysis
TEST - Reduce attack surface at build-time
• Eliminate known vulnerabilities
• Harden configurations of workloads and services
PROD - Policy-based runtime controls
• Least privilege, anti-threat, anomaly detection, auditing
• Policy by tag, and thus templates, for consistency
21

22. © 2019 by The Enterprise Strategy Group, Inc.
More Apps Will be Secured via DevSecOps Over Time
7%
27% 26%
34%
8%1% 7%
24%
33%
35%
1%
Less than 10% of
apps
10% to 25%of
apps
26% to 50%of
apps
51% to 75%of
apps
More than 75% Don’t know
Percent of production cloud-native applications secured via DevSecOps today (N=200)
Percent of production cloud-native applications secured via DevSecOps 24 months from now (N=352)
22

23. © 2019 by The Enterprise Strategy Group, Inc.Copyright 2018 Trend Micro Inc.23
Securing cloud-
native apps is a team
sport.

24. Security Across the
Cloud Native
Continuum

25. Software is eating the world
Every org is becoming a software org
Software orgs need modern tools
DevOps, containers, and cloud native are those tools
The world is dangerous
‘Democratization’ of sophisticated attacks
Security teams and SOCs overloaded
Your own software is the softest target

26. Think about your cloud native infrastructure… it’s
abstraction on top of abstraction, especially from a
networking standpoint
Everything is ephemeral and everything is constantly
changing — many more entities to secure
Security is largely in the hands of the developer
Security needs to be as portable as the applications
Cloud Native Makes It Harder...

27. The nature of cloud native applications allows for
a new approach to security
Apply machine learning to understand actual
runtime behavior
Build models of what applications should do to
detect and prevent what they shouldn’t
…But Also Easier

28. Defining the Cloud Native Continuum
Isolation
Compatibility
Control
Density
Agility
Simplicity

29. Virtual Machines
• Greatest levels of isolation, compatibility and
control
• Full control of the OS, full control of the
platform
• Can be operated in stateful or stateless
fashion
• Suitable (but not always optimized) for any
type of workload

30. Containers
• Increased agility, with decreased control
• User still responsible for underlying
infrastructure - but you lose the OS control of
VMs
• Can be complex due to broad configurability
• Control can be shared between Developers
and traditional operations

31. Containers-as-a-Service
• Less control than containers with roll-your-
own orchestration, but simpler to operate
• More platform lock-in vs. containers or VMs
• CaaS bundles runtime, management and
orchestration - along with small levels of host
control
• Developer led infrastructure

32. Serverless
• The simplest, most agile technology on the
continuum
• No control (or often visibility) into the
underlying host environment
• Devs just build - push functions to the
platform
• Optimized for on-demand, highly scalable
tasks

33. Enabling Better Defense
The nature of cloud native technologies
allows for a new approach to security
Machine learning and automation take
manual configuration out of the picture
Whitelist what applications should do to
detect and prevent what they shouldn’t
33

34. New World Security
Shift security left – modeling integrated
into CI/CD
Policy custom tailored for each
application, each build
Security that automatically scales with the
environment
34

35. In Conclusion
• The cloud-first lens: Broad adoption of cloud services has created a cloud
security readiness gap, imperative to retool
• The cloud-native lens: The rise of microservices is adding complexity
and heterogeneity
• The DevSecOps lens: A secure DevOps program starts with a cultural shift to
treating security a as team sport en route to a full lifecycle approach
• The security-as-code lens: Scaling across projects requires repeatability

36. Get Started
Take a test
drive
Prisma Cloud
30-day Free Trial
https://marketplace.paloaltonetworks.com/s/product-rdl

37. THANK YOU
paloaltonetworks.com
Twitter: @PaloAltoNtwks