Cloud-native operations can be better protected by open-source technologies, which pool the work of a large, shared developer community.
Implementing the best security across a cloud-native environment may start with handing off a lot of the nuts and bolts to third parties, in the form of foundations and collaborative teams which come together to ensure that open source software is secure and frequently updated.
Organizations are still responsible for their own side of the shared-responsibility line, but cloud-native tools are becoming more sophisticated, with layers of authentication, segmentation, compliance controls, and standards being added to popular open-source projects.
The Cloud Native Computing Foundation (CNCF) is the largest of these groups, responsible for the continued development of Kubernetes, Jaeger, and Prometheus, amongst others. It has 175,000 contributors, many of whom have day jobs at leading-edge technology firms such as Google, IBM, Microsoft, and VMware.
With this diverse cast of contributors, it makes sense to take a more hands-off approach to some aspects of security. However, it is also important to follow the guidance these organizations publish on implementing security controls, many of which are not enabled by default, alongside patching software regularly and conducting regular assessments to ensure there are no internal security gaps.
“Diverse innovation sits at the heart of open source development, providing a platform for developers to both experiment and improve upon existing code as well as contribute to a growing body of knowledge,” said Alan Clark, industry standards and new initiatives lead at SUSE. “Cloud-native computing needs this innovation to harness new, better ways of building and deploying applications in the cloud. Given how applications are frequently deployed across multiple environments in cloud-native computing, open source’s promotion of interoperability is crucial.”
Open-source tools, especially those like Kubernetes that are used by a large number of companies, are expected to be supported for quite some time. That said, the CNCF and other open-source organizations are finding it harder to transition long-time contributors away from projects and to bring newer contributors into graduated projects. The issue is twofold: some graduated projects are so complex that it is difficult for someone who hasn't been involved since the beginning to understand their scope, and others are simply used less often by newer developers.
This is why it is imperative for organizations using open-source tools to regularly check how long it has been since the latest patch, and whether the developer community is still active. If activity is dropping or there are signs of decay, it may be time to look at other options. Fortunately, the CNCF and other foundations typically greenlight more than one project of the same type, so if one starts to drift into dormancy there should be another open-source alternative available.
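One way to turn that check into something repeatable, as an added example that is not code from the original article or from the CNCF: score a dependency on the two signals the article names, time since the last release and whether the contributor base is still active. The commit and release records are constructed sample data shaped like the JSON GitHub's REST API returns for a repository's commits and releases (only the fields used here are included); the thresholds and the 90-day window are assumptions for illustration, not foundation guidance.

```python
"""Dependency health check: days since the last release, and is the
community still active?  Added example; thresholds are assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds assumed for illustration; tune them to your own risk appetite.
MAX_RELEASE_AGE_DAYS = 180    # longer without a release: patches are not flowing
MIN_COMMITS_90D = 10
MIN_ACTIVE_AUTHORS_90D = 3    # fewer: one departure could stall the project
MAX_TOP_AUTHOR_SHARE = 0.75   # one person doing most of the work is a bus-factor warning


@dataclass
class Health:
    days_since_release: Optional[int]   # None when the project has no tagged releases
    commits_last_90d: int
    active_authors_90d: int
    top_author_share: float
    flags: list
    verdict: str                        # "healthy", "at-risk" or "dormant"


def _parse(ts: str) -> datetime:
    """GitHub timestamps look like 2024-05-02T13:37:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def assess(commits: list, releases: list, now: datetime) -> Health:
    """Score a repository from its commit and release history."""
    window_start = now - timedelta(days=90)
    recent = [c for c in commits if _parse(c["commit"]["author"]["date"]) >= window_start]
    by_author = Counter(c["commit"]["author"]["email"] for c in recent)
    top_share = max(by_author.values()) / len(recent) if recent else 0.0
    release_age = (now - max(_parse(r["published_at"]) for r in releases)).days if releases else None

    flags = []
    if release_age is None:
        flags.append("no tagged releases")
    elif release_age > MAX_RELEASE_AGE_DAYS:
        flags.append(f"last release {release_age} days ago")
    if len(recent) < MIN_COMMITS_90D:
        flags.append(f"only {len(recent)} commits in the last 90 days")
    if len(by_author) < MIN_ACTIVE_AUTHORS_90D:
        flags.append(f"only {len(by_author)} active authors in the last 90 days")
    if top_share > MAX_TOP_AUTHOR_SHARE:
        flags.append(f"one author made {top_share:.0%} of recent commits")

    stale_release = release_age is None or release_age > MAX_RELEASE_AGE_DAYS
    if not flags:
        verdict = "healthy"
    elif stale_release and len(recent) < MIN_COMMITS_90D:
        verdict = "dormant"        # nobody is shipping and nobody is committing
    else:
        verdict = "at-risk"        # alive, but worth watching or asking questions about
    return Health(release_age, len(recent), len(by_author), top_share, flags, verdict)


# Constructed sample data with a fixed clock so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _iso(days_ago: int) -> str:
    return (NOW - timedelta(days=days_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")


def _commit(days_ago: int, email: str) -> dict:
    return {"commit": {"author": {"email": email, "date": _iso(days_ago)}}}


# A project with several active maintainers and a recent release.
ACTIVE_COMMITS = [_commit(d, e) for d, e in [
    (2, "ana@x"), (5, "bo@x"), (9, "ana@x"), (14, "cy@x"), (20, "di@x"), (25, "ana@x"),
    (33, "bo@x"), (41, "cy@x"), (50, "ana@x"), (62, "bo@x"), (77, "di@x"), (85, "ana@x"),
    (120, "ana@x")]]
ACTIVE_RELEASES = [{"tag_name": "v1.4.0", "published_at": _iso(30)},
                   {"tag_name": "v1.3.0", "published_at": _iso(120)}]

# A project where one person makes occasional commits and nothing has shipped in over a year.
DECAYING_COMMITS = [_commit(d, e) for d, e in [
    (10, "solo@x"), (45, "solo@x"), (80, "solo@x"), (150, "solo@x"), (200, "gone@x")]]
DECAYING_RELEASES = [{"tag_name": "v0.9.2", "published_at": _iso(400)}]

if __name__ == "__main__":
    for name, c, r in [("active", ACTIVE_COMMITS, ACTIVE_RELEASES),
                       ("decaying", DECAYING_COMMITS, DECAYING_RELEASES)]:
        h = assess(c, r, NOW)
        print(f"{name}: {h.verdict} {h.flags}")
```

In practice the two lists would be fetched from the repository host rather than constructed, and the check would run as a scheduled job over every third-party component in the cluster's bill of materials; a "dormant" verdict is the cue the article describes for looking at the alternative project the foundation has also backed.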