
Custom Cloud Native Stacks: Worth the Tradeoffs?

Building your own cloud native environment is overwhelming and involves many resource tradeoffs, especially with security.
Aug 8th, 2024 9:30am
Featured image by HI! ESTUDIO on Unsplash.

Securing cloud native environments can be overwhelming in any situation. But that’s especially true if you’re building your own stack from the big buffet line of the CNCF’s Cloud Native Landscape.

First, you need to fit all your chosen projects together, making sure you find and follow all the security to-do’s. Next you have to customize them to behave however you need — after all, that’s why you built a custom stack, right? Then as each project is updated or you discover useful new features, you have to tinker with your platform a bit — but this means you need to run through all those checklists again. All while also making sure each project is on a version that is verified to work with all the other projects you’ve selected from across the CNCF‘s buffet!

Hopefully we didn’t trigger anyone with that scenario. It’s just that the cloud native security landscape is complicated, and security teams are having a hard time keeping up.

Taking a continuous and integrated security approach can help make this less daunting. As Jürgen Sußner, enterprise architect at DATEV and a Tanzu Vanguard, explained:

“Cloud native security is totally different from traditional enterprise security. Traditionally, security has been a gate someone has to go through on their way to production. Applying this to cloud native would disrupt the continuous delivery and improvement process. Therefore, security has to be part of the pipeline — not just shifted left, but shifted everywhere. Meanwhile, platform engineers need overall visibility of the whole application landscape to see who is affected by what and how to fix it or if it was fixed. That’s why cloud native application protection platforms are gaining importance.”

Weighing the Tradeoffs With Custom Stacks

Assembling your own stack involves major tradeoffs though, as you have to take on and manage more security risk. Both of those things — DIYing your stack and your security — require investing time, money or both! So what is worth your precious resources?

Kubernetes security is particularly intense and encompassing, as our friend and CNCF Ambassador Whitney Lee demonstrated in her 2023 KubeCon+CloudNativeCon talk. It’s little wonder that it’s so complex: Kubernetes’ scope is huge, so you must standardize not only the infrastructure layer but also how applications are architected, run and managed. There are so many seams, connections and surfaces to secure in Kubernetes that it all turns into a web of red strings, much like a crime map you’d see on your favorite procedural drama.

This isn’t meant to be FUD; it’s just how it is when you build a custom stack. But it does mean that you need to plan for and prioritize security and governance in your platforms across every component within a custom stack. According to the 2024 State of Cloud Native Platforms survey results, people using cloud native platforms get it. This is the fifth year we’ve done this survey (formerly known as the “State of Kubernetes”), and it feels like the best one yet.

Putting Your Money Where Your Priority Is

When it comes to priorities, what people spend money on is one of the best ways to see what actually matters to them. In our decades of working in the tech industry, security is almost always a top 3 investment priority.

Our new research shows the same thing: When we asked survey respondents, “In your opinion, which of the following types of tools or capabilities are worth investing in paid support or services?” security was at the top of the list.

Results from the State of Cloud Native Platforms survey show that security is the top spending priority, followed by platform monitoring and alerting, and patching and upgrade management

Security and compliance aren’t the only drivers to use an off-the-shelf (or “off-the-cloud”?) platform, but based on the spending habits above, we theorize it’s an important reason.

Managing Changing Regulations

Our survey’s focus this year was on large companies, with 66% of respondents coming from companies of 5,000 or more employees, and 35% with more than 20,000 employees. We also tracked the number of developers in each organization and their industry type. Those demographics are important because they represent organizations that function in highly regulated industries that need to keep up with changing guidelines and regulations.

By volume, these are typically the organizations with the most software, the most software that needs to be modernized and the most widely used software. This means that any software improvements those organizations make will have a huge impact on people’s daily lives. Think about renewing your driver’s license in an app, ordering your groceries online or just quickly transferring money to friends after a fancy dinner.

Finding an Easy Place To Start

When it comes to improving software, here’s one more finding from the survey: The number one use case respondents are focusing on is deploying and testing applications in the CI/CD pipeline. This is important since a shockingly low number of organizations have build and test automation in place. Automating your software pipeline not only speeds up release cycles, meaning you have more opportunities to try out new ideas to improve your apps, but it also gives you more controls for security and governance.

If you want to get a feel for how large organizations are using cloud native app platforms, check out the full survey. You’ll get a good sense of the priorities, the struggles and also the benefits people are getting with cloud native platforms. From what we’re seeing, people are focusing on the right things as they look up the stack and focus more on their platforms.
