CNCF Cloud Native Security Whitepaper

Jayanta Debnath
2 min readNov 19, 2020

The Cloud Native Security Whitepaper has been released as part of the #kubecon2020.

The CNCF definition of Cloud Native is captured here.

The entire Cloud Native Landscape is also published here.

A high level screengrab from the landscape is as below :

Ref : CNCF Cloud Native Landscape

Key Takeaways are :

  1. Cloud Native Goals which should be Top Priority for Digital Transformation.
  • Vulnerability Management
  • Zero Trust
  • Cloud Security
  • DevSecOps

2. Security Benchmarks

3. Integrated Developer Experience with Security as a First Class Citizen

4. Protection from unauthorized access (person and non-person entities) — Ephemerality reduces the asset exposure to unauthorized entities by constantly rebasing from a last known working configuration.

5. Immutability to preserve the integrity of content and code.

6. Distributed availability of services and tooling to avoid single point of failure (SPF).

7. Auditing and Accountability — Cover for governance and keep track of unauthorised changes and thereby prevent irregularities.

8. SIG Use Cases :

9. Threat Intelligence using the MITRE ATT&CK framework for Cloud.

10. Leverage mutual / two-way transport (bi-directional) authN between Client to Server for all workloads and use both Attribute-Based Access Control (ABAC) and Role-Based Access Control(RBAC) to provide granular authorization.

11. Eliminate Implicit Trust — Leverage Service Mesh(SM) to help with implicit trust and data in motion encryption. SM also helps with dealing with identity issues where traditional Layer and 4 Ip addresses cannot map to workloads cleanly. Resiliency patterns are baked right into the SM for example Exponential Backoff and Retries, Timeouts and Circuit Breaker etc. Streaming platforms can also leverage SM to use workload level AuthZ to set access ruled for topics and brokers.

Runtime Environment (logical view)

Ref : CNCF Security Whitepaper

If you are interested to follow the Security Special Interest Group the links are as below :

Github :