Glossary of Cloud-Native Technologies

Use this guide to better understand cloud-native services and their benefits.

A monolithic application is a logical executable that is built and deployed as a single entity. It includes all functionality, including UI, business logic, data-access code, etc.

Starting a new application as a small, single entity is easier to develop, deploy, and test.

Not modular. Hard to update, scale, update technology stack (update/modernise certain functions of the application).

DevOps is a method of application development that includes groups of engineers owning small components (vs. large swaths of an application) and emphasises automation.

  • Decreases the number of handoffs, lead time/queuing inefficiencies, coding errors, release time, and deployment risk.
  • Increases code quality and reliability.

Continuous integration/continuous deployment

  • Continuous integration – integrating/committing code changes into an application as often as possible and testing them in a variety of ways before delivery. DevOps tools can assist with merging code as conflicting changes can occur when many individuals are committing changes. Centralising the testing and code quality optimisation saves development time.
  • Continuous deployment – after CI has tested and validated the new changes made to an application, continuous deployment automatically pushes these changes through to test and production environments. This keeps developers focused on developing and accelerates the feedback loop with customers.

A microservices-based application is made up of independent components, each running an application process as a service. They are loosely coupled and communicate via APIs.

  • Loose coupling makes it easier to make changes and add services without impacting the entire codebase.

A microservice architecture is important – without it, one can leverage cloud-native technologies, like containers, but without realising many of the benefits of a microservice-based architecture.

Code repositories keep all the code, documentation, notes, and other resources that support a software development project.

Private repositories are accessible only to those within the organisation. Typically, custom or proprietary code is kept in a private repo to prevent the public or competitors from accessing this information.

Public repositories are accessible to the public and often feature collaboration/input from a wide range of people. The advantage is that you can save a lot of time on developing custom code – part of what you’re looking to create might already exist on a public repo.

Source code that anyone can view, alter, and improve. It represents over 80% of the codebase of modern applications.

Different from proprietary software, which only authors can view, alter, and improve. Anyone can use open source software, while a signed agreement is required to use proprietary software

To make sure the open source components (and their sub-components you may not know about) that are brought into an organisation’s codebase are free of vulnerabilities and other issues, software composition analysis tools are a common choice.

SCA – detects and tracks open source components in an organisation’s codebase and helps developers manage and update them. There are varying levels of automation across SDLC – choosing repos and updating repos, for example. It’s much easier and more efficient to identify issues in open source at the earliest possible stage of the SDLC, long before deploying to production.

  • While it’s important for developers to understand the security implications the open source dependencies bring into the organisation, security teams should also understand the overall organisational risk posture as it relates to open source software.
  • Trend Micro Cloud One™ - Open Source Security empowers security operations teams to identify open source code vulnerabilities and license risks across application components for enhanced visibility. Security teams should include open source risk as part of broader risk conversations and understand how direct/indirect dependencies impact their software bill of materials, attack surface, and broader security posture.
  • This doesn’t mean security should slow things down – look for an SCA tool that integrates with your existing application development/delivery tools. Applications will never be perfect, so prioritising the most pressing vulnerabilities is key in not overwhelming developers and DevOps teams. The idea is to make developer interactions with this tool nearly indistinguishable from their other day to day tasks.
  • Easily scale open source security alongside your development teams and pay per project or manifest files.

Cloud-native applications typically require that the supporting cloud infrastructure work properly. Infrastructure as code (IaC) lets you automatically provision what is required to run your application.

Since IaC is just code (in a template), you can apply your DevOps processes in a similar fashion for automated, consistent, and repeatable deployment of cloud infrastructure that is continuously improved and deployed.

Making sure that your “live” infrastructure’s settings/configuration does not drift from its intended state can be a challenge if manual changes are made.

Quickly realise the value of shifting security and compliance to the earliest phase of your CI/CD pipeline with Trend Micro Cloud One™ – Conformity. Our infrastructure-as-code (IaC) template scanner can instantly run templates through the Conformity API during the coding process.

This will enable automated, proactive prevention of misconfigurations and give you peace of mind that the code underpinning your cloud infrastructure is fully compliant and aligned to industry best practices, such as the AWS Well Architected Framework..

The Conformity Template Scanner for infrastructure as code is included at no additional cost, so you can scan and re-scan your templates for potential risks before deploying any infrastructure.

Object storage in the cloud is an elastic and flexible way to store unstructured data, particularly useful in supporting cloud-native applications that require scalable supporting infrastructure.

Tracking data at scale is not a simple task, so many object storage services offer a form of object tagging with customisable metadata.

  • Can be used to signal downstream workflows, apply lifecycle policies (for retention, deletion, etc.), and glean insights about cloud costs and security posture.

Pervasive use of object storage introduces a new attack vector vulnerable to malicious files. Trend Micro Cloud One™ – File Security protects your downstream workflows through malware scanning, integration into your custom cloud-native processes, broad cloud storage platform support, and other innovative techniques. You have peace of mind knowing that your data files entering your cloud environment will not impact internal systems or  affect external reputation.

Scale security alongside your cloud object storage with File Security and pay-per-object storage repository scanned, with small repositories costing less.

Cloud workload is a general term for applications/compute running in the cloud.

Evolved from virtual machines to include containers, serverless functions, databases, and other services that consume cloud-based resources.

Traditional cloud workload services now offer many more choices across operating systems, processor types, and processor configurations, even tailoring compute offerings for artificial intelligence, machine learning, and high-performance computing (HPC).

The advantages of hybrid cloud computing are many, but there are new risks and threats. Organisations must ensure compliance requirements are met while maintaining unified security across all workloads – physical servers, virtual, cloud, or container.

Trend Micro Cloud One™ – Workload Security provides comprehensive detection and protection in a single solution purpose-built for server, cloud, and container environments. Workload Security allows for consistent security, regardless of the workload. It also provides a rich set of APIs, so security can be automated and won’t impact your teams.

Network security tools, such as host-based intrusion prevention and vulnerability scanning, detect and stop network attacks and protect vulnerable applications and servers while file integrity monitoring, anti-malware, and behavioral analysis stop targeted attacks and detect suspicious activity.

Cloud-native virtual patching inspects and blocks malicious activity from business-critical traffic, detects and prevents intrusions, thwarts attacks on web-facing applications, and adaptably protects cloud networks, workloads, and containers. Leveraging TLS decryption and Zero Day Initiative research, quickly respond against threats that exploit known and unknown vulnerabilities without slowing down your application.

Workload Security automatically scales with your workloads to protect your ever-changing cloud real estate. Simply pay per workload hour protected across your multicloud environment, and smaller workloads cost less.

Containers are a form of software package that contains all the necessary elements (configuration files, libraries, dependencies, etc.) to run on any infrastructure, abstracting the application layer.

Traditionally, applications were developed in a specific computing environment, and often had bugs when run in a different environment. By using a containerised architecture, developers can build faster and have fewer errors.

Developing a containerised application is one thing but managing a container deployment is an operational challenge. Many organisations look to Kubernetes to assist with automating processes, such as deployment and scaling. If you’re using Kubernetes, your containers are placed in pods that run on nodes, and your nodes are part of a cluster.

Many organisations seek to offload additional overhead with a managed Kubernetes service. Because of the different dimensions of a Kubernetes deployment, the process of scaling up is more complex than simply “adding more containers.”

Kubernetes cluster

A managed Kubernetes service will support autoscaling within pods and across clusters and increase reliability and portability should you choose to move your deployment to different infrastructure. Other processes, like patching and updating hosts, are part of this as well.

Another option to reduce complexity of managing container infrastructure is to use serverless containers, a type of containers-as-a-service. They eliminate the need to manage the supporting elements of container infrastructure like clusters and virtual machines. Other flavors of container-asa-service give the user access to the underlying infrastructure.

With container lifespans as short as minutes, or even seconds, it’s difficult to pinpoint your attack surface and security posture. Look for a container security solution that protects your full container lifecycle and scales detection and protection with your container deployment.

Regardless of the level of abstraction of your container deployment, Trend Micro Cloud One™ – Container Security can help secure your application. Starting with automated build pipeline container image and registry scanning, it’s designed for developers and operations teams.

Container Security enables earlier and faster detection of malware, secrets/keys, compliance violations, and vulnerabilities, including those found in open source code.

DevOps teams are enabled to continuously deliver production-ready applications and meet the needs of the business without impacting build cycles.

As your container environment scales up and down according to your business needs, look for a security solution that is equally flexible to support your business-critical, cloud-native applications. Cloud One – Container Security only charges you per each protected container node or protected serverless container.

Serverless functions take abstraction a step further and eliminate the need to manage any infrastructure at all – all you need is the code you’d like to run, and the cloud provider will take care of the rest.

Each time your serverless function is invoked, the cloud providers spin up the required infrastructure and bill you accordingly for what you use. If your serverless function isn’t invoked, you don’t get charged.

Trend Micro Cloud One™ – Application Security secures your serverless functions from the most pervasive runtime attacks, including SQL injections, remote command execution, illegal file access, malicious uploads, URL redirects, payloads, and more.

Get visibility of your web applications’ security posture down to the vulnerable line of code with minimal impact on performance.

Baked into the serverless function, Application Security is tied to your application at the hip, ensuring your serverless function doesn’t get invoked insecurely.

Since your cloud provider bills you according to how many times your serverless function was invoked, shouldn’t security for that application be the same? Application Security charges per 1000 invocations, so you only pay when your application runs.

Cloud accounts are what cloud builders log into to access cloud services and resources. Sounds simple, but these accounts can represent both human users and non-human/machine identities, making things complicated. Machine identities could represent your cloud workloads/applications, operational tools, or other components. Policies can be set to specify what resources, services, actions, and other entitlements cloud accounts can access.

Each of the 3 hyper-scale cloud providers looks at this concept differently:

  • AWS: Referred to as accounts, access boundaries, usage limits, etc., these entities are administered at the account level. multiple AWS accounts can roll up into a billing/management account, but IAM, API access, and other policies are set at the AWS account level.
  • Azure: Predictably, Azure looks to an organisation’s Active Directory, where each AD identity translates into Azure.
  • GCP: You can use your organisation as a single boundary for your cloud resources, but many opt to create individual “projects,” each with its own IAM policy.

Easily manage the configuration of cloud services across AWS, Azure, and GCP with Trend Micro Cloud One™ - Conformity. Connect your cloud account, and in minutes you will have a comprehensive view of your cloud security posture. Conformity uses a custom access policy to view your cloud account metadata configuration settings – no read or write access to your data.

Often, the teams that are worried about the secure configuration of public cloud services are not the same teams deploying them. Conformity integrates with many different communications channels and workflow systems to make sure the right people have the right information to remediate misconfigurations without slowing developers down.

Fully API-enabled automation removes the manual, repetitive tasks that are prone to human error. Embrace DevOps without the fear of misconfiguration introducing security gaps in your cloud infrastructure.

Whether you’re a large enterprise moving to the cloud, or a cloud-first startup, Conformity can help you quickly get visibility of and improve your multicloud security posture with flexible pricing. Simply pay per cloud account connected to Conformity, and small accounts with fewer resources pay less.

Using private networks in the public cloud lets users deploy resources into a defined virtual network, loosely resembling a traditional, datacentrestyle network. Resources in the private network are isolated from other resources in the public cloud.

This is done by provisioning subnets (layer 3 of the OSI model), reserved ranges of IP addresses that act as a divided slice of public cloud networking for private use, and virtual LANs (layer 2) as part of the virtual network.

Virtual networks can be further customised with routing tables and network address translation. VPNs can also be used to link on-premises infrastructure to the virtual network in the cloud via a private and secure connection.

Quickly gain enterprise-grade detection and protection at the network layer security to protect everything in your VPCs. By deploying within the cloud network fabric, you can protect your infrastructure and network segments rapidly and easily with actionable security that doesn’t slow down your business or network traffic.

With its inline and transparent deployment approach that fits within your existing cloud architecture Trend Micro Cloud One™ – Network Security allows you to begin traffic inspection immediately without disrupting your business applications or established network connections.

With network security moving at your cloud’s speed, flexible pay-as-you-go pricing enables you to pay only for GB of traffic inspected.