In Cloud Native security, what does Secure by Default mean?

• A. Security is added only during post-deployment hardening
• B. Security is optional and can be enabled if needed
• C. Implementing secure practices and leveraging processes and tools to ensure components are secure from the start
• D. Security defaults to the most permissive settings

Answer: (C)

Secure by default means building security into the system from the very beginning, so components come up with protections already in place rather than requiring extra steps later. In a cloud-native world, that includes starting with secure, minimal base images, enforcing least-privilege access, and applying protections through automated policies and tooling (like admission controls, policy-as-code, and ongoing image and dependency scanning). It also means defaults are restrictive—network access, permissions, and configurations should be denied or minimized by default and only widened when explicitly allowed. This mindset extends across CI/CD, secret management, encryption, and patching, so the system remains secure as it’s deployed, scaled, and updated.

That’s why the best choice describes implementing secure practices and using processes and tools to ensure components are secure from the start. The other options describe reactive or optional security, or defaults that are too permissive, which contradict the idea of building security into the default configuration.