Google this week made a case for moving beyond firewalls to secure microservices-based applications built using containers by sharing the best practices for a zero-trust networking model it relies on to secure its own web-scale IT environment.
Maya Kaczorowski, a product manager for Google, says Google makes extensive use of a BeyondProd framework, a cloud-native networking model that, among other things, ensures there is no inherent mutual trust between services and that chokepoints for consistent policy enforcement across services are created. Other concepts embedded into BeyondProd include mutually authenticated service endpoints, transport security, edge termination with global load balancing and denial of service protection, end-to-end code provenance and runtime sandboxing.
All the services Google provides run atop the Borg container orchestration engine, a pre-cursor to Kubernetes that Google still employs, on which BeyondProd is deployed.
BeyondProd is not intended to replace the need for firewalls as much as it is designed to augment them, says Kaczorowski. In fact, Google this week announced it has expanded its relationship with a dozen providers of cybersecurity platforms, including firewall providers Palo Alto Networks and Fortinet. It’s not at all clear, however, that any of the three major cloud platforms are all that much more secure than the other. In fact, just about every third-party cybersecurity vendor that supports Google Cloud also supports Amazon Web Services (AWS) and Microsoft Azure.
Google, like other cloud service providers, is highly committed to securing its own infrastructure. However, the security of the applications running on top of any cloud platform remain the responsibility of the IT team that deployed them. As IT teams increasingly embrace microservices-based applications, many are discovering that legacy approaches to securing applications are now insufficient.
Kaczorowski says Google is sharing how BeyondProd is constructed to encourage IT organizations to build their own zero-trust networking model for securing microservices-based applications.
The challenge many organizations will encounter in the months and years ahead is the need to deploy a zero-trust networking model across multiple clouds and on-premises IT environments that are likely to be running hundreds, if not thousands, of microservices. Unfortunately, most IT organizations are still struggling with how to secure monolithic applications on public clouds.
The highly dynamic nature of the containers that make up the bulk of the microservices being deployed presents organizations with a major challenge that in most cases will require them to define and adopt a range of best DevSecOps practices around a zero-trust networking model that needs to be continuously updated and managed. In many cases, roles surrounding who is responsible for building and deploying the zero-trust network across a team of cybersecurity and networking professionals have yet to be defined. Similarly, many organizations are still trying to determine to what degree developers will be held accountable for maintaining the security of their applications before and after they are deployed in a production environment.
Cybersecurity is likely to remain one of the biggest barriers of adoption when it comes to building and deploying cloud-native applications for the foreseeable future. The issue, however, is not so much the security of the cloud platforms being employed as much as it is the immaturity of the processes being employed to secure the applications running on those clouds.