Portshift this week added a Policy Advisor control interface that enables organizations to identify the most efficient and secure connections that can be made between microservices based on containers.
Zohar Kaufman, vice president of research and development for Portshift, says the extension to a platform that enables organizations to create a zero-trust application environment by assigning identities to applications also makes the Portshift Cloud Workload Protection Platform applicable to emerging cloud-native applications. Any communication between microservices that is not specifically allowed by the Policy Advisor is instantly disallowed, he says.
The Portshift platform attaches identities to applications as they are being built on a continuous integration/continuous deployment (CI/CD) platform. The Policy Advisor extends that capability to microservices by installing agent software on a Kubernetes cluster, Kaufman says.
The policies that a DevOps team decides to implement then can be created using a set of plain English commands that automatically map that policy to the underlying YAML files that were used to configure the Kubernetes environment. That deterministic approach makes it easier for cybersecurity professionals to participate in a DevSecOps process without necessarily know how to code, he adds, noting that historically, there’s been a lot of friction between DevOps teams and cybersecurity professionals that Portshift serves to reduce.
Policy Advisor gives DevOps teams the option to create rules based on suggestions surfaced by the platform or create custom rules to meet specific runtime requirements. Administrators can select a suggested rule from a policies page that shows the source, destination, traffic details and pending actions. The Policy Advisor then identifies the number of connections that could be affected by the rule to prevent what otherwise might be an unintended consequence. Once executed, the new rule will appear in the connection policy window, which the administrator then can save, modify or delete.
In theory, containerized applications should be more secure than monolithic applications because rather than having to patch an entire application, developers can rip and replace containers that house compromised code. The issue that organizations will run into, however, is that each containerized application can be made up of hundreds of microservices. It’s not too difficult to imagine how one of those microservices might communicate with an external microservice that appears legitimate but is actually something inserted by a cybercriminal.
Not surprisingly, one of the biggest issues a developer of a containerized application often faces is convincing cybersecurity professionals to sign off on deploying their applications in a production environment. A lack of visibility into how microservices communicate with each other doesn’t engender a lot of trust.
Portshift is not the only startup vendor focused on providing a zero-trust platform for securing microservices. Most IT organizations should expect to deploy some form of this capability in the months ahead as the number of microservices-based applications deployed in production environments increases steadily.
In the meantime, developers would be well-advised to proactively educate their cybersecurity colleagues about why microservices are a better way to build applications as well as secure them.