Gone are the days of monolithic applications that run on dedicated machines. Instead, modern applications are being designed and deployed around microservices, containers and mixed-cloud environments. These environments give developers and DevOps teams tremendous flexibility, while at the same time improving efficiency by enabling the reuse of well-tested, shared services in many applications.
Sounds great, but what happens to security in this new world? Perimeters are no longer well-defined and static. There are more ports open and more APIs exposed so access control becomes a complex, distributed problem. In this new world of modern applications that leverage microservices and containers, we are faced with a dramatically larger, highly dynamic attack surface, opening the door to new, more complex threats.
Adding to the problem is that traditional perimeter and network security approaches don’t work for these modern applications. API Gateways and TLS Proxies can secure an application’s perimeter, but leave internal services unprotected from malicious east-west traffic. Network segmentation and host firewalls can secure infrastructure, but these tools lack application context, limiting visibility and providing only coarse controls for microservices.
Like it or not, it’s now up to the DevOps teams to respond to these security challenges and ensure that microservices environments are well-protected. There are three essential security defenses that DevOps teams need to put in place:
- Visibility into all interservice interactions. DevOps teams need tools that create a clear network map of how the application behaves. Having a deep understanding of normal application behavior enables DevOps to detect non-conforming communication alerting the security team to compromises.
- Least privilege access controls. DevOps teams need mechanisms to ensure controlled and authorized access to every microservice, limiting the impact of breaches and coding errors. This means DevOps and security must have fine-grained access controls, up to the application-layer, on every microservice.
- Encryption for sensitive data being communicated. DevOps teams need to enable end-to-end encryption for microservices traffic that may traverse public networks and shared infrastructures. This means DevOps teams must automate the management of certificates and keys, to minimize any chance of human error.
DevOps teams today resort to orchestrating a variety of technologies to implement these security features in their environments: microsegmentation to isolate workloads, proxies to manage TLS encryption and language-specific client libraries for visibility and application-layer access controls. These are complicated systems, involving complex custom coding and dedicated appliances. As such, they pose serious operational and scalability challenges. Moreover, it’s impractically hard to verify that these disparate mechanisms are actually jointly satisfying the intended security goals.
The good news is that new tools and approaches are emerging that empower DevOps to automate these microservices security features without custom coding or heavy appliances. These new approaches, called runtime microservices security solutions, insert a security layer around every container or process that comprises a microservice, and provide visibility and control to communications at the microservice level. Techniques for delivering a runtime microservices security layer include: SDK-based products, application-aware network segmentation and security virtualization. Once this layer is in place, security can be deployed with standard DevOps processes, providing the required security protections for microservices at greatly reduced management cost and headache for DevOps teams.
What are the essential ingredients of a runtime microservices security solution? An effective security layer should ensure the three essential defenses—real-time visibility, application-layer access controls and end-to-end encryption—at scale and in highly dynamic environments. In addition, it must be deployable without adding heavy new appliances that take up precious resources and time to manage. Such a solution should provide a great visual interface to help manage the large amount of data collected. Don’t forget that any such solution must also provide a programmatic API that delivers the same information as the visual interface.
The benefits of microservices are enormous when done right: flexibility, efficiency and cost savings. But security cannot be tacked on as an afterthought to be handled by DevOps teams. Existing tools designed for static perimeters simply won’t cut it in this new world. Instead, DevOps teams should explore security solutions that have been specifically designed for the unique challenges that microservices environments create.
About the Author / Tarun Desikan
Tarun Desikan is the CEO and co-founder of Banyan, a San Francisco-based startup focused on delivering best-in-class security solutions for container & microservices environments. He has over 15 years of experience developing and securing network infrastructure and Platform-As-A-Service offerings. Before his current role as CEO, Tarun was VP of Product at Moovweb, where he helped migrate hundreds of enterprise customers to modern responsive infrastructure in the Public Cloud. Tarun holds a BS in Electrical Engineering from BITS, Pilani, India, and an MSEE and MBA from Stanford University.