Containers And Microservices Complicate Cloud-native Security
As you've seen, cloud-native systems embrace microservices, containers, and modern system design to achieve speed and agility. But, that's only part of the story. How do you provision the cloud environments upon which these systems run? How do you rapidly deploy app features and updates? How do you round out the full picture?
Containers and microservices complicate cloud-native security
Before we jump directly on the preventive measure, first it is important to learn about the challenges that users face at the time of securing online apps. Microservices and containers have produced an incredible speed and flexibility to DevOps but, the advantages come with security challenges as well. Some of the common challenges associated with cloud-native protection are as followed:
Protecting vulnerabilities against attackers to be safe from threats like privileges elevation and shellcode injection inside the app can be achieved with strong Cloud-Native Security solutions. These approaches need to be implemented at the microservices and container level. Start with the smallest elements to develop protected containers, and their security features will explore into the cluster.
One of the best choices for creating and running microservices application architectures is by using containers. Containers encapsulate a lightweight virtualization runtime environment for your application and allow you to move the application from the developer's desktop all the way to production deployment. You can run containers on virtual machines or physical machines in the majority of available operating systems. Containers present a consistent software environment, and you can encapsulate all dependencies of your application as a deployable unit. Containers can run on a laptop, bare metal server, or in a public cloud.
The cloud native architecture model uses DevOps, continuous integration (CI), continuous delivery (CD), microservices, and containers. Most of the enterprises use the twelve-factor methodology for designing scalable and robust cloud native applications.
The architecture of cloud-native applications requires its own unique approach to security in terms of policies and controls. Beyond meeting the challenge of maintaining consistent security across their data center and the public cloud environment where their applications are deployed, IT must also contend with a lack of mature tools for securing containers, API vulnerabilities and other issues. In virtual-machine (VM)-based cloud deployments, security tools and best practices are more mature, offering more fully featured detection and visibility into threats and performance issues. The same cannot be said of cloud-native environments leveraging microservices and containers. In short, the threat model has changed.
Many organizations are looking toward cloud-native security platforms (CNSP) as the answer. The goal of CNSPs, in part, is to simplify the complexity of securing a diverse, multi-cloud environment. CNSPs are designed to meet the needs of cloud-native architectures and the development practices of DevOps culture. Rather than focused on one particular vendor, CNSPs are cloud-agnostic and are built to provide visibility and protection across a hybrid stack. They also feature capabilities such as secure configuration management, runtime protection for cloud workloads and containers, and detection and response capabilities for virtual machines (VMs), containers and serverless functions. Additionally, tight integrations with orchestration tools are a vital component of maintaining security for applications.
The shift from building applications in a monolithic architecture hosted on a server you could go and touch, to breaking them down into multiple microservices, packaged up into containers, orchestrated with Kubernetes, and hosted in a distributed cloud environment, marks a clear jump in the level of complexity of our software. Add to that expectations of feature-rich, consumer-grade experiences, which are secure and resilient by design, and never has more been asked of developers.
Cloud-native applications that are based on new types of infrastructure such as containers and serverless platforms are being rapidly adopted by organizations worldwide. While cloud-native applications deliver compelling benefits such as elastic scalability, unmatched resilience and rapid development velocity, they also raise challenges.
DevOps and infrastructure teams leverage microservices to run cloud-native applications. In the past, multiple processes or software functionalities would run on one virtual machine. Now, each process or capability is packaged as a separate container or serverless function. Each entity is vulnerable to compromise and needs to be protected throughout the development lifecycle.
Another part of the problem is that organizations use CI/CD tools (e.g. Jenkins, Azure DevOps and Bamboo) to continuously develop, test and release applications. When using containers to deploy cloud-native applications, developers use base images retrieved from local storage or public repositories but often without checking if those images contain security vulnerabilities.
When you run IAM on a per-function basis or define granular permissions for containers in a cluster, you can use those access controls to enforce security. Take the time to create a minimal role or set of permissions for each function or container. This ensures that if an element in the cloud-native architecture is compromised, it will cause minimal damage and prevent privilege escalation to other components.
As defined by the Cloud Native Computing Foundation (CNCF), Cloud native technologies empower organizations to build and run scalable applications in public, private, and hybrid clouds. Features such as containers, service meshes, microservices, immutable infrastructure, and declarative application programming interfaces (APIs) best illustrate this approach.
Kubernetes is an open source container orchestration platform developed by Google. It helps manage distributed clusters of containers, often used for microservices and other distributed applications. Kubernetes is highly resilient and supports zero downtime, rollback, scaling, and container self-healing.
Before I get in to microservices and containers, let me explain what generally constitutes an OSS system. OSS in general includes management functions such as service fulfillment including network inventory, provisioning and activation, service assurance, network management, fault management, monitoring and customer care. According to Telecommunications Management Network (TMN), there are four layers that constitute OSS, namely Business Management Level (BML), Service Management Level (SML), Network Management Level (NML), and Element Management Level (EML).
In my opinion, from a telecom network management perspective, managed services laid the foundation for "as a service" offerings. Then came the cloud. Virtualization provided several key capabilities such as agility, automation, scalability, and faster time to market, which were very difficult to achieve in legacy OSS systems. In addition to virtualization, here comes microservices and containers.
Microservices and containers will play role in the evolution of OSS systems, as in other areas of the telecom infrastructure. Like any other applications, microservices and containers will provide scalability, agility, and acceleration to OSS systems. In addition to OSS systems themselves moving to Cloud native, networks and applications will start to become cloud native and this poses new operational requirements to current legacy OSS systems. In their current form, OSS systems are complicated, but the advent of microservices-based networks and applications will put more demands on OSS systems. Certainly there were number of moving parts in the legacy network such as mobile subscribers, services, VPN, and so on, but nothing like what is going to happen in microservices-based networks. The management complexity that will be created by moving applications to micro services and containers will be profound compared to simple virtualization of network functions on a VM.
In the microservices and container era, there will be more automation, more dynamic workloads that are moving around, and containers that are constantly instantiated and removed in different parts of the clusters. This requires highly sophisticated monitoring, correlation, and management capabilities. Not only applications and infrastructure need to be monitored and managed, but also intercommunication among microservices/containers, their status, and parts of applications running inside the containers need to be monitored and correlated. Machine learning will play a key role in the management of microservices-based networks. Virtualization, microservices, and containers create new demands for securing the network, and security is even more critical to OSS systems.
To manage the microservices and containers, new capabilities are needed in OSS systems. One possibility is to leverage the new tools that are coming out of the container world. Cloud Native Computing Foundation (CNCF) projects such as Prometheus, OpenTracing, Jaeger, and Fluentd provide capabilities around tracing, monitoring, and observability. Security is key in the microservices area, and it is highly relevant for microservices-based OSS systems as well. New projects in CNCF such as notary and TUF will play a role in the area of security. As container technologies evolve, OSS systems will need to evolve further by absorbing new technologies in different layers of OSS.
Try your hand at this monolithic to cloud-native migration quiz to test your knowledge of modern software architectures and the challenges microservices pose in terms of performance, manageability, security and development. If you score well on this monolith vs. cloud-native architectures quiz, you'll be well aware of the potential pitfalls you might encounter when you refactor your applications.
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native applications are a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute.The primary goal of the OWASP Cloud-Native Application Security Top 10 document is to provide assistance and education for organizations looking to adopt Cloud-Native applications securely. The guide provides information about what are the most prominent security risks for cloud-native applications, the challenges involved, and how to overcome them.