Every once in a while, a new transformative architecture emerges, which challenges how we think about applications and our understanding of how to build and operate them securely. Containerization has created the possibility of microservices, and we are still writing the guide for protecting data in this environment.
As an example, many organizations are using microservices orchestrators, such as Kubernetes (k8s) and OpenShift, to build their next-generation applications. These orchestrators are powerful and robust tools, yet designing, deploying, and using them securely takes some guidance and good tooling.
I will be addressing this topic in my talk at RSA Conference 2019 and in a series of posts here.
As you all know, from a server perspective, we’ve gone in a very short time from bare-metal servers with a single operating system; to virtual machines; to cloud, which is virtual on demand; to containers. From an architecture perspective, we’ve gone from monolithic (everything you need in one box); to the stateful decoupling of service-oriented architecture; to stateless, reusable and ephemeral microservices.
As we operate in this evolving environment, we need to constantly rethink our strategies for protecting our organizations and the data that drives their business or mission.
The topics I will address at RSA and in this series of blog posts include:
- What questions should security professionals be asking about microservices?
- What are the requirements of secure microservices?
- What are the right tools to get the job done?
- How can we repurpose technology we’ve already invested in?
5 Initial Focus Points
Containers are ephemeral in nature, and microservices frameworks like Kubernetes treat them as such. For example, pods (the k8s term for one or more containers deployed together) are created as needed and may live for years or just a few seconds. Our security strategies going forward need to respond to this new pattern. In my talk at RSA, I will discuss five categories we need to consider for security in a Kubernetes world:
- Identity – authorization, authentication, and auditing of humans, components, and APIs!
- Software pedigree – What’s in the image that makes the container?
- Data security – Containers are ephemeral, so they use “external” persistent storage. Do I encrypt it? If so, how?
- Network security – CNI plugins, ingresses, services, and service meshes are some of the new common network components you must understand and operate securely.
- Trust – All nodes and components have to be able to talk to other nodes and components, and they all need certificates, which requires a PKI and excellent certificate management.
In addition, I will share some best practices and offer ideas on how to take advantage of microservices security.
Please join me at RSA on Tuesday, March 5 at 10:20 am in the North Briefing Center and watch for additional blog posts in which I will expand on the topics above.