Nowadays, it is common for cloud-native applications to utilize anywhere from dozens to thousands of servers, and to be composed of anywhere from a handful to thousands of containers that deliver microservices. They manage this by spinning up quickly and shutting down when not needed, so as to use the least amount of computing resources across a hybrid, possibly multi-cloud architecture.
Even DevSecOps personnel struggle with securing modern cloud-native applications using the old network-oriented security model that has traditionally been used for monolithic applications and role-based access control. What is needed is a new security model that assigns trusted identities to each component of the application and user of the application to strictly regulate interactions in what is assumed to be a zero trust environment. Security has to move from being based on a network-oriented model to an application-aware model, and it has to be easy to implement and manage to be truly useful for DevSecOps.
In the old network-oriented security model, a service with a given IP address makes itself available on the network. Access to the service is secured with ﬁrewalls, IPS, WAF, NAC, and VPN gateways that are placed in front of it and are programmed with a set of cumbersome rules and vendor-speciﬁc conﬁguration settings to deﬁne which ports should be opened or closed and which network traffic originations should be allowed through. Syntax and rule priorities vary across the components comprising the security infrastructure, so it is rare for a single individual to understand or be able to maintain the security settings that have been put into the cloud-native application. As application components are spun up and down or moved, the number of security rules that need to be updated across the network topology becomes a management nightmare, bogging down SecOps personnel and constantly surfacing new security vulnerabilities.
Another major problem with network-oriented security is that once the IP address and ports for a Web-accessible application are known, any client residing on the Web may attempt to gain access. What is needed is a model whereby the application knows who the client is, in a cryptographically secure way, so access can be granted or denied based on that information.
DevSecOps personnel want a security model for cloud-native applications that is more secure as well as being easier to use, understand, and maintain. Ideally, it would be integrally tied to the components that comprise the application, not to IP addresses, ports and networking equipment settings. The security model cannot require developers to have to learn a new programming paradigm, because that would slow them down. In a perfect world, the security system could monitor the application component interactions to learn how best to secure them, automating the task of establishing security.
DevSecOps teams want to have better visibility into the security posture of the application. What is needed is a security platform that presents SecOps personnel with a dashboard that clearly shows how the overall application and all its component services are protected end-to-end, based on the application’s components themselves and the resources they utilize, not based on ﬁrewall rules or networking settings.
To learn about application-aware security for cloud-native applications, stay tuned for the next part of this blog series!