We are on a journey from the age of server-reliance to eventually a serverless era – with a couple of inflection points along the way. New and fundamental technology changes have enabled this path. However, with this advance in technology comes new challenges which require an examination of the way we approach cybersecurity altogether.
A Shift of Mindset
The shift from monolithic, centralized systems towards a distributed microservices model also requires a shift in mindset – from static, perimeter-centric security towards security that is decoupled from network or infrastructure. As we begin to redefine our approach, we must deal with the fundamental tension between the past and future; between security for servers, and serverless technology.
Legacy to Cloud Native: Pets vs. Cattle
To understand the future, we must look to the past. What are the fundamental differences between cloud-native and legacy infrastructure, and how can we bridge the two as we lift and shift our applications to the cloud?
Legacy infrastructure is complex, semi-static and network-centric. It often requires manual control and does not scale. Cloud-native security, on the other hand, is required to be automated, scalable, and perimeter-agnostic. Furthermore, it must be infrastructure and platform independent to be truly effective.
To understand the change in mindset required, let’s examine the “pets vs. cattle” analogy, a DevOps concept first introduced by Bill Baker, a distinguished engineer at Microsoft, in a 2012 presentation on “Scaling SQL Server”.
The “pets” service model is applicable to legacy infrastructure. It is used to reference a model where we treat our servers as we would our beloved pets. Fido (the server) is unique. We love him, nurture him, and restore him to health when he is sick. When he’s not around (the server goes down), everyone is aware.
Servers in this analogy are treated as indispensable – we have attachments and dependencies to each one. Examples of “pet” servers include firewalls, mainframes, solitary servers, load balancers, database systems, etc. If your firewall goes down, panic ensues.
For the scalability required in the cloud-native era, and for IT Ops at the enterprise level, we must take a “cattle” approach to the service model.
Here, “cattle” equates to a herd of servers, built using automated tools and designed with failure in mind. Servers are assigned identification numbers, as cattle in a herd would be (ID-001, ID-002, etc.). No distinction is made between these servers, and if a single member of the “cattle” herd goes missing, it is easily replaced by another – nobody sheds a tear or takes it for a backyard burial.
This makes it possible to route around failures by rebooting or replicating data, and requires very little human interaction. Examples of “cattle” servers include web server arrays, NoSQL clusters, queuing clusters, search clusters, caching reverse proxy clusters, multi-master datastores like Cassandra, big-data cluster solutions, and so on.
Virtual Machines & Containers
The “pets vs. cattle” analogy can also be stretched to examine the relationship of virtual machines (VMs) vs. containers. VMs take minutes to launch, whilst containers take mere seconds. Containers are also more efficient and require far fewer resources than VMs.
Containers are important to consider when addressing security requirements in the current landscape: security teams struggling to address the requirements in a cloud-native environment will be further stressed when tasked with encompassing container-based resources, too.
Security Requirements for the Cloud-Native Era
In the cloud-native era, securing your applications comes with new challenges altogether. Cloud security solutions must be automated, scalable, and decoupled from network or infrastructure, and applicable at a granular level across multi-cluster or multi-cloud.
Aporeto was built with the transition to the cloud-native era in mind, and to accelerate the migration of enterprises to the cloud. The Aporeto platform protects cloud applications from attack by authenticating and authorizing all communications with a cryptographic identity assigned to every workload. This alleviates reliance on unmanageable error-prone IP white-list policies, and reduces operational tension. A distributed homogeneous security policy is enforced per workload independent of network or infrastructure configuration, enabling uniform security orchestration across multi-cloud environments.
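The contrast drawn above, between IP white-list policies and authorization bound to a per-workload cryptographic identity, is easiest to see in a small simulation. The following is an added example written for this page; it is not Aporeto’s code and does not reflect its implementation. HMAC-signed tokens, the attribute names (`app`, `env`), the policy format and the addresses are all constructed for the demo; a real deployment would issue per-workload certificates from a managed issuer rather than sign with a shared key.

```python
"""Workload-identity authorization vs. IP allow-listing (constructed example)."""
import base64
import hashlib
import hmac
import json

# Constructed signing key for the demo only. A real system would use a managed
# issuer (for example per-workload X.509 certificates), not a shared HMAC secret.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def issue_identity(attrs: dict) -> str:
    """Mint a signed identity token for a workload from its attributes (app, env, ...)."""
    payload = base64.urlsafe_b64encode(json.dumps(attrs, sort_keys=True).encode()).decode()
    sig = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_identity(token: str):
    """Return the workload attributes if the signature checks out, otherwise None."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None


def matches(selector: dict, attrs: dict) -> bool:
    """A selector matches when every key/value it names is present in the attributes."""
    return all(attrs.get(k) == v for k, v in selector.items())


def authorize_by_identity(policy: list, src_token: str, dst_attrs: dict) -> bool:
    """Allow only if the caller presents a valid identity and a rule permits src -> dst."""
    src = verify_identity(src_token)
    if src is None:
        return False
    return any(matches(r["from"], src) and matches(r["to"], dst_attrs) for r in policy)


def authorize_by_ip(allowlist: set, src_ip: str) -> bool:
    """The legacy check: trust whoever is calling from an allow-listed address."""
    return src_ip in allowlist


# Constructed scenario: a prod web tier may talk to the prod database, nothing else.
POLICY = [{"from": {"app": "web", "env": "prod"}, "to": {"app": "db", "env": "prod"}}]
DB_ATTRS = {"app": "db", "env": "prod"}
WEB_TOKEN = issue_identity({"app": "web", "env": "prod"})
BATCH_TOKEN = issue_identity({"app": "batch", "env": "dev"})

# Day 1: the web instance lives at 10.0.1.5 and the DB allow-list is written around it.
DB_IP_ALLOWLIST = {"10.0.1.5"}


def scenario() -> dict:
    """Replace the web instance (cattle) and let its old IP be reused by another workload."""
    results = {}
    # The web instance is recycled; the scheduler gives its replacement a new address.
    results["ip_new_web_instance"] = authorize_by_ip(DB_IP_ALLOWLIST, "10.0.1.9")
    results["id_new_web_instance"] = authorize_by_identity(POLICY, WEB_TOKEN, DB_ATTRS)
    # The released address 10.0.1.5 is handed to an unrelated dev batch job.
    results["ip_batch_on_old_ip"] = authorize_by_ip(DB_IP_ALLOWLIST, "10.0.1.5")
    results["id_batch"] = authorize_by_identity(POLICY, BATCH_TOKEN, DB_ATTRS)
    # A token whose signature has been altered fails verification regardless of IP.
    forged = WEB_TOKEN[:-1] + ("0" if WEB_TOKEN[-1] != "0" else "1")
    results["id_forged"] = authorize_by_identity(POLICY, forged, DB_ATTRS)
    return results


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY'}")
```

Running `scenario()` shows the two failure modes of an address-based policy in a cattle environment: the legitimate replacement instance is denied because its IP changed (an outage), and an unrelated workload that inherits the old address is allowed (an over-grant). The identity-based check gives the correct answer in both cases and rejects a tampered token, because the decision is keyed on who the workload is rather than where it happens to be on the network.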
For more information on how Aporeto can help your organization to consume cloud, build cloud-native applications and improve application velocity, read our ebook Identity-Powered Cloud Security.