Co-authored by Chris Craig.
To match the ongoing shift to cloud as a means of increasing agility when delivering services, the architectures supporting these services are also evolving. The cloud IT space is full of terminology such as infrastructure-as-code, highly scalable architectures and microservices architecture — a methodology that is gathering significant momentum.
Adopting these compositions of loosely coupled components is a no-brainer because they are highly scalable and enhance agility for development teams. Before jumping straight on board, however, we should pause to understand the security posture that’s required for this migration.
Asking the Right Questions About Your Microservices Architecture
In many ways, a microservices-based architecture is not far removed from an Internet of Things (IoT) deployment: They both show an increase in independent systems and an associated boost in cross-system communication. With the many recent high-profile attacks on such distributed computing environments, its important for cloud vendors to understand threat vectors and plan for security and compliance.
When faced with a microservices architecture, DevOps engineers need to ask the following questions:
- What is the security impact of the proliferation of application hosting within my environment?
- How can I ensure all my microservices instances remain aligned from a compliance perspective?
- How can I ensure all interprocess communications are secure?
To answer these questions, it’s important to go back to the foundations of traditional IT security best practices, including areas such as security information and event management (SIEM) and endpoint security, to ensure that these well-established technologies remain at the heart of evolving SecDevOps processes such as continuous delivery and continuous monitoring.
Maintaining Continuous Delivery
Automation and delivery pipelines are key to cloud agility. The introduction of microservices and their hosting containers has the potential to increase the attack surface. In addition to traditional software components, development teams may now be packaging portions of operating systems and middleware within these containers.
SecDevOps groups must ask if their current endpoint security solutions can be integrated into the build and delivery chains. Securing the containers before they land in production will be critical to overall compliance and security. By shifting security concerns left in the delivery cycle, organizations can save effort and enable more scalable environments.
Continuous Monitoring Is Critical
The increase in interprocess communications must also be addressed. SecDevOps needs to ensure that SIEM systems can monitor large numbers of interconnected communication paths and secure cryptographic solutions, boundary firewalls and individual runtimes. Authentication and authorization service monitoring at a microservice level is also critical to ensure that individual tenant privacy is maintained in multitenant environments.
It certainly is an exciting time to be developing cloud services, but it is still crucial to engage your DevOps leaders and address upfront security concerns when deciding to shift to a microservices architecture. These steps are vital to establish that you have the operational maturity to maintain security services moving forward.
Senior Engineer, IBM Security
Richard is a Senior Engineer within the IBM Security unit. His responsibilities include developing and securing the cloud platforms hosting the IBM cloud sec...