August 15, 2017 | By Richard O'Mahony

Co-authored by Chris Craig.

To match the ongoing shift to cloud as a means of increasing agility when delivering services, the architectures supporting these services are also evolving. The cloud IT space is full of terminology such as infrastructure-as-code, highly scalable architectures and microservices architecture — a methodology that is gathering significant momentum.

Adopting these compositions of loosely coupled components is a no-brainer because they are highly scalable and enhance agility for development teams. Before jumping straight on board, however, we should pause to understand the security posture that’s required for this migration.

Asking the Right Questions About Your Microservices Architecture

In many ways, a microservices-based architecture is not far removed from an Internet of Things (IoT) deployment: They both show an increase in independent systems and an associated boost in cross-system communication. With the many recent high-profile attacks on such distributed computing environments, it’s important for cloud vendors to understand threat vectors and plan for security and compliance.

When faced with a microservices architecture, DevOps engineers need to ask the following questions:

  • What is the security impact of the proliferation of application hosting within my environment?
  • How can I ensure all my microservices instances remain aligned from a compliance perspective?
  • How can I ensure all interprocess communications are secure?

To answer these questions, it’s important to go back to the foundations of traditional IT security best practices, including areas such as security information and event management (SIEM) and endpoint security, to ensure that these well-established technologies remain at the heart of evolving SecDevOps processes such as continuous delivery and continuous monitoring.

Maintaining Continuous Delivery

Automation and delivery pipelines are key to cloud agility. The introduction of microservices and their hosting containers has the potential to increase the attack surface. In addition to traditional software components, development teams may now be packaging portions of operating systems and middleware within these containers.

SecDevOps groups must ask if their current endpoint security solutions can be integrated into the build and delivery chains. Securing the containers before they land in production will be critical to overall compliance and security. By shifting security concerns left in the delivery cycle, organizations can save effort and enable more scalable environments.

Continuous Monitoring Is Critical

The increase in interprocess communications must also be addressed. SecDevOps needs to ensure that SIEM systems can monitor large numbers of interconnected communication paths and secure cryptographic solutions, boundary firewalls and individual runtimes. Authentication and authorization service monitoring at a microservice level is also critical to ensure that individual tenant privacy is maintained in multitenant environments.
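
The following added example, which is not part of the original article, applies the microservice-level authorization monitoring described above to constructed per-service authorization events, flagging cross-tenant access that was allowed and callers that are repeatedly denied across tenants. The event field names, service names and denial threshold are assumptions, not a real product's schema.

```python
import json
from collections import Counter

# Constructed sample events; the field names are assumptions, not a real schema.
SAMPLE_EVENTS = """\
{"ts": "2017-08-15T10:00:01Z", "service": "billing", "caller": "svc-orders", "token_tenant": "acme", "resource_tenant": "acme", "decision": "allow"}
{"ts": "2017-08-15T10:00:02Z", "service": "billing", "caller": "svc-reports", "token_tenant": "acme", "resource_tenant": "globex", "decision": "deny"}
{"ts": "2017-08-15T10:00:03Z", "service": "billing", "caller": "svc-reports", "token_tenant": "acme", "resource_tenant": "globex", "decision": "deny"}
{"ts": "2017-08-15T10:00:04Z", "service": "billing", "caller": "svc-reports", "token_tenant": "acme", "resource_tenant": "initech", "decision": "deny"}
{"ts": "2017-08-15T10:00:05Z", "service": "profile", "caller": "svc-search", "token_tenant": "globex", "resource_tenant": "acme", "decision": "allow"}
not-json: truncated record
"""

REQUIRED = ("service", "caller", "token_tenant", "resource_tenant", "decision")


def analyze(log_text, deny_threshold=3):
    """Return (alerts, unparsed_count) for newline-delimited JSON authz events."""
    alerts, unparsed = [], 0
    denied = Counter()  # cross-tenant denials per (service, caller)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            ev = json.loads(line)
            svc, caller, tok, res, decision = (ev[k] for k in REQUIRED)
        except (ValueError, KeyError, TypeError):
            unparsed += 1  # a coverage gap, counted rather than silently skipped
            continue
        if tok == res:
            continue  # same-tenant traffic is out of scope for this check
        if decision == "allow":
            # Isolation failure: the service granted access across tenants.
            alerts.append(("cross_tenant_allow", svc, caller, tok, res))
        else:
            denied[(svc, caller)] += 1
    for (svc, caller), n in sorted(denied.items()):
        if n >= deny_threshold:
            # Enforcement held, but one caller keeps reaching across tenants.
            alerts.append(("repeated_cross_tenant_deny", svc, caller, n))
    return alerts, unparsed


if __name__ == "__main__":
    found, skipped = analyze(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("unparsed records:", skipped)
```

The unparsed count is returned alongside the alerts because a service whose events cannot be read is a monitoring blind spot in its own right.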

It certainly is an exciting time to be developing cloud services, but it is still crucial to engage your DevOps leaders and address upfront security concerns when deciding to shift to a microservices architecture. These steps are vital to establish that you have the operational maturity to maintain security services moving forward.
