August 15, 2017 By Richard O'Mahony 2 min read

Co-authored by Chris Craig.

To match the ongoing shift to cloud as a means of increasing agility when delivering services, the architectures supporting these services are also evolving. The cloud IT space is full of terminology such as infrastructure-as-code, highly scalable architectures and microservices architecture — a methodology that is gathering significant momentum.

Adopting these compositions of loosely coupled components is a no-brainer because they are highly scalable and enhance agility for development teams. Before jumping straight on board, however, we should pause to understand the security posture that’s required for this migration.

Asking the Right Questions About Your Microservices Architecture

In many ways, a microservices-based architecture is not far removed from an Internet of Things (IoT) deployment: They both show an increase in independent systems and an associated boost in cross-system communication. With the many recent high-profile attacks on such distributed computing environments, its important for cloud vendors to understand threat vectors and plan for security and compliance.

When faced with a microservices architecture, DevOps engineers need to ask the following questions:

  • What is the security impact of the proliferation of application hosting within my environment?
  • How can I ensure all my microservices instances remain aligned from a compliance perspective?
  • How can I ensure all interprocess communications are secure?

To answer these questions, it’s important to go back to the foundations of traditional IT security best practices, including areas such as security information and event management (SIEM) and endpoint security, to ensure that these well-established technologies remain at the heart of evolving SecDevOps processes such as continuous delivery and continuous monitoring.

Maintaining Continuous Delivery

Automation and delivery pipelines are key to cloud agility. The introduction of microservices and their hosting containers has the potential to increase the attack surface. In addition to traditional software components, development teams may now be packaging portions of operating systems and middleware within these containers.

SecDevOps groups must ask if their current endpoint security solutions can be integrated into the build and delivery chains. Securing the containers before they land in production will be critical to overall compliance and security. By shifting security concerns left in the delivery cycle, organizations can save effort and enable more scalable environments.

Continuous Monitoring Is Critical

The increase in interprocess communications must also be addressed. SecDevOps needs to ensure that SIEM systems can monitor large numbers of interconnected communication paths and secure cryptographic solutions, boundary firewalls and individual runtimes. Authentication and authorization service monitoring at a microservice level is also critical to ensure that individual tenant privacy is maintained in multitenant environments.

It certainly is an exciting time to be developing cloud services, but it is still crucial to engage your DevOps leaders and address upfront security concerns when deciding to shift to a microservices architecture. These steps are vital to establish that you have the operational maturity to maintain security services moving forward.

More from Cloud Security

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

Cloud security uncertainty: Do you know where your data is?

3 min read - How well are security leaders sleeping at night? According to a recent Gigamon report, it appears that many cyber professionals are restless and worried.In the report, 50% of IT and security leaders surveyed lack confidence in knowing where their most sensitive data is stored and how it’s secured. Meanwhile, another 56% of respondents say undiscovered blind spots being exploited is the leading concern making them restless.The report reveals the ongoing need for improved cloud and hybrid cloud security. Solutions to…

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today