New approaches to developing cloud-based applications require new approaches to securing them. Specifically, cloud-native applications typically use containerization and micro-segmentation of workloads to limit so-called east-west access of workloads. This includes communications between containers when combined into an application.
This strategy contrasts with virtual machines or code running on servers in data centers, where the primary security is perimeter protection, which secures north-south access between clients and servers.
In a hybrid environment, agencies need to reinforce the perimeter protection paradigm with a microsegment-level protection strategy, said Patrick Sullivan, chief technology officer for security strategy at Akamai. Together, these approaches form the basis of zero trust, he said on the Federal News Network show Industry Exchange Cloud.
“You always have to protect that front end,” Sullivan said. “But behind that, with microsegmentation, you can restrict those communication pathways. So even in the worst-case scenario, where an attacker gains a foothold on a workload – perhaps a web server, for example – they are very limited in what they can do to get ahead.”
Akamai itself has transformed from its roots as an Internet content delivery network, Sullivan noted. “We have grown to be the leader in protecting web applications and application programming interfaces,” he said. “We’ve been a big player in zero trust access.”
In 2023, the company expects its cybersecurity revenue to outpace that of its streaming services and website performance, Sullivan said.
Few agencies are totally dependent on the cloud. Most operate in hybrid environments: in their own data centers and in several clouds. And within those clouds, they work in multiple ways, he noted. Some cloud-hosted workloads, for example, are replications of servers in the data center, the rack-and-stack approach.
In contrast, “the opposite of rack-and-stack is more of a cloud-native type approach, where you’re looking at the unique capabilities of the cloud and sort of revisiting some of those design assumptions,” Sullivan said.
Extend security beyond the perimeter
This also extends to security services. Perimeter security can still work from a physical firewall, but “where security exists in a software-based segmentation model, it’s right there on the workload,” Sullivan said.
In this cloud-native model, each container, when launched in a workload, invokes an agent whose decisions are based on one or more tags, he explained. These include static tags that persist, inherited from service creation, as well as dynamic tags derived from querying the workload for vulnerabilities found in production.
“The safety decision would be made on the spot based on the workload,” Sullivan said.
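To make the tag-driven decision concrete, here is an added toy model (not Akamai's product or code) of an agent that decides each east-west flow from a workload's static and dynamic tags, default-deny, with a runtime "vuln: critical" tag quarantining the workload. All tag names, rules and workloads are constructed for illustration.

```python
from dataclasses import dataclass, field
# Constructed toy model of tag-based microsegmentation (added example, not Akamai's
# product): each workload carries static tags inherited at service creation plus
# dynamic tags set at runtime (e.g. by a vulnerability scan); every east-west
# flow decision is made from those tags alone, default-deny.

@dataclass
class Workload:
    name: str
    static: dict                                 # e.g. {"role": "web", "env": "prod"}
    dynamic: dict = field(default_factory=dict)  # e.g. {"vuln": "critical"}
    def tags(self) -> dict:
        return {**self.static, **self.dynamic}   # dynamic overrides static

@dataclass
class Rule:
    src: dict    # tag selector the source must match
    dst: dict    # tag selector the destination must match
    ports: set   # permitted destination ports

def matches(selector: dict, tags: dict) -> bool:
    return all(tags.get(k) == v for k, v in selector.items())

def evaluate(src: Workload, dst: Workload, port: int, rules: list) -> bool:
    s, d = src.tags(), dst.tags()
    # Quarantine: a workload flagged critical at runtime loses east-west reach.
    if s.get("vuln") == "critical" or d.get("vuln") == "critical":
        return False
    return any(matches(r.src, s) and matches(r.dst, d) and port in r.ports
               for r in rules)

# Constructed three-tier policy: web -> api on 8443, api -> db on 5432, nothing else.
RULES = [
    Rule({"role": "web", "env": "prod"}, {"role": "api", "env": "prod"}, {8443}),
    Rule({"role": "api", "env": "prod"}, {"role": "db", "env": "prod"}, {5432}),
]
WEB = Workload("web-1", {"role": "web", "env": "prod"})
API = Workload("api-1", {"role": "api", "env": "prod"})
DB = Workload("db-1", {"role": "db", "env": "prod"})

def decisions() -> dict:
    """Flows a defender would check, including an api tier flagged in production."""
    flagged = Workload("api-1", API.static, {"vuln": "critical"})
    return {
        "web->api:8443": evaluate(WEB, API, 8443, RULES),             # True
        "web->db:5432": evaluate(WEB, DB, 5432, RULES),               # False
        "api->db:5432": evaluate(API, DB, 5432, RULES),               # True
        "flagged-api->db:5432": evaluate(flagged, DB, 5432, RULES),   # False
    }
```

The third and fourth entries show the point Sullivan makes: a compromised or newly vulnerable workload keeps only the pathways its tags still permit, and a dynamic tag can withdraw even those without touching the perimeter.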
API protection is also an important part of zero trust in cloud-native environments, he added. Indeed, containers interact with each other through APIs.
“APIs have their own attack surface,” Sullivan said. “The Open Web Application Security Project’s list of top 10 vulnerabilities is slightly different for an API than for a web attack surface. This is largely due to the more direct exposure of business logic that you see with [container] APIs.”
Get the visibility needed to reduce risk
The explosion of APIs from developing containerized applications running in microsegmented networks is changing the work of security personnel, he said. “The main challenge for the security team is visibility, understanding where all these APIs are.”
The way to get that visibility is through a development governance process that gives the security team an opportunity to review APIs, he said. Then it becomes a matter of risk management and dealing with the riskiest APIs first. This approach, Sullivan said, is made possible by the emergence of Web Application and API Protection Platforms (WAAPs).
Security in the Zero Trust model – at the API and micro-service level – reduces the need to worry about threat vectors such as phishing and bot attacks. There’s no soft interior behind a hardened perimeter, Sullivan said, and he likened the new approach to designing the resilience and damage limitation of ship hulls.
“You design the hull to be as robust as possible, but there’s always compartmentalization beyond that. So even in the worst case scenario, where there’s a compromise of the hull, it doesn’t have to be catastrophic. You can limit exposure to a limited area of the vessel.”
To listen to and watch other Industry Exchange Cloud sessions, visit our event page.