Security is table stakes in any enterprise-grade platform. At Pivotal, security is always top of mind and is integrated into every aspect of the Pivotal Cloud Foundry platform. We gather and incorporate customer and community-driven requests into the platform to provide security and enable compliance for organizations across all industries.
This blog kicks off a series on the security features that are built into the Pivotal Cloud Foundry platform and that should be part of any enterprise cloud platform. Our first blog starts with Application Security Groups. The inception of Application Security Groups was based on overwhelming feedback from customers in highly regulated industries (e.g., financial services, government, healthcare), as well as the numerous requests from the Cloud Foundry community. The goal of Application Security Groups was simple: enable individual applications to be locked down to only necessary connections.
Platform security should begin locked-down and then be opened up only as needed. Access should start with the application and then deliberately progress out towards the perimeter. Application Security Groups were first made available in the Pivotal Cloud Foundry 1.3 release in September 2014, and introduced some great application-centric security features. By starting with the application, administrators are able to identify and prevent bad actors before they hit the network.
Application Security Groups allow administrators to control the traffic flowing out of an application. Such access controls are difficult to implement with traditional technology stacks. Each Cloud Foundry application uses a dedicated Linux container, and each Linux container includes a dedicated virtual network interface. Application access controls are defined by the administrator, and the application-specific policies are stored and then applied to the virtual network interface by the platform before an application ever starts. Within the controls, Application Security Groups are a collection of ‘allow’ rules that can be assigned globally or to specific applications, so that access is set based on individual application requirements.
The individual application requirements are addressed through whitelisting, and whitelisting is layered on top of a series of container-centric lock-downs, allowing limited access to other applications and services. The whitelist approach, similar to the way a firewall works, looks at IP addresses, ports, and protocols to confirm that only explicitly approved traffic is allowed from the container. By locking application containers down to pre-defined routes, administrators are given the ability to reject all unexpected traffic by default.
Application Security Groups are completely configurable rules, and the rules are applied to applications based on the evolving security requirements throughout a deployment lifecycle. Security attributes can be loosened while applications are being packaged—as access to the Internet is required to download updates from package management tools. Additional rules can then automatically harden access as applications are moved into production, removing any unnecessary outbound connections. The outcome is that administrators have full, automated security throughout the workflow.
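The allow-list behaviour described above, as an added example that is not Pivotal's or Cloud Foundry's own code: a small evaluator that treats outbound traffic as denied unless a rule matches on protocol, destination and port, run against a looser staging rule set and a hardened running rule set. The rule sets, addresses and function names are constructed for illustration; the rule fields mirror the three attributes the text names.

```python
import ipaddress

# Constructed rule sets: each rule is an 'allow' entry (protocol, destination, ports).
STAGING_RULES = [
    {"protocol": "tcp", "destination": "0.0.0.0/0", "ports": "80,443"},  # package downloads
    {"protocol": "udp", "destination": "10.0.0.2", "ports": "53"},       # internal DNS
]
RUNNING_RULES = [
    {"protocol": "tcp", "destination": "10.0.16.10-10.0.16.20", "ports": "5432"},  # database hosts
    {"protocol": "udp", "destination": "10.0.0.2", "ports": "53"},
]

def _dest_matches(spec, ip):
    """Destination may be a single IP, a CIDR block, or an inclusive 'first-last' range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return first <= addr <= last
    return addr in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec, port):
    """Ports may be a comma-separated list and/or 'low-high' ranges."""
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def egress_allowed(rules, protocol, ip, port=None):
    """Default deny: return True only if at least one allow rule matches."""
    for rule in rules:
        if rule["protocol"] not in ("all", protocol):
            continue
        if not _dest_matches(rule["destination"], ip):
            continue
        if protocol in ("tcp", "udp") and rule["protocol"] != "all":
            if not _port_matches(rule["ports"], port):
                continue
        return True
    return False

def audit(rules, flows):
    """Pair each attempted (protocol, ip, port) flow with the allow/deny decision."""
    return [(flow, egress_allowed(rules, *flow)) for flow in flows]

if __name__ == "__main__":
    flows = [("tcp", "203.0.113.10", 443), ("tcp", "10.0.16.15", 5432), ("tcp", "10.0.16.15", 22)]
    for name, rules in (("staging", STAGING_RULES), ("running", RUNNING_RULES)):
        print(name, audit(rules, flows))
```

Running the same flows through both rule sets shows which connections disappear when an application moves from packaging to production, which is a quick way to review a proposed rule set before it is bound.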
Pivotal prioritizes security at each layer of our open cloud platform. The approach provides organizations with an easy and flexible way to rapidly provision, deploy, and manage software environments while meeting stringent security and compliance requirements. Expect to see more security capabilities in Pivotal Cloud Foundry in 2015, starting with the next release. Feedback is welcome and encouraged as we continue to expand Pivotal Cloud Foundry security capabilities.