Cloud-Native Security: Going Upstack From the 3 Rs

May 1, 2017 Kamala Dasika

Another day, another highly visible cybersecurity breach in the news.  And another flurry of tighter controls in IT by way of gates and checklists. Well...why not? After all, security breaches are occurring more frequently and are predicted to intensify this year. At the same time, this trend sits uncomfortably alongside another, where enterprises are demanding more applications at a faster pace. So, the mandate has become - crank up your security and also deliver software faster.

DevOps and Agile have turned the release engineering process on its head, which has enabled development and operations teams to deliver apps at a higher cadence. But, with the weight of the company’s reputation and operational risk on their shoulders, the security teams are lagging by continuing the traditional and conservative approaches that slow down or limit changes. Mandatory tests, gates, and reviews of changes to every app are the norm and this puts security in the critical path at every stage of the software delivery lifecycle. These seemingly opposed goals of speed and safety are leading to suboptimal tradeoffs. According to research by McKinsey, half of the CIOs and executives that they interviewed cited existing security controls as “a major pain point” impacting their frontline productivity.

Transforming the Department of Slow, Heck No, and Oh No You Didn’t!

It is becoming clear that a single individual or team cannot be responsible for the security of the entire organization. Modern CSOs have to consider democratization of security because their organization can be so much more successful if security is embedded into the DevOps process and not seen as an external impediment.

Speed Reduces Risk: Making DevOps Secure by Default

People who know Pivotal, have probably heard us talk about the three R’s of Enterprise security- Rotate datacenter credentials every few hours, Repave all servers and applications in the datacenter every few hours from a known good state, and Repair vulnerable operating systems and application stacks consistently within hours of patch availability.

Platforms like Pivotal Cloud Foundry not only make it easier to support the kind of cultural shift necessary for DevOps, they make it easier to practice good security. Most attacks target applications and operating systems with known vulnerabilities. Something as simple as timely patching of software with updates as they become available greatly reduces the number of exploitable entry points available to an attacker.  

With Pivotal Cloud Foundry, Operations teams are making updates to apps and the platform itself in production with no downtime. Operating system patches and upgrades are applied via what we call "rolling canary" deploys that are done “in flight” across batches of infrastructure until the update has permeated the whole system. This is just one example of how the speed enabled by the platform lowers the friction of implementing security in the enterprise, and improves overall security posture.

In addition to the 3 Rs, is there more that we can do to defend apps from attacks like cross-site scripting and SQL injections?

This is important because, despite fact that  ~70% of the vulnerabilities are in the application layer (Gartner), the majority of IT spend is going into securing networks and endpoints. This incongruity makes it clear that enterprise IT still has some work left to do in this space. With a new collaboration and integration, we are eager to lend a helping hand.

Security as a Real Time Decision Engine

Signal Sciences, one of Pivotal’s newest partners, is taking on the challenge of bringing security context and visibility to DevOps teams while providing continuous attack protection. The company is founded by some of the same people who were running  security at Etsy, and pioneered the inclusive security culture that enterprises are now seeking out as a model. Through this experience, the founders of Signal Sciences discovered that security tools have to become much faster and turn into real time decision engines that feed the entire software lifecycle. This is what the company set out to build.

Signal Sciences is a web protection platform that’s designed for collaboration, so development, operations, and security teams can work together. Signal Sciences offers a menu of deployment options including including Next Generation Web Application Firewall (NGWAF), Runtime Application Self-Protection (RASP), and Reverse Proxy modes. Whether you choose to deploy in the server instance as a plugin, in the code, or standalone, Signal Sciences provides security visibility and protection for all of your application instances.

Pivotal Cloud Foundry users can download and install the Signal Sciences Service Broker tile to expose the service in the Marketplace. Developers can then protect their applications simply by embedding the agent in their application and binding the service to their app. This is a fast and consistent way for Security and DevOps teams to ensure that all applications are secured.

Intelligent Attack Protection

Signal Sciences uses application security and anomaly data to determine if an attack is in progress. By recognizing specific attack patterns and indicators, Signal Sciences can stop an attack before it completes. This method allows for a smarter detection model and helps reduce the number of false positives that tax users and owners of the system. A number of out-of-the-box detections are available for customers to use as-is or customize to their specific needs.

Visibility that Brings Security Earlier into the SDLC

Collaboration often starts with a common, trusted set of data. To that end, the Signal Sciences platform has a real time engine that informs the various teams of the nature of attacks, where they are occurring, what targets they are hitting, etc. Users can also plug into any modern security workflows including DevOps, ChatOps, CI / CD, ticketing system, etc. via out of the box integrations. This way, fixes can be designed in real time thereby shortening the mean time to detect and fix vulnerabilities.

Scale to Support the Most Demanding Web Apps

Applications running on cloud-native platforms like Pivotal Cloud Foundry can horizontally scale in or out within seconds. Traditional WAF tools fall short in such dynamic and scalable environments. This is because any revision to the number of application instances triggers manual configurations and changes to the hardware, making the effort counterproductive to the benefits of dynamic scaling. The Signal Sciences platform scales your application security while quickly propagating updated protection models.

Learn More

If you’re interested in learning more about what we’re doing in the realm of Cloud Native Security, join Signal Sciences CSO, Zane Lackey, and I on a live webinar, “Strategies on How to Overcome Security Challenges Unique to Cloud-Native Apps”.

 


Read about how Pivotal approaches Cloud-Native Security.

About the Author

Kamala Dasika

Kamala Dasika has been working on Cloud Foundry since 2011 and has previously held various product or engineering positions at VMware, Tibco, SAP, and Applied Biosystems. Kamala started her software career 17 years ago with a transformative technology – the first fully automated, high throughput instrument used to sequence the Human Genome. She believes she is working with another transformative team at Pivotal that will change the way software is produced. Kamala holds a B.S.E in Computer Engineering and an M.B.A., Marketing Management.

More Content by Kamala Dasika
Previous
What are Microservices?
What are Microservices?

A short explainer on what microservices are and how they can help a company.

Next
Cloud-Native and the Apparating App
Cloud-Native and the Apparating App

Cornelia Davis describes her new book all about Cloud-Native software. Pivotal readers can get the book for...