Why security in cloud-native workloads starts at the container level

New, cloud-enabled approaches to application development require new approaches to securing them. Specifically, cloud-native applications typically employ containerization and microsegmentation of workloads to limit so-called east-west access of workloads. This includes communications among containers when they’re combined into an application.

That strategy stands in contrast to virtual machines or runtime code operating on servers in data centers, where the primary security is perimeter protection, which secures north-south access between clients and servers.

In a hybrid environment, agencies must augment the paradigm of perimeter protection with a strategy of protection at the microsegment level, said Patrick Sullivan, chief technology officer for security strategy at Akamai. Together, these approaches form the basis of zero trust, he said during Federal News Network’s Industry Exchange Cloud.

“You still need to protect that front end,” Sullivan said. “But then behind that, with microsegmentation, you can restrict those communication paths. So even in the worst-case scenario, where an attacker gains a foothold on one workload — maybe a web server, for example — they’re very much limited in what they can do to go forward.”

Akamai itself has transformed from its roots as an internet content delivery network, Sullivan noted. “We’ve expanded to be the leader in web app and application programming interface protection,” he said. “We’ve been a big player in zero trust access.”

In 2023, the company expects its cybersecurity revenues to exceed those of its streaming and website performance services, Sullivan said.

Few agencies are totally cloud-dependent. Most operate in hybrid environments: in their own data centers and in multiple clouds. And within clouds, they operate in multiple ways as well, he noted. Some cloud-hosted workloads exist as replications of servers in the data center, the rack-and-stack approach, for example.

By contrast, “the counter to rack-and-stack is more of a cloud-native type of approach, where you look at the unique capabilities of the cloud and kind of revisit some of those design assumptions,” Sullivan said.

Extending safety beyond the perimeter

That extends to security services too. Perimeter security may still work from a physical firewall appliance, but “where security exists in a software-based segmentation model is right there on the workload,” Sullivan said.

In that cloud-native model, each container when spun up into a workload invokes an agent according to a tag or multiple tags, he explained. These include both static tags that persist, inherited from the inception of the service, as well as dynamic tags that query the workload for vulnerabilities encountered in production.

“The security decision would be made right there on the workload,” Sullivan said.

API protection is also an important element of zero trust in cloud-native environments, he added. That’s because containers interact with one another via APIs.

“API’s have their own attack surface,” Sullivan said. “The Open Web Application Security Project list of Top 10 vulnerabilities is slightly different for an API than it would be for a web attack surface. A lot of that is just due to the more direct exposure of business logic that you see with [container] APIs.”

Gaining needed visibility to reduce risks

The explosion of APIs from developing containerized applications running in microsegmented networks changes the job of the security staff, he said. “The primary challenge for the security team is visibility, understanding where all of those API’s exist.”

The way to gain that visibility is through a development governance process that gives the security team an opportunity to review APIs, he said. Then it becomes a matter of risk management and dealing with the riskiest APIs first. Enabling this approach, Sullivan said, are the emergence of web app and API protection (WAAP) platforms.

Security in the zero trust model — at the API and micro-service level — lessens the need to worry about threat vectors such as phishing and bot attacks. There’s no soft interior behind a hardened perimeter, Sullivan said and likened the new approach to the resiliency and damage-limiting design of ship hulls.

“You design the hull to be as robust as possible, but there is always compartmentalization beyond that. So that even in that worst-case scenario, where there’s a compromise of the hull, it doesn’t have to be catastrophic. You can restrict the exposure to a limited area of the vessel.”

To listen and watch other Industry Exchange Cloud sessions, visit our event page.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.