In an ideal scenario, security would be baked into the development process from the very beginning. Security teams would primarily exist to verify that best practices have been followed at every step in the process.
In practice, security is an enormous challenge for most organizations. This challenge is compounded by the increasingly complex and fast-paced nature of modern service-oriented architectures, such as Kubernetes. The number of places things can go wrong expands exponentially as applications become increasingly complex, and it becomes more difficult for security teams to keep track of everything that needs to be configured to ensure constant security.
Microservice-oriented, containerized applications are much more dynamic than traditional monolithic applications. Data moves around more, nodes shift around clusters and individual services have to communicate with each other. Ensuring security means making sure that:
In a perfect environment, security would be a top priority for developers but this isn’t usually the case. Across an entire organization, there will be developers who are more or less disciplined about ensuring all the communication between services is secure. If you depend on the individual developers to get it right every time, security lapses are inevitable.
One of the advantages of monolithic applications, from a security perspective, was that it had clear borders around which you could build a protective firewall and keep intruders out. In modern, distributed applications made of up microservices, that approach doesn’t work anymore, because the application’s perimeters are no longer well-defined.
Shifting IP addresses likewise render traditional logging methods like 5-Tuple useless, since IP addresses are changing every few minutes.
In an enterprise setting, most applications are not pure microservice architectures, but rather a hybrid, with some parts of the application working on the old monolith while others are deployed in a cloud-native environment using containerized services. The enterprise might use a mix of public cloud, private cloud, and on-prem data centers.
For security teams, this translates to an incredibly complex environment to keep secure, especially because security teams have to secure the entire technology stack, down to the operating system of the server. Security teams are asked to keep track of best practices and configuration protocols for multiple environments and multiple application types, each with its own set of configuration tools, naming conventions, and best practice checklists. They have to ensure everything is updated properly, as well as keep track of the complex upstream and downstream dependencies that applications have so that they understand in advance the security ramifications of updating one piece of the application.
Keeping up with the security requirements in the modern software development ecosystem is a super-human task—and security specialists are humans, usually overworked ones. Without using tools to help security teams manage the application complexity and get a single interface to ensure consistent configurations, to automate the security monitoring process and allow self-healing, security flaws are almost impossible to avoid.
Ensuring consistent, continual security and compliance require bringing the complex application landscape into a different approach for managing security. The approach needs to be portable between clouds and on-prem, leverages security policies that ensure teams can collaborate while still ensuring maximum security, and logging that provides Kubernetes context to makes sense of the data. Network security is impossible to achieve without this approach that strips away the modern application complexity.
Free Online Training
Access Live and On-Demand Kubernetes Tutorials
Calico Enterprise – Free Trial
Solve Common Kubernetes Roadblocks and Advance Your Enterprise Adoption
Get updates on blog posts, new releases and more!