Agile Security - A Reality in Today's World

Businesses are looking to optimize and accelerate their Software Development Lifecycle (SDLC), in order to improve their operational efficiency and gain a competitive edge.

Service mesh is the popular architecture where monolithic applications are broken down into microservices, becoming the common delivery model providing for better agility, elasticity and scale. Companies that deploy service mesh architecture require advanced automation and orchestration tools to help them achieve these business goals (agility, elasticity, and scale) and assemble an ecosystem that supports continuous deployment.

Such orchestration tools offer automated container deployment, scaling and management, time code scanning, provisioning, testing and even security in the CI/CD pipeline. The most popular orchestration tool is Kubernetes. It is so broadly used, that each public cloud vendor has introduced a special Kubernetes edition.

Naturally, these benefits drive the rapid adoption of the above model, with the ultimate goal of continuous deployment. Even if an application is changed multiple times a day, each version must go through the full SDLC phases before being pushed into production – with no delays and no human intervention, at all. If security doesn’t run at the same speed, it is usually left behind.

Normally, enterprises are forced to choose between agility and security. Most put agility first and try to retrofit security solutions into their deployments. But it’s worth noting that digital transformation doesn’t just come with new technologies; it also forces structural changes and adjustments of business processes.

Naturally, because it gives more decision-making power to those who understand, choose and implement the emerging solutions, DevOps have a growing influence on information security related decisions and eventually, the overall application security posture of their company.

As everything is moving fast, how can businesses be both agile and secure?

Unfortunately, emerging technologies are just that—emerging—and they do not come with best practices. Companies still look for the proverbial yellow brick road to secure microservices and containerized applications. What might that look like? Market leading application security that also provides advanced automation, auto-scale and elasticity required by today’s DevOps and Security teams. But often, the first line of defense is a WAF.

Can a WAF be agile?

WAFs are long known as showstoppers – they are slow, inaccurate, require a lot of tuning, exception handling and manual labor to maintain. Generating false positives and hurting the user experience, WAFs are by far the least favorite solution for information security teams. Can such an ancient animal adjust to the new ecosystem?

Yes, it can!

If organizations require agility first and foremost, then security must fit into that automated SDLC without disrupting continuous deployment.  However, organizations need more than just a “good enough” security solution. Their data is at stake. They require comprehensive protection.  Radware invested significant R&D efforts to solve this problem. The emphasis focused on finding the required level of automation, flexibility and elasticity.

Kubernetes WAF features many integration options into the CI/CD pipeline. For example, it is fully controlled by Kubernetes, so application security grows and scales with Kubernetes pods, including learned policies and configuration settings.

What’s more, visibility to both DevSecOps + Security teams via integration with common tools and platforms (like Grafana, Prometheus, etc.) is critical, as is a light footprint (an enforcement point in front of each pod while management, analytics and learning engine are run separately within the environment).

Lastly, and perhaps most importantly, security policies should be automatically generated and tuned. This can be accomplished by using machine learning with a unique auto policy-generation engine that studies the application/ microservice structure, analyzes potential threats and builds a security policy that is later adjusted whenever a change is introduced to the application.

And there you have it: Agile security!

As for security folks – you can maximize security for containerized applications with a unique combination of positive and negative security models for application protection in service mesh.

The author is Managing Director, India, SAARC & Middle East, Radware

Hombre