
Curiefense, an Open Source, Envoy-Based Cloud Native Security Platform

8 Mar 2021 8:11am

Reblaze, an Israeli provider of cloud native, managed application security solutions, has released a commercial version of Curiefense, a Cloud Native Computing Foundation (CNCF) sandbox security project. Its job is to protect cloud native applications and APIs from threats such as SQL injection, cross-site scripting (XSS), application-layer Distributed Denial of Service (DDoS), and API abuse.

How? By building on top of Envoy, the open source, high-performance C++ distributed proxy originally created at Lyft.

Envoy is an open source edge proxy designed for cloud native applications. It can also serve as a communication bus and universal data plane for large microservice service mesh architectures. Curiefense works on top of this as an Envoy Filter, so you can use it anywhere you already have Envoy running, whether as an ingress gateway, a sidecar, a reverse proxy, a load balancer, or in other roles. Curiefense attaches directly to Envoy and can start protecting your platform immediately.

Curiefense itself is licensed under the Apache 2.0 license. And while it’s still in the CNCF sandbox, Reblaze considers it production-ready.

Besides building on top of Envoy, it also uses GitOps and has native security support for Kubernetes and service meshes such as Istio. Its programmers describe Curiefense as an API-first security platform that’s “for developers, by developers.” Curiefense’s full list of features includes:

  • Supports DevOps/Infrastructure as Code/GitOps
  • Driveable by UI, cURL, and Swagger
  • Configurations are imported/exported in JSON/YAML
  • All data and configurations versioned in Git
  • Supports branched environments (e.g., Prod/DevOps/QA)
  • Real-time analytics/metrics, integrated with Prometheus/Grafana and ELK stack
  • Built-in automated threat feeds + bring your own
  • Advanced bot detection/biometric human verification
  • Premium services including machine learning-based, automated security configuration, and 24/7 support

The program is also platform agnostic. It can run on cloud VMs and as an Envoy plugin. Deployment options include Docker Compose, a Helm chart, and Terraform, with more approaches on the way.

All the data Curiefense collects and the analysis it performs are kept within your own systems. Nothing is exported to third-party sites or databases.

“Modern cloud native deployments need sophisticated edge networking security and, historically, open solutions have lacked in this space,” said Matt Klein, creator of Envoy Proxy, in a statement. “Curiefense takes a new open approach to an age-old problem and I am very excited to see this unique solution on the market. The Envoy community looks forward to working with the Curiefense team to iterate and collaborate on this critical initiative.”

You can certainly use Curiefense as is. Besides being open source it comes with a full API. But Reblaze will offer its own commercial automation layer to make it easy to deploy, maintain, and use. This version of the program will also be updated more often.

Reblaze will also offer Curiefense as a fully hosted and managed SaaS offering. This version will be available on most of the popular public clouds. This will include Amazon Web Services (AWS), Azure, Digital Ocean, and the Google Cloud Platform.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker, Real.