Cloud Services / Security / Service Mesh / Contributed

Operationalizing Security in a Decentralized, Service-Based Architecture

10 Dec 2020 6:00am, by

Jonathan Holmes
Jonathan Holmes is the CTO overseeing Grey Matter, the universal mesh network platform. Grey Matter enhances hybrid operations with an insight first approach based on service mesh, security, and automation.

Multicloud and hybrid deployment models present security challenges that require more rigorous command, control, and policy mechanisms when compared to traditional IT strategies. Decentralized service-based architectures make the implementation of a perimeter difficult, while hybrid and multicloud deployments make it obsolete. Instead, these systems, made up of services, applications, and libraries, often rely on tight process and controls, granular access/authorization policies, and mutually trusted connections.

Cloud native security shouldn’t be separated from security for existing IT investments either. Most enterprises need to secure an entire applications ecosystem, including on-premises, monolithic applications that have probably been in production for years. These existing investments are often the main data providers driving any new cloud native capability. The principles behind operationalizing cloud native security revolve around embracing application-level network automation to reduce complexity. These principles apply to practically all aspects of cloud native development and operations, and cross-cut into existing investments. Implementing and operationalizing cross-environment security correctly requires embracing cloud native style automation and seamless mesh networking infrastructure applied across the entire IT security spectrum.

Here are a handful of things organizations should consider when thinking about how to approach security across cloud native applications, multicloud platforms, and existing infrastructure.

Organizational Maturity

Organizations need to understand that their ability to adopt certain cloud native tools will depend on both their current IT topology and their organizational maturity. When considering security tools and strategy, it’s important to be realistic about the maturity of your enterprise architecture and the skill level of your engineering team. Sometimes teams get excited to try out new software or open source projects without considering how they fit in ongoing projects and existing capabilities, and how challenging they are to implement and maintain at scale. Prematurely adopting such tools can increase your inherent risk, or worse-case, introduce catastrophic and costly failures.

Enterprise IT, often made up of multiple solutions, requires appropriate governance policies to ensure they are configured in accordance with best practices and your specific enterprise infrastructure requirements. They require technical sophistication to connect each decentralized microservice to each other and to other systems. For organizations considering how to manage a security model across both cloud native and existing IT investments, this becomes vitally important.

Connecting Greenfield and Brownfield Systems

Even organizations with highly mature cloud native systems often maintain a portfolio of existing IT investments consisting of on-premise, cloud, and SaaS applications, all processing and sharing information in use by the enterprise. These on-premise investments are often the most critical to the business, storing, processing, and providing key data and information to other enterprise IT assets. These investments cannot be ignored as they are equally important to cloud native applications or externally hosted SaaS solutions.

The key is to create an enterprise mesh networking layer that can offer security, control, compliance, and insight for all of your IT investments, regardless of deployment model, cloud, or platform vendor. This mesh networking layer can make the audit trail seamless across the network, services, and applications for your on-premise, cloud native, and SaaS IT ecosystem. Having this data accessible drives increased enterprise observability and eases the burden of application and service policy management. The implementation of an enterprise mesh networking layer also allows for the rapid introduction of enterprise-wide security rules and policies that can be tailored to decentralized endpoints. This makes it easier for teams to govern their solutions while giving risk insight and management at the enterprise level. Other side benefits of this approach include: surfacing a deep understanding of the componentry of any system running on your network, how the system connects together, and to other things, and what information is being shared throughout your decentralized IT space. Understanding each of these is critical to any company’s approach to modernization.

Reducing Cognitive Load

As you may have noticed while reading this article, there’s a big learning curve associated with securing decentralized workloads across cloud native and on-premise IT environments in a service-based architecture. Operators need to consider workload topologies and systems. More importantly, they need to understand how each system interacts with each other across clouds, data centers, and even continents. Organizations need to prepare for decentralized applications, services, and tools all running in distributed platforms on multiple cloud- and hybrid environments. They need new infrastructure layers to simplify operations, increase automation, and reduce cognitive load day-to-day. This makes it possible to decrease time to resolution and speed up the deployment process while minimizing security risk.

The new infrastructure layer should enable applications and service delivery to be seamless across the enterprise service-based architecture. It must be granular and close to the applications, APIs, services, and databases that run your enterprise; not only a perimeter “front door.”  It should be able to bridge networks regardless of cloud, implementation, or topology. The new infrastructure layer should normalize and capture telemetry, audits, logs, and statistics regardless of cloud or platform. It should allow for command and control, especially in terms of security Auth N / Auth Z across cloud native, on-premise, and even SaaS solutions being used by your enterprise. Most importantly, this new layer should help you make sense of the policies implemented, and assist in analysis of IT Operations data captured, across your decentralized IT infrastructure.

Conclusion

Bringing all of the relevant information together into a world-class “overwatch” system makes it easier to spot anomalies and identify the best corrective actions. Surfacing this information into comprehensive visualizations and allowing operators to interact with the underlying components will not only reduce cognitive load, but increase confidence in your IT organization’s ability to meet business needs. This can be accomplished through the use of a managed mesh networking infrastructure, and organized, for example, as a common operational picture that includes security telemetry, audits, and click-stream information.

This type of system eliminates a number of security issues in a service-based architecture. Two issues are particularly relevant to this article. One is human limitation. If humans need to check dozens of dashboards and back-end data sets in order to get information about a potential security incident or to monitor the system for vulnerabilities, they will surely miss something. The second risk comes from the misalignment of signal data gleaned from sys logs and developer-driven instrumentation. Both automated systems and humans may miscorrelate a signal as it moves between environments, erroneously thinking there is a vulnerability when there isn’t, or missing a critical vulnerability when there is.

Security is about protecting the entire IT portfolio. Organizations shouldn’t think of security for cloud native apps and platforms, SaaS services, and existing systems as separate concerns. A security breach is a security breach, and customers ultimately won’t care whether or not it happened in a cloud native app or in an existing one. Successfully managing security for the entire IT portfolio requires starting with a realistic assessment of the organization’s maturity level, skill sets, and the application’s relationship to other parts of the infrastructure. Organizations should focus on automating as much as possible and collecting data from sources, networks, and environments together into a new set of IT information that can be used to gauge true security enterprise awareness. Doing so will greatly enhance the organization’s overall security posture.

Feature image via Pixabay.

A newsletter digest of the week’s most important stories & analyses.