TNS
VOXPOP
What news from AWS re:Invent last week will have the most impact on you?
Amazon Q, an AI chatbot for explaining how AWS works.
0%
Super-fast S3 Express storage.
0%
New Graviton 4 processor instances.
0%
Emily Freeman leaving AWS.
0%
I don't use AWS, so none of this will affect me.
0%
 
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Top 5 Trends in Cloud Native Software Testing in 2023
Dec 6th 2023 10:45am, by Bruno Lopes
How to Know If You’re Building the Right Internal Tools
Dec 5th 2023 7:16am, by Heather Joslyn
Microsoft’s New .NET Dev Tool Draws Community Support
Nov 30th 2023 8:54am, by Darryl K. Taft
Amazon S3 Express One Zone Introduces Near-Real Time Object Storage
Nov 28th 2023 1:20pm, by Joab Jackson
Cloud Native Users Struggle to Achieve Benefits, Report Says
Nov 28th 2023 5:00am, by Charles Humble
Demystifying Container Security for Developers
Nov 28th 2023 12:21pm, by David Benas
Why Securing Containers Is Like Going to the Dentist
Nov 17th 2023 7:09am, by Neta Krakover
Dell GA's APEX Cloud Platform for Red Hat OpenShift
Nov 2nd 2023 11:00am, by Chris J. Preimesberger
Lynis: Run a Security Audit on Linux for Free
Oct 28th 2023 6:00am, by Jack Wallen
Why Capistrano Got Usurped by Docker and Then Kubernetes
Oct 25th 2023 1:53pm, by David Eastman
Arm Pushes AI into the Smallest IoT Devices with Cortex-M52 Chip
Nov 27th 2023 1:06pm, by Jeffrey Burt
TikTok to Open Source 'Cloud-Neutralizing' Edge Accelerator
Nov 20th 2023 8:30am, by Joab Jackson
Docker at the Edge: How Machine Learning Transformed Fowl Task
Nov 9th 2023 10:28am, by Loraine Lawson
The 2023 State of Kubernetes in Production
Nov 7th 2023 8:10am, by Jennifer Riggins
Edge AI: How to Make the Magic Happen with Kubernetes
Sep 14th 2023 4:00am, by Saad Malik
Why Testing Must Shift Left for Microservices
Dec 6th 2023 8:28am, by Arjun Iyer
Securing Microservices Communication with mTLS in Kubernetes
Nov 28th 2023 3:00am, by Robert Kimani
AppMap Releases Runtime Code Review as a GitHub Action
Nov 21st 2023 3:00am, by Susan Hall
Why Microservices Aren’t Working for You
Nov 20th 2023 6:34am, by Ned Harris
The Struggle for Microservice Integration Testing
Nov 10th 2023 6:30am, by Nočnica Mellifera
Why Is IPv6 Adoption Slow?
Nov 13th 2023 9:20am, by Tucker Preston
Effective Traffic Management with Kubernetes Gateway API Policies
Nov 7th 2023 3:00am, by Robert Kimani
Enhancing Kubernetes Networking with the Gateway API
Nov 3rd 2023 3:30am, by Robert Kimani
Cilium CNCF Graduation Could Mean Better Observability, Security with eBPF
Oct 13th 2023 4:00am, by B. Cameron Gain
Performant and Programmable Telco Networking with eBPF
Aug 11th 2023 10:00am, by Bill Mulligan
State of Serverless Computing and Event Streaming in 2024
Dec 4th 2023 7:17am, by Tun Shwe
Netlify Launches Composable Web Platform for Enterprise Devs
Oct 19th 2023 9:00am, by Richard MacManus
4 Factors of a WebAssembly Native World
Oct 12th 2023 9:00am, by Liam Crilly
Raising the Serverless Bar: Infrastructure APIs Unleash More Value for Enterprises
Oct 10th 2023 10:00am, by Tyson Trautmann
The Security-First Mindset to Unlocking the AWS Opportunity 
Aug 9th 2023 8:14am, by David Melamed
Amazon S3 Express One Zone Introduces Near-Real Time Object Storage
Nov 28th 2023 1:20pm, by Joab Jackson
How Epic Games Revs up Unreal Engine 'Cook Time' for Devs
Nov 28th 2023 7:20am, by Cynthia Dunlop
How to Get Data Warehouse Performance on the Data Lakehouse
Nov 20th 2023 9:00am, by Sida Shen
MongoDB vs. ScyllaDB: A Comparison of Database Architectures
Nov 13th 2023 1:06pm, by Daniel Seybold
Doing DynamoDB Better, More Affordably, All at Once
Oct 30th 2023 11:00am, by Tzach Livyatan and Felipe Cardeneti Mendes
AI Frontend Development Software Development TypeScript WebAssembly Cloud Services Data Security
AI Will Create Demand and Empower Developers, Not Replace Them
Dec 6th 2023 8:54am, by
2024 Forecast: What Can Developers Expect in the New Year?
Dec 6th 2023 7:38am, by
Decoding Amazon’s Generative AI Strategy
Dec 6th 2023 5:00am, by
4 Key Tips for Building Better LLM-Powered Apps
Dec 5th 2023 10:44am, by
From RAG to Riches: Dispelling AI Hallucinations
Dec 5th 2023 9:58am, by
Vercel Adds New Features Designed to Support Monorepos
Dec 6th 2023 1:01pm, by
The Pros and Cons of Using React Today
Dec 4th 2023 8:48am, by
Dev News: Astro 4.0 Beta, Rust / Kotlin AWS SDKs, Deno Cron
Dec 2nd 2023 7:00am, by
Tackling AI's Black Box: Howso Challenges PyTorch and JAX
Nov 30th 2023 3:00am, by
The State of the Open Web: 3 Takeaways Heading into 2024
Nov 29th 2023 10:26am, by
Vercel Adds New Features Designed to Support Monorepos
Dec 6th 2023 1:01pm, by
AI Will Create Demand and Empower Developers, Not Replace Them
Dec 6th 2023 8:54am, by
Why Testing Must Shift Left for Microservices
Dec 6th 2023 8:28am, by
2024 Forecast: What Can Developers Expect in the New Year?
Dec 6th 2023 7:38am, by
Think Like a Developer to Help Dev Teams Ship Faster
Dec 6th 2023 5:57am, by
How to Get Advantages of TypeScript in JavaScript
Oct 27th 2023 10:51am, by
Dev News: Udemy's New Docker Program, Plus TypeScript Beta
Oct 7th 2023 5:01am, by
The Angular Renaissance: Why Frontend Devs Should Revisit It
Sep 26th 2023 8:15am, by
Dev News: A 'Nue' Frontend Dev Tool; Panda and Bun Updates
Sep 16th 2023 4:00am, by
Dev News: Svelte 5 vs. VanillaJS and Google’s Project IDX
Aug 12th 2023 8:00am, by
JetBrains Developer Survey Tracks Rapid Adoption of AI
Dec 5th 2023 8:30am, by
Why WebAssembly Is a Good Fit for Extensible Control Planes
Nov 29th 2023 1:36pm, by
Dev News: Vite Rust-ifies, Roc Language, JS Framework SDKs
Nov 24th 2023 7:30am, by
WebAssembly's Status in Computing
Nov 14th 2023 11:14am, by
Who's Leading WebAssembly Adoption? So Far, Vendors
Nov 6th 2023 6:00am, by
Decoding Amazon’s Generative AI Strategy
Dec 6th 2023 5:00am, by
State of Serverless Computing and Event Streaming in 2024
Dec 4th 2023 7:17am, by
4 Guidelines to Tame Your Hybrid Cloud Migration
Nov 30th 2023 8:00am, by
Amazon Q, a GenAI to Understand AWS (and Your Business Docs)
Nov 29th 2023 8:47am, by
VMware Unveils a Pile of New Data Services for Its Cloud
Nov 22nd 2023 8:44am, by
What Is Operational Resilience?
Dec 5th 2023 9:57am, by
How DoorDash Migrated from Aurora Postgres to CockroachDB
Dec 5th 2023 3:00am, by
Baserow: A No Code, Open Source Alternative to Airtable
Dec 2nd 2023 6:00am, by
Tackling AI's Black Box: Howso Challenges PyTorch and JAX
Nov 30th 2023 3:00am, by
Docker CTO Explains How Docker Can Support AI Efforts
Nov 28th 2023 10:09am, by
2024 Forecast: What Can Developers Expect in the New Year?
Dec 6th 2023 7:38am, by
Stytch Takes the Hassle out of Passkey Authentication
Dec 5th 2023 5:00am, by
Akin to SBOM, Trivy Adds KBOM Vulnerability Scanning to K8s
Dec 4th 2023 12:16pm, by
Mitigate OWASP Security Top Threats with an API Gateway
Nov 29th 2023 10:40am, by
How Cilium’s Mutual Authentication Can Compromise Security
Nov 29th 2023 9:14am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
The Hype Train Is Over. Platform Engineering Is Here to Stay
Dec 4th 2023 10:07am, by Carrie Tang
Demo: Self-Service Kubernetes with Rafay’s Backstage Plugins
Dec 4th 2023 6:44am, by Richard Gall
Cloud Migration and Platform Engineering at Large Organizations
Dec 4th 2023 3:00am, by Jennifer Riggins
Measuring the Impact of Your Platform Engineering Strategy
Nov 30th 2023 9:30am, by David Williams
How to Mature Your DevOps Automation Practices
Nov 30th 2023 6:32am, by Saif Gunja
What Is Operational Resilience?
Dec 5th 2023 9:57am, by Robert Kimani
JetBrains Developer Survey Tracks Rapid Adoption of AI
Dec 5th 2023 8:30am, by Lawrence E Hecht
How to Know If You’re Building the Right Internal Tools
Dec 5th 2023 7:16am, by Heather Joslyn
How Meta Patches Linux at Hyperscale
Dec 1st 2023 3:00am, by Steven J. Vaughan-Nichols
How a Popular Combo Provides DDoS Protection
Nov 29th 2023 8:12am, by Andrey Slastenov
How to Observe Your CI/CD Pipelines with OpenTelemetry
Nov 28th 2023 7:40am, by Adriana Villela and Reese Lee
How to Use Databases Inside GitHub Actions
Nov 9th 2023 9:40am, by Gerald Venzl
Securing CI/CD Pipelines: A Comprehensive Approach Is Vital
Oct 25th 2023 6:06am, by Noah Simon
Continuous Release: Move Faster without Breaking Things
Oct 19th 2023 10:55am, by Karishma Irani
No Workflow Is an Island
Oct 13th 2023 7:09am, by Mark Fussell
Hundreds of Employees Face Layoffs in Wake of Broadcom-VMware Merger
Dec 5th 2023 10:58am, by Chris J. Preimesberger
As a Manager, You’re the Referee, Not the Coach
Dec 5th 2023 7:43am, by Kevin Clark
How to Know If You’re Building the Right Internal Tools
Dec 5th 2023 7:16am, by Heather Joslyn
2023's Gift Ideas for the Programmer in Your Life
Dec 3rd 2023 6:00am, by David Cassel
Tech Works: How to Build a Life-Long Career in Engineering
Dec 1st 2023 5:00am, by Jennifer Riggins
AI Will Create Demand and Empower Developers, Not Replace Them
Dec 6th 2023 8:54am, by Tony Graham
The Hype Train Is Over. Platform Engineering Is Here to Stay
Dec 4th 2023 10:07am, by Carrie Tang
Breaking Down the Wall in DevOps
Dec 1st 2023 5:30am, by Laura Santamaria
Top 5 Best Practices for Naming OpenTelemetry Attributes
Dec 1st 2023 4:00am, by Carl Brahms
Thinking in Systems: A Sociotechnical Approach to DevOps
Nov 30th 2023 8:22am, by Tao Hansen
Reimagining Multicluster Kubernetes with k0s/k0smotron
Dec 6th 2023 10:00am, by Jussi Nummelin
Akin to SBOM, Trivy Adds KBOM Vulnerability Scanning to K8s
Dec 4th 2023 12:16pm, by Itay Shakury
HPC Kubernetes: AI Training on 3,500 GPUs
Dec 4th 2023 10:20am, by Joab Jackson
Demo: Self-Service Kubernetes with Rafay’s Backstage Plugins
Dec 4th 2023 6:44am, by Richard Gall
Microsoft’s New .NET Dev Tool Draws Community Support
Nov 30th 2023 8:54am, by Darryl K. Taft
How to Know If You’re Building the Right Internal Tools
Dec 5th 2023 7:16am, by Heather Joslyn
Top 5 Best Practices for Naming OpenTelemetry Attributes
Dec 1st 2023 4:00am, by Carl Brahms
Hey Programming Language Developer — Get over Yourself
Nov 30th 2023 12:30pm, by Alex Williams
OpenTelemetry for Go Is Almost a Go
Nov 29th 2023 7:22am, by B. Cameron Gain
How to Observe Your CI/CD Pipelines with OpenTelemetry
Nov 28th 2023 7:40am, by Adriana Villela and Reese Lee
Using JWTs to Authenticate Services Unravels API Gateways
Nov 8th 2023 6:53am, by Christian Posta and Peter Jausovec
Enhancing Kubernetes Networking with the Gateway API
Nov 3rd 2023 3:30am, by Robert Kimani
Linkerd Enterprise Creators: Keep the Sidecar Mesh
Oct 31st 2023 7:05am, by B. Cameron Gain
Scaling Environments with OpenTelemetry and Service Mesh
Oct 17th 2023 11:13am, by Anirudh Ramanathan
Kubernetes 1.28 Accommodates the Service Mesh, Sudden Outages
Aug 18th 2023 10:08am, by Joab Jackson
Security

Security in the Modern Data Center

Feb 27th, 2018 8:55am by
Featued image for: Security in the Modern Data Center

Nitzan Niv
Nitzan Niv is a 20-year veteran of the software industry. He is currently the system architect at Alcide, as well as leading its security research. Previously he worked for eight years at Imperva creating the internal web-application security research platform and contributing to various Web Application Firewall research projects and publications. He holds an M.Sc. in Computer Science, M.E. in Systems Engineering and B.Sc. in Computer Engineering from The Technion – Israel Institute of Technology.

In recent years there have been drastic changes in the way enterprise data centers are designed and implemented. Driven by business demands, data centers are adapted to the prevailing software architecture and DevOps methodologies and built using new technologies. The use of public and private clouds is on the rise, and virtualization technologies now play a major role in every organization’s infrastructure. These trends promise benefits like infrastructure scale and elasticity, a better match between applications’ software structure (distributed microservices) and deployment (containers and virtual machines), operational costs savings and fast development and release cycles.

At the same time, securing the data center has never been more important. Highly-publicized data breaches and other successful cyberattacks that occurred in the last year impacted thousands of organizations, affected hundreds of millions of people and cost billions of dollars. As the data center becomes more complex and dynamic, growing in scale to match the business requirements and relying heavily on diverse and relatively new cloud and virtualization technologies, the task of securing it is going to become even more difficult.

Virtual Environments and Application Security

The National Institute of Standards and Technology, a division of the U.S. Department of Commerce, is well known in the security community for its standards and recommendations that guide many organizations towards secure culture, policies and technological infrastructure. Its recently publicized guidance, the Application Container Security Guide, analyzes the unique risks posed by containerized applications and advises organizations how to secure them. The first recommendation, “Tailor the organization’s operational culture and technical processes to support the new way of developing, running, and supporting applications made possible by containers,” sets the tone for analysis, implying that modern data centers require a major shift in enterprise strategy and means of securing them, in order to keep pace with the new methodologies of developing and running applications.

The document goes on to emphasize that securing the data center requires tools that were designed from the ground up for this purpose. The authors explain that existing security tools are simply not up for the task of securing the virtualization-based infrastructure, as they were designed before such an environment was envisioned.

The NIST document identifies several areas in which the use of containers introduces new elements into the data center, each with its own security risks:

  1. Images: The static archives that include all the components used to run an application.
  2. Registry: The service that allows developers to store images as they are created, and to tag and catalog images for identification, version control, discovery and reuse.
  3. Orchestrator: The service that enables DevOps personas or automation tools working on their behalf to pull images from registries, deploy those images into containers and manage the running containers. This deployment process is what results in a usable version of the app, running and ready to respond to requests.
  4. Container Runtime: The virtualization layer that isolates different application components from each other and from the host’s operating system, while enabling them to utilize the local resources like CPU, memory, file system and network interfaces.
  5. Host Operating System: The operating system of the “actual” computer on which the container runtime is executing.

If the security risks related to the new elements of the container-based data center are not enough, all virtualization technologies and cloud deployments also impose new risks on the traditional elements of the data center. Unless the existing security and operations methodologies and tools are adapted to the new reality, these new security gaps leave the data center vulnerable to attacks.

Critical Applications in Your Data Center

As the architecture of the data center, as well as the applications running in it, are inherently distributed, a crucial element to the operation of the applications is the network that enables all their components to interact with each other. At first glance, security risks related to the network are well known and there are good traditional practices and tools to alleviate these risks. However, in a virtual-deployments world those risks are exacerbated.

In the modern data center, different applications share the same virtual network. At the same time, in most container and virtualization runtimes, by default, individual application components can access each other and the host OS over the network. For example, a public-facing web server and an internal database containing sensitive information are using the same virtual network. Therefore, sensitive internal applications may be exposed to greater risk from network attack: If the web server is compromised by an attacker, the attack can be extended over the internal network of the cluster to infect the database and access the data in it. It is not enough to secure the perimeter of the data center, as malicious traffic may be directed to critical applications from other applications and containerized components inside the data center.

A well-established security practice to address this issue is to create and enforce network segmentation through policies that prohibit connectivity between different sets of applications. However, in a modern data center with a large and continuously changing collection of applications and microservices, this becomes a difficult task. It is hard to identify and keep track of thousands of applications’ services that are being added, removed or modified at the fast rate expected of DevOps teams. Rogue (unplanned or unsanctioned) containers and virtual machines may become a common occurrence, especially in development environments, where developers may launch containers as a means of testing their code. If these hosted components are not scanned for vulnerabilities and checked for proper configuration, they may be susceptible to exploits. They may persist in the environment without the awareness of development teams and security administrators, be swallowed in the sea of other containers and virtual machines and become a foothold for attackers inside the organization.

Egress network access is also more complex to manage in a virtualized environment than in the traditional data center because so many of the connections between applications components are virtualized. Thus, traffic from one container to another may appear simply as encapsulated packets on the network without directly indicating the ultimate source, destination or payload. Tools and operational processes that are not aware of the virtualization context are not able to inspect this traffic or determine whether it represents a threat.

Principles for an Updated Security Methodology

The NIST security recommendations for application container security emphasizes that containers represent a transformational change in the way applications are built and run. They do not necessitate dramatically new security best practices; however, well-established techniques and principles should be updated and expanded to take the risks particular to container technologies into account. These necessary changes apply equally well to other forms of virtualization environments and cloud-based infrastructure.

Security processes and tools must be able to work effectively at the scale of the virtualized data center. Security teams faced with a high rate of change in the environment must be assisted with tools that have full visibility into the detailed data center structure and the network interactions between its components while simplifying the human experts’ task of creating, maintaining and enforcing security policies. Some of the burdens of creating such policies may shift to the application developers, who have the best understanding of the necessary communication patterns of specific applications, while operations and security teams must still ensure conformance to global policies. This implies that a shared view of the data center must be presented to, and understood by, all stakeholders.

Security must be as portable as the containers and virtual machines themselves, so organizations should adopt techniques and tools that are open and work across platforms and environments (for example, with different cloud providers and virtualization technologies).

The security challenges in the new data center are an opportunity to improve its security.

Alcide sponsored this post.

TRENDING STORIES
Group Created with Sketch.
Nitzan Niv is a 20-year veteran of the software industry. He is currently the system architect at Alcide, as well as leading its security research. Previously he worked for eight years at Imperva creating the internal web-application security research platform...
Read more from Nitzan Niv
SHARE THIS STORY
TRENDING STORIES
TRENDING STORIES
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.