Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Top 3 Application Security Must-Haves
May 26th 2023 7:59am, by Guilherme (Gui) Alvarenga
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
How Otomi Helped the City of Utrecht Move to Kubernetes
May 15th 2023 10:00am, by Sander Rodenhuis
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How to Containerize a Python Application with Packeto Buildpacks
May 29th 2023 5:00am, by Sylvain Kalache
Can Rancher Deliver on Making Kubernetes Easy?
May 27th 2023 7:00am, by Jack Wallen
Red Hat Podman Container Engine Gets a Desktop Interface
May 23rd 2023 7:30am, by Joab Jackson
Scan Container Images for Vulnerabilities with Docker Scout
May 20th 2023 6:00am, by Jack Wallen
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by Alex Handy
Building a Plant Monitoring Tool with IoT
May 8th 2023 9:27am, by Zoe Steinkamp
How to Choose and Model Time Series Databases
Apr 28th 2023 3:00am, by Robert Kimani
How to Optimize Queries for Time Series Data
Apr 27th 2023 12:00pm, by Robert Kimani
Calyptia Core 2.0 Tackles Fleet Management for Observability
Apr 26th 2023 6:49am, by Jelani Harper
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by Susan Hall
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Spring Cloud Gateway: The Swiss Army Knife of Cloud Development
May 8th 2023 6:47am, by Juergen Sussner
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
How to Decide Between a Layer 2 or Layer 3 Network
Apr 25th 2023 10:00am, by Gino Dion
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
Wireshark Celebrates 25th Anniversary with a New Foundation
Mar 28th 2023 5:00am, by Joab Jackson
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by Joab Jackson
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
IBM's Quiet Approach to AI, Wasm and Serverless
May 4th 2023 6:00am, by Loraine Lawson
Cloud Control Planes for All: Implement Internal Platforms with Crossplane
Apr 13th 2023 10:00am, by Bassam Tabbara
Raft Native: The Foundation for Streaming Data’s Best Future
May 30th 2023 9:44am, by Doug Flora
Why the Document Model Is More Cost-Efficient Than RDBMS
May 25th 2023 9:24am, by Rick Houlihan
Amazon Aurora vs. Redshift: What You Need to Know
May 25th 2023 6:27am, by Casey Samulski
Boost DevOps Maturity with a Data Lakehouse
May 17th 2023 10:20am, by Guido Deinhammer
Vercel Offers Postgres, Redis Options for Frontend Developers
May 1st 2023 9:00am, by Loraine Lawson
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Bluesky vs. Nostr — Which Should Developers Care About More?
May 30th 2023 7:51am, by
Bad by Design: The World of Intentionally Awful User Interfaces
May 28th 2023 6:00am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
4 Anti-Patterns That Microsoft Recommends Web Devs Avoid
May 26th 2023 6:56am, by
New Image Trends Frontend Developers Should Support
May 25th 2023 6:00am, by
How AI Can Learn from Open Source Struggles
May 30th 2023 11:43am, by
Oracle Support for MySQL 5.7 Ends Soon, Key Upgrades in 8.0
May 30th 2023 10:35am, by
Raft Native: The Foundation for Streaming Data’s Best Future
May 30th 2023 9:44am, by
Building AI-Driven Applications with a Multimodal Approach 
May 30th 2023 8:44am, by
Cloud Security: Don’t Confuse Vendor and Tool Consolidation
May 30th 2023 6:24am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
Dev News: Angular v16, plus Node.js and TypeScript Updates
Apr 22nd 2023 4:00am, by
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by
JavaScript or WebAssembly: Which Is More Energy Efficient and Faster?
Jan 30th 2023 9:51am, by
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by
New Image Trends Frontend Developers Should Support
May 25th 2023 6:00am, by
Could WebAssembly Be the Key to Decreasing Kubernetes Use?
May 22nd 2023 6:00am, by
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by
Dev News: Dart 3 Meets Wasm, Flutter 3.10, and Qwik ‘Streamable JavaScript’
May 13th 2023 9:00am, by
Cloud Dependencies Need to Stop F---ing Us When They Go Down
May 25th 2023 10:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
A Boring Kubernetes Release
May 19th 2023 12:23pm, by
Optimizing Mastodon Performance with Sidekiq and Redis Enterprise
May 18th 2023 10:30am, by and
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by
Oracle Support for MySQL 5.7 Ends Soon, Key Upgrades in 8.0
May 30th 2023 10:35am, by
Raft Native: The Foundation for Streaming Data’s Best Future
May 30th 2023 9:44am, by
Building AI-Driven Applications with a Multimodal Approach 
May 30th 2023 8:44am, by
Alteryx Announces AiDIN for AI-Powered Features
May 26th 2023 8:06am, by
Proprietary AI Models Are Dead. Long Live Proprietary AI Models 
May 26th 2023 6:13am, by
Alteryx Announces AiDIN for AI-Powered Features
May 26th 2023 8:06am, by
Proprietary AI Models Are Dead. Long Live Proprietary AI Models 
May 26th 2023 6:13am, by
AI Talk at KubeCon
May 24th 2023 1:36pm, by
Better Data Logistics Is the Key to Effective Machine Learning
May 24th 2023 10:00am, by
FAQ: What Is Automated Incident Response?
May 24th 2023 6:04am, by
How to Integrate OpenShift with Keycloak
May 30th 2023 11:00am, by
Cloud Security: Don’t Confuse Vendor and Tool Consolidation
May 30th 2023 6:24am, by
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by
Top 3 Application Security Must-Haves
May 26th 2023 7:59am, by
Better Security with ChatGPT: Using AI's Defensive Strengths
May 26th 2023 6:00am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
Take a Platform Engineering Deep Dive at PlatformCon 2023
May 26th 2023 10:00am, by Carrie Tang
Developer Platforms: Key Findings from a Forrester Snapshot
May 19th 2023 10:52am, by Aeris Stewart
How Otomi Helped the City of Utrecht Move to Kubernetes
May 15th 2023 10:00am, by Sander Rodenhuis
IBM Cloud CTO: Pros Outweigh the Cons with Platform Engineering
May 5th 2023 6:00am, by Loraine Lawson
Infrastructure as Code or Cloud Platforms — You Decide!
May 2nd 2023 9:34am, by Venkat Thiruvengadam
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
Meet The Hobbyists Building Their Own DIY Cyberpunk Devices
May 29th 2023 6:00am, by David Cassel
Cloud Dependencies Need to Stop F---ing Us When They Go Down
May 25th 2023 10:00am, by Jeff Martens
AI Talk at KubeCon
May 24th 2023 1:36pm, by Alex Williams
Better Data Logistics Is the Key to Effective Machine Learning
May 24th 2023 10:00am, by Michael Tanenbaum
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
AI Has Become Integral to the Software Delivery Lifecycle
May 12th 2023 11:01am, by Richard MacManus
4 Core Principles of GitOps
May 11th 2023 2:17pm, by Alex Williams
5 Version-Control Tools Game Developers Should Know About
May 9th 2023 10:00am, by Sharone Zitzman
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
May 8th 2023 10:00am, by Mike Long
Bluesky vs. Nostr — Which Should Developers Care About More?
May 30th 2023 7:51am, by Richard MacManus
Meet The Hobbyists Building Their Own DIY Cyberpunk Devices
May 29th 2023 6:00am, by David Cassel
Bad by Design: The World of Intentionally Awful User Interfaces
May 28th 2023 6:00am, by David Cassel
Is Open Source the Original Product-Led Growth?
May 25th 2023 7:32am, by Kim McMahon
AppSec 'Worst Practices' with Tanya Janca 
May 24th 2023 8:08am, by Taylor Armerding
Cloud Security: Don’t Confuse Vendor and Tool Consolidation
May 30th 2023 6:24am, by Rani Osnat
Take a Platform Engineering Deep Dive at PlatformCon 2023
May 26th 2023 10:00am, by Carrie Tang
Developer Guide: A New Way to Build on the Slack Platform
May 26th 2023 8:30am, by Lauren Gil
Better Security with ChatGPT: Using AI's Defensive Strengths
May 26th 2023 6:00am, by Jeff Goldman
Is Open Source the Original Product-Led Growth?
May 25th 2023 7:32am, by Kim McMahon
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
Can Rancher Deliver on Making Kubernetes Easy?
May 27th 2023 7:00am, by Jack Wallen
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Overcoming the Kubernetes Skills Gap with ChatGPT Assistance
May 23rd 2023 11:00am, by Dev Nag
Could WebAssembly Be the Key to Decreasing Kubernetes Use?
May 22nd 2023 6:00am, by Loraine Lawson
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by Jessica Wachtel
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by Loraine Lawson
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
Security

Security in the Modern Data Center

Feb 27th, 2018 8:55am by
Featued image for: Security in the Modern Data Center

Nitzan Niv
Nitzan Niv is a 20-year veteran of the software industry. He is currently the system architect at Alcide, as well as leading its security research. Previously he worked for eight years at Imperva creating the internal web-application security research platform and contributing to various Web Application Firewall research projects and publications. He holds an M.Sc. in Computer Science, M.E. in Systems Engineering and B.Sc. in Computer Engineering from The Technion – Israel Institute of Technology.

In recent years there have been drastic changes in the way enterprise data centers are designed and implemented. Driven by business demands, data centers are adapted to the prevailing software architecture and DevOps methodologies and built using new technologies. The use of public and private clouds is on the rise, and virtualization technologies now play a major role in every organization’s infrastructure. These trends promise benefits like infrastructure scale and elasticity, a better match between applications’ software structure (distributed microservices) and deployment (containers and virtual machines), operational costs savings and fast development and release cycles.

At the same time, securing the data center has never been more important. Highly-publicized data breaches and other successful cyberattacks that occurred in the last year impacted thousands of organizations, affected hundreds of millions of people and cost billions of dollars. As the data center becomes more complex and dynamic, growing in scale to match the business requirements and relying heavily on diverse and relatively new cloud and virtualization technologies, the task of securing it is going to become even more difficult.

Virtual Environments and Application Security

The National Institute of Standards and Technology, a division of the U.S. Department of Commerce, is well known in the security community for its standards and recommendations that guide many organizations towards secure culture, policies and technological infrastructure. Its recently publicized guidance, the Application Container Security Guide, analyzes the unique risks posed by containerized applications and advises organizations how to secure them. The first recommendation, “Tailor the organization’s operational culture and technical processes to support the new way of developing, running, and supporting applications made possible by containers,” sets the tone for analysis, implying that modern data centers require a major shift in enterprise strategy and means of securing them, in order to keep pace with the new methodologies of developing and running applications.

The document goes on to emphasize that securing the data center requires tools that were designed from the ground up for this purpose. The authors explain that existing security tools are simply not up for the task of securing the virtualization-based infrastructure, as they were designed before such an environment was envisioned.

The NIST document identifies several areas in which the use of containers introduces new elements into the data center, each with its own security risks:

  1. Images: The static archives that include all the components used to run an application.
  2. Registry: The service that allows developers to store images as they are created, and to tag and catalog images for identification, version control, discovery and reuse.
  3. Orchestrator: The service that enables DevOps personas or automation tools working on their behalf to pull images from registries, deploy those images into containers and manage the running containers. This deployment process is what results in a usable version of the app, running and ready to respond to requests.
  4. Container Runtime: The virtualization layer that isolates different application components from each other and from the host’s operating system, while enabling them to utilize the local resources like CPU, memory, file system and network interfaces.
  5. Host Operating System: The operating system of the “actual” computer on which the container runtime is executing.

If the security risks related to the new elements of the container-based data center are not enough, all virtualization technologies and cloud deployments also impose new risks on the traditional elements of the data center. Unless the existing security and operations methodologies and tools are adapted to the new reality, these new security gaps leave the data center vulnerable to attacks.

Critical Applications in Your Data Center

As the architecture of the data center, as well as the applications running in it, are inherently distributed, a crucial element to the operation of the applications is the network that enables all their components to interact with each other. At first glance, security risks related to the network are well known and there are good traditional practices and tools to alleviate these risks. However, in a virtual-deployments world those risks are exacerbated.

In the modern data center, different applications share the same virtual network. At the same time, in most container and virtualization runtimes, by default, individual application components can access each other and the host OS over the network. For example, a public-facing web server and an internal database containing sensitive information are using the same virtual network. Therefore, sensitive internal applications may be exposed to greater risk from network attack: If the web server is compromised by an attacker, the attack can be extended over the internal network of the cluster to infect the database and access the data in it. It is not enough to secure the perimeter of the data center, as malicious traffic may be directed to critical applications from other applications and containerized components inside the data center.

A well-established security practice to address this issue is to create and enforce network segmentation through policies that prohibit connectivity between different sets of applications. However, in a modern data center with a large and continuously changing collection of applications and microservices, this becomes a difficult task. It is hard to identify and keep track of thousands of applications’ services that are being added, removed or modified at the fast rate expected of DevOps teams. Rogue (unplanned or unsanctioned) containers and virtual machines may become a common occurrence, especially in development environments, where developers may launch containers as a means of testing their code. If these hosted components are not scanned for vulnerabilities and checked for proper configuration, they may be susceptible to exploits. They may persist in the environment without the awareness of development teams and security administrators, be swallowed in the sea of other containers and virtual machines and become a foothold for attackers inside the organization.

Egress network access is also more complex to manage in a virtualized environment than in the traditional data center because so many of the connections between applications components are virtualized. Thus, traffic from one container to another may appear simply as encapsulated packets on the network without directly indicating the ultimate source, destination or payload. Tools and operational processes that are not aware of the virtualization context are not able to inspect this traffic or determine whether it represents a threat.

Principles for an Updated Security Methodology

The NIST security recommendations for application container security emphasizes that containers represent a transformational change in the way applications are built and run. They do not necessitate dramatically new security best practices; however, well-established techniques and principles should be updated and expanded to take the risks particular to container technologies into account. These necessary changes apply equally well to other forms of virtualization environments and cloud-based infrastructure.

Security processes and tools must be able to work effectively at the scale of the virtualized data center. Security teams faced with a high rate of change in the environment must be assisted with tools that have full visibility into the detailed data center structure and the network interactions between its components while simplifying the human experts’ task of creating, maintaining and enforcing security policies. Some of the burdens of creating such policies may shift to the application developers, who have the best understanding of the necessary communication patterns of specific applications, while operations and security teams must still ensure conformance to global policies. This implies that a shared view of the data center must be presented to, and understood by, all stakeholders.

Security must be as portable as the containers and virtual machines themselves, so organizations should adopt techniques and tools that are open and work across platforms and environments (for example, with different cloud providers and virtualization technologies).

The security challenges in the new data center are an opportunity to improve its security.

Alcide sponsored this post.

Group Created with Sketch.
Nitzan Niv is a 20-year veteran of the software industry. He is currently the system architect at Alcide, as well as leading its security research. Previously he worked for eight years at Imperva creating the internal web-application security research platform...
Read more from Nitzan Niv
SHARE THIS STORY
RELATED STORIES
Six Security Considerations for Serverless Environments Beautiful Visualization: Towards a Deeper Visualization for the Data Center Why a Firewall Can’t Protect Against a Memcache DDoS Attack CPX 2018: Sizing Up Cloud Security Fallout from Spectre and Meltdown How to Protect Containerized Workloads at Runtime
RELATED STORIES
Six Security Considerations for Serverless Environments Beautiful Visualization: Towards a Deeper Visualization for the Data Center Why a Firewall Can’t Protect Against a Memcache DDoS Attack CPX 2018: Sizing Up Cloud Security Fallout from Spectre and Meltdown Socket Adds ChatGPT to Its Vulnerability Detection Arsenal
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.