TNS
VOXPOP
Will real-time data processing replace batch processing?
At Confluent's user conference, Kafka co-creator Jay Kreps argued that stream processing would eventually supplant traditional methods of batch processing altogether.
Absolutely: Businesses operate in real-time and are looking to move their IT systems to real-time capabilities.
0%
Eventually: Enterprises will adopt technology slowly, so batch processing will be around for several more years.
0%
No way: Stream processing is a niche, and there will always be cases where batch processing is the only option.
0%
 
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Why Cloud Native Expertise Is so Hard to Hire for, and What to Do Instead
Sep 29th 2023 10:00am, by Michael Schmid
4 Benefits of Choosing a CNAPP for Cloud Security
Sep 28th 2023 11:12am, by Chris Tozzi
Oracle Touts New AppDev Tools, Distributed Cloud Support
Sep 20th 2023 9:18am, by Chris J. Preimesberger
Next-Gen Observability: Monitoring and Analytics in Platform Engineering
Sep 12th 2023 4:00am, by Robert Kimani
Is Policy as Code the Cure for Multicloud Config Chaos?
Sep 11th 2023 12:13pm, by Tzvika Shahaf
Harden Ubuntu Server to Secure Your Container and Other Deployments
Sep 16th 2023 6:00am, by Jack Wallen
Run GUI Applications as Containers with x11docker
Sep 9th 2023 6:00am, by Jack Wallen
Dive: A Simple App for Viewing the Contents of a Docker Image
Sep 2nd 2023 3:00am, by Jack Wallen
Kubernetes Isn't Always the Right Choice
Aug 21st 2023 7:02am, by Rak Siva
Monitor, Control and Debug Docker Containers with WhaleDeck
Aug 19th 2023 7:00am, by Jack Wallen
Edge AI: How to Make the Magic Happen with Kubernetes
Sep 14th 2023 4:00am, by Saad Malik
Cloud to Edge AI with a Mobile Database Platform
Aug 28th 2023 8:42am, by Mark Gamble
Dev News: React Still King, Vercel AI Tools, Netlify Connect
Jun 17th 2023 4:00am, by Loraine Lawson
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by Jason Myers
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by Chris J. Preimesberger
5 Best Practices for Securing Your API Gateway
Sep 29th 2023 11:51am, by David Sudia
The Basics of Event-Driven Architectures
Sep 22nd 2023 7:45am, by Jim Moffitt
A Microservices Outcome: Testing Boomed
Sep 15th 2023 11:15am, by Alex Williams
Event-Driven Microservices Offer Flexibility and Real-Time Responsiveness
Sep 13th 2023 10:00am, by Hugh McKee
Britive: Just-in-Time Access across Multiple Clouds
Sep 7th 2023 3:00am, by Susan Hall
Performant and Programmable Telco Networking with eBPF
Aug 11th 2023 10:00am, by Bill Mulligan
Create a Samba Share and Use from in a Docker Container
Jul 29th 2023 6:00am, by Jack Wallen
CIOs, Heed On-Premises App and Infrastructure Performance
Jul 5th 2023 1:21pm, by Gregg Ostrowski
Hasura Launches New Data Network for APIs Only
Jun 29th 2023 9:36am, by Chris J. Preimesberger
Unveiling the Future of Application Networking: Trends and Impacts
Jun 28th 2023 11:06am, by Bilgin Ibryam
The Security-First Mindset to Unlocking the AWS Opportunity 
Aug 9th 2023 8:14am, by David Melamed
3 Reasons Why Teams Move Away from AWS Lambda
Jul 18th 2023 10:00am, by Jonathan Michaux
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
How Goldsky Democratizes Streaming Data for Web3 Developers
Oct 2nd 2023 8:46am, by Yaroslav Tkachenko
NoSQL Data Modeling Mistakes that Ruin Performance
Sep 27th 2023 9:00am, by Felipe Cardeneti Mendes
Address High Scale Google Drive Data Exposure with Bulk Remediation
Sep 26th 2023 10:00am, by Adam Gavish
Battling the Steep Price of Storage for Real-Time Analytics
Sep 22nd 2023 6:00am, by B. Cameron Gain
Unlock Data’s Full Potential with a Mature Analytics Strategy
Sep 8th 2023 10:16am, by Venkat Ramakrishnan
AI Frontend Development Software Development TypeScript WebAssembly Cloud Services Data Security
GitLab's Security Officer on an Easier Path to App Security
Oct 2nd 2023 5:00am, by
The Pinnacle of Real-Time Data Analysis: Stream Processing
Oct 2nd 2023 3:00am, by
Ghost in the IDE: Testing Replit's AI Helper, Ghostwriter
Sep 30th 2023 7:00am, by
Dev News: Deno's New Queues, AI Plays at Cloudflare, MongoDB
Sep 30th 2023 4:00am, by
How Generative AI Can Support DevOps and SRE Workflows
Sep 28th 2023 7:00am, by
GitLab's Security Officer on an Easier Path to App Security
Oct 2nd 2023 5:00am, by
Dev News: Deno's New Queues, AI Plays at Cloudflare, MongoDB
Sep 30th 2023 4:00am, by
Angular, Qwik Creator on How JS Frameworks Handle Reactivity
Sep 29th 2023 11:12am, by
The Goldilocks CDE: Gitpod Fits Between SaaS and Self-Hosted
Sep 29th 2023 7:57am, by
The Angular Renaissance: Why Frontend Devs Should Revisit It
Sep 26th 2023 8:15am, by
How Goldsky Democratizes Streaming Data for Web3 Developers
Oct 2nd 2023 8:46am, by
Microsoft Releases Its Own Distro of Java 21
Oct 2nd 2023 7:59am, by
Why Staying Updated with Your Software Stack Matters
Oct 2nd 2023 6:56am, by and
GitLab's Security Officer on an Easier Path to App Security
Oct 2nd 2023 5:00am, by
Ghost in the IDE: Testing Replit's AI Helper, Ghostwriter
Sep 30th 2023 7:00am, by
The Angular Renaissance: Why Frontend Devs Should Revisit It
Sep 26th 2023 8:15am, by
Dev News: A 'Nue' Frontend Dev Tool; Panda and Bun Updates
Sep 16th 2023 4:00am, by
Dev News: Svelte 5 vs. VanillaJS and Google’s Project IDX
Aug 12th 2023 8:00am, by
Dev News: Dart Frog Now Stable, Redwood Updates Bundler
Aug 4th 2023 7:00am, by
Dev News: Spotify's TypeScript SDK, Retool Tools, Deno 1.35
Jul 15th 2023 7:00am, by
What Is WebAssembly?
Sep 25th 2023 4:00am, by
Can WebAssembly Get Its Act Together for a Component Model?
Sep 14th 2023 9:33am, by
WebAssembly Reaches a Cloud Native Milestone
Sep 11th 2023 7:50am, by
Is It too Early to Leverage AI for WebAssembly?
Sep 6th 2023 10:28am, by
Rust and C++ Work Better for WebAssembly
Aug 9th 2023 6:50am, by
The Goldilocks CDE: Gitpod Fits Between SaaS and Self-Hosted
Sep 29th 2023 7:57am, by
Install Cloud Foundry on Azure Kubernetes Clusters
Sep 22nd 2023 1:13pm, by
MySQL HeatWave Gets Generative AI and JavaScript, Slew of New Features
Sep 21st 2023 10:18am, by
Oracle Introduces New App Analytics Platform, Enhances Analytics Cloud
Sep 21st 2023 6:47am, by
OpenAI Chats about Scaling LLMs at Anyscale's Ray Summit
Sep 19th 2023 8:58am, by
How Goldsky Democratizes Streaming Data for Web3 Developers
Oct 2nd 2023 8:46am, by
The Pinnacle of Real-Time Data Analysis: Stream Processing
Oct 2nd 2023 3:00am, by
How We Built the New JSON API for Cassandra and Astra DB
Sep 29th 2023 9:01am, by and
An Introduction to Stream Processing
Sep 29th 2023 6:15am, by
How LLMs Helped Me Build an ODBC Plugin for Steampipe
Sep 28th 2023 10:50am, by
GitLab's Security Officer on an Easier Path to App Security
Oct 2nd 2023 5:00am, by
5 Best Practices for Securing Your API Gateway
Sep 29th 2023 11:51am, by
Secure Go APIs with Decentralized Identity Tokens, Part 3
Sep 29th 2023 8:02am, by
Demo: How Codefresh and Its Argo Core Improve Security
Sep 29th 2023 4:00am, by
4 Benefits of Choosing a CNAPP for Cloud Security
Sep 28th 2023 11:12am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
Making the Leap: Ops Roles Evolve into Platform Engineers
Sep 29th 2023 8:30am, by Pravanjan Choudhury
Humanitec: The Golden Path to Platform Engineering
Sep 28th 2023 8:11am, by Joab Jackson
The Pillars of Platform Engineering: Part 6 — Observability
Sep 27th 2023 6:12am, by Michael Fonseca
Software Delivery Enablement, Not Developer Productivity
Sep 26th 2023 7:00am, by Jennifer Riggins
The Pillars of Platform Engineering: Part 5 — Orchestration
Sep 26th 2023 6:14am, by Michael Fonseca
The Insider’s Guide to Building a Multi-Arch Infrastructure
Oct 2nd 2023 12:05pm, by Cheryl Hung
Why Staying Updated with Your Software Stack Matters
Oct 2nd 2023 6:56am, by Andrei Kuiukov and Aleksei Iakovlev
Deploy the Latest Version of the Nextcloud with Just Two Commands
Sep 30th 2023 6:00am, by Jack Wallen
Why Cloud Native Expertise Is so Hard to Hire for, and What to Do Instead
Sep 29th 2023 10:00am, by Michael Schmid
How Generative AI Can Support DevOps and SRE Workflows
Sep 28th 2023 7:00am, by Kevin Casey
Demo: How Codefresh and Its Argo Core Improve Security
Sep 29th 2023 4:00am, by Heather Joslyn
Dev News: Svelte 5, AI Bot for Android Studio, and GitHub Tools
Sep 23rd 2023 4:00am, by Loraine Lawson
The 6 Pillars of Platform Engineering: Part 2 — CI/CD & VCS Pipeline
Sep 21st 2023 8:07am, by Michael Fonseca
CloudBees Scales Jenkins, Redefines DevSecOps
Sep 21st 2023 5:00am, by Darryl K. Taft
Lessons IT Can Steal from Hackers
Aug 31st 2023 3:00am, by Loraine Lawson
Microsoft Releases Its Own Distro of Java 21
Oct 2nd 2023 7:59am, by Darryl K. Taft
How 2023's 'Ig Nobel' Prize Ceremony Celebrates Curiosity
Oct 1st 2023 9:00am, by David Cassel
Why Cloud Native Expertise Is so Hard to Hire for, and What to Do Instead
Sep 29th 2023 10:00am, by Michael Schmid
Bad Documentation, Bad Documentation
Sep 29th 2023 3:00am, by B. Cameron Gain
How Listening to the Customer Can Boost Innovation
Sep 28th 2023 8:54am, by Sean Scott
The Insider’s Guide to Building a Multi-Arch Infrastructure
Oct 2nd 2023 12:05pm, by Cheryl Hung
Why Staying Updated with Your Software Stack Matters
Oct 2nd 2023 6:56am, by Andrei Kuiukov and Aleksei Iakovlev
How We Built the New JSON API for Cassandra and Astra DB
Sep 29th 2023 9:01am, by Jeff Carpenter and Aaron Morton
Making the Leap: Ops Roles Evolve into Platform Engineers
Sep 29th 2023 8:30am, by Pravanjan Choudhury
Demo: How Codefresh and Its Argo Core Improve Security
Sep 29th 2023 4:00am, by Heather Joslyn
What Happens to DevOps When the Kubernetes Adrenaline Rush Ends?
Sep 28th 2023 8:05am, by Martin Thwaites
A Microservices Outcome: Testing Boomed
Sep 15th 2023 11:15am, by Alex Williams
Edge AI: How to Make the Magic Happen with Kubernetes
Sep 14th 2023 4:00am, by Saad Malik
WebAssembly Reaches a Cloud Native Milestone
Sep 11th 2023 7:50am, by B. Cameron Gain
Kubernetes Building Blocks: Nodes, Pods, Clusters
Sep 11th 2023 6:00am, by Robert Kimani
Bad Documentation, Bad Documentation
Sep 29th 2023 3:00am, by B. Cameron Gain
What Happens to DevOps When the Kubernetes Adrenaline Rush Ends?
Sep 28th 2023 8:05am, by Martin Thwaites
Build a Home Internet Speed Test with Grafana and InfluxDB
Sep 19th 2023 9:24am, by Jessica Wachtel
Top Ways to Reduce Your Observability Costs: Part 2
Sep 12th 2023 9:38am, by Amanda Mitchell
Next-Gen Observability: Monitoring and Analytics in Platform Engineering
Sep 12th 2023 4:00am, by Robert Kimani
Kubernetes 1.28 Accommodates the Service Mesh, Sudden Outages
Aug 18th 2023 10:08am, by Joab Jackson
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
DevOps / Security

Shifting Zero Trust Left with Cloud Native Software

A guideline for setting security policies to cloud native software.
Aug 12th, 2019 3:00am by
Featued image for: Shifting Zero Trust Left with Cloud Native Software

Gadi Naor
Gadi Naor brings 15 years of experience in leading the development of cybersecurity products to his role as CTO and co-founder of Alcide. Gadi has blended his management and technological background in various positions. Gadi worked at CheckPoint where he served as business development manager and senior developer, leading the development of CheckPoint’s Firewall core security engine and VPN software. He then served as a senior software engineer at Altor Networks, a pioneer in virtualized data center security that was later acquired by Juniper Networks, where he continued to serve as a senior software engineer. Prior to co-founding Alcide, Gadi was the co-founder and CTO of Fitfully, a microservice-based system.

As companies seek to reduce the time required to deliver new features in cloud native applications, the use of off-the-shelf and third-party code, particularly open source, is altering the scope of cybersecurity for developers. Estimates go as high as 80 to 90 percent of the code in cloud native applications originates from open source components.

This change in the composition of code forces a shift in the territory that today must be protected by DevOps professionals. Rather than focusing solely on the software development lifecycle, DevOps professionals must now expand their perspective on how to secure the entire software supply chain.

“Combining Zero Trust and continuous scanning allows enterprises to balance performance needs with security requirements.”

The software supply chain represents all of the contributed software components (whether the source code or as pre-packaged components) as well as the delivery systems, channels and processes that eventually deploy code into a staging or production environment. The unknown development skills and motivations of third parties create a challenging security risk, which can lead to inadvertent security flaws, or deliberate injection of malware. Security and DevOps teams must now protect against components that were produced, and sometimes integrated into the application code, without supervision or proper security vetting.

Apply Zero Trust to Kubernetes and Container Environments

The natural response to the substantial scope of software supply chain risk is to trust no one and nothing, and to expand the notion of Zero Trust to include other risk vectors. While Zero Trust is an excellent place to establish a baseline of security, it must be done in a way that does not compromise the business’ agility or innovation.

Begin with a foundation of best practices:

  1. Ensure the start environment for clusters are initially configured for “full hygiene” in accordance with best practices recommended by platforms such as Kubernetes and Istio. The default configuration is sometimes optimized to make the system easily accessible to development teams, but does not necessarily represent a production-ready, hardened and locked-down configuration.
  2. Make sure the infrastructure software has the latest patches and updates, with the increasing number of vulnerabilities being disclosed around container runtime.

Deploy the cluster and fine-tune access controls:

  1. Use admission control in production to enforce policies and prevent resources that violate policies and hygiene level from being admitted to the cluster.
  2. Unless explicitly approved and required, reduce the runtime privileges of your workloads, and avoid running them as root or at any elevated privileges; use AppArmor/seccomp profiles to control the risk surface.
  3. Run workloads with an immutable file system, to reduce the risk if the system is compromised.
  4. Apply segmentation and isolation policies based on the workload at runtime.
  5. Watch the configuration to avoid leaking secrets, passwords and keys.
  6. Ensure network policies are applied.
  7. Control network access to worker nodes.

These guidelines will establish a strong initial baseline for the security of our applications, but it’s not all that can be done.

Continuous Kubernetes Hygiene — From Continuous Deployment

Total application of Zero Trust is a process that enterprises may take longer to adopt and implement. Enterprises may want to balance that effort against delivery velocity. The result is that within Kubernetes access controls for less critical components — and sometimes the entire cluster — are loosened. While this creates security gaps from a network and access control perspective, applying guard rails to risks introduces an important mitigation layer. These guard rails can be plugged into the CD part of CI/CD. This extended version of Zero Trust can work in harmony with DevOps, acting as an enabler for velocity and security.

Just as traditional image vulnerability scanning served as a workload pre-flight risk analysis that may be employed at runtime, we can apply similar policy and risk-driven checks for each and every deployment event to achieve a continuous scanning of the workload to see what is running and to understand the levels of integrity and hygiene. Whether the trigger is a single code commit or a batch, we can catch drifts before they end up in production.

For example, we look for embedded secrets or secrets wired into the wrong locations that an astute intruder, internal user or other system component could leverage to access sensitive data. Applying these guard rails on the test cluster can yield immediate results.

Continuous scanning enables DevOps to monitor the evolving security state of the application. Rather than depending on stale knowledge of the security state of the application at deployment time, scanning detects new vulnerabilities that appear after deployment. DevOps monitors the evolving security status and reacts to changes in the security situation.

Balance the Guard Rails and Delivery Velocity

Enterprises must now protect their cloud native applications from security risks introduced by the software supply chain. Combining Zero Trust and continuous scanning allows enterprises to balance performance needs with security requirements. Critical components are hardened and less critical components are freed to perform under careful supervision. In this way, companies can implement a Zero Trust approach to security that addresses the complexities of new, accelerated development models and empower DevOps teams to employ continuous security practices in a balanced way that doesn’t hinder agility or speed.

Feature image via Pixabay.

Group Created with Sketch.
SHARE THIS STORY
RELATED STORIES
How Generative AI Can Support DevOps and SRE Workflows Software Delivery Enablement, Not Developer Productivity DevOps, DevSecOps, and SecDevOps Offer Different Advantages Don't Listen to a Vendor about AI, Do the DevOps Redo Making the Leap: Ops Roles Evolve into Platform Engineers
TNS owner Insight Partners is an investor in: Velocity.
RELATED STORIES
Why Staying Updated with Your Software Stack Matters How to Create an Internal Developer Portal MVP Can ChatGPT Save Collective Kubernetes Troubleshooting? What Happens to DevOps When the Kubernetes Adrenaline Rush Ends? DevOps, DevSecOps, and SecDevOps Offer Different Advantages
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.