When it comes to microservices security, automation is critical. That's because a traditional perimeter approach -- where security tool protection compensates for application faults -- won't scale to meet the needs of a microservices architecture. And manual methods leave the stack prone to errors and unable to scale.
Security automation comes with the following benefits for applications:
- It enables more complete and comprehensive security because it catches problems missed by humans.
- It is more accurate than a manual human review.
- It may help to reduce conflict between various internal departments, such as engineering and compliance.
- It provides better visibility and control and eases the ability to report and document what happens at each application step.
- It places security policies in the software delivery pipeline first and then distributes them where necessary. This breaks down silos and helps promote DevSecOps.
A modern application stack has four layers: infrastructure, data, networking and application code. At each of these layers, containers and microservices introduce a new way to deliver apps. As a result, container orchestration tools like Kubernetes are central to microservices management.
While many security tools that work for standard applications produce effective results when applied to a microservices application, two aspects of microservices require additional attention and protection: application security and container security. Fortunately, there are plenty of advanced automation tools that support the fast and agile requirements of microservices security.
Testing and protection
Microservices application security is important because a microservices app rolls multiple services into one. Those services all work together to deliver a unified experience, and that means it's essential to perform dynamic testing on the services at the application level.
In a microservices system, networking occurs between the services, as well as at the instance level. Tools like Project Calico use an automated policy-based networking method to protect services using microfirewalls, with the aim of keeping healthy services safe when another service is compromised. The tool also registers new instances automatically and applies appropriate security policies.
Working with open source
Open source components make up large portions of the application stack. Many container tools, such as Docker, Kubernetes, Prometheus, Istio, Linkerd, gRPC and Spinnaker, are open source. However, to some, it can appear daunting to ensure these open source components are secure and up to date.
Microservices security tools, like WhiteSource, manage security for open source components. This utility automatically detects open source components at the code level, performs a usage review, consults the respective licensing models and then identifies possible risks.
Secure your container images
Containers changed the game for software delivery, but simply asking if Docker is secure is no longer enough. You need to secure each layer of the container system appropriately.
Remember to set up automatic scans of container images you download from public registries for vulnerabilities. Also, try to use private container registries that contain approved container images. This type of registry gives developers better access to needed container images and provides ops teams with assurance that automated security tools scanned and approved the container images.
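One way to enforce the approved-registry rule automatically in a delivery pipeline, shown as an added example that is not part of the original article or any vendor's tool: the check walks a Kubernetes manifest and rejects images that do not come from the private registry. The registry host, the sample manifest and the extra requirement that images be pinned by digest (so the deployed image is the one that was scanned) are assumptions made for this example.

```python
import re

# Assumption: hypothetical private registry host; substitute your own.
APPROVED_REGISTRIES = {"registry.internal.example"}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def registry_of(image):
    """Return the registry host of an image reference (Docker Hub if none is given)."""
    first, sep, _ = image.partition("/")
    # The first path component is a registry only if it looks like a host name.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"

def containers_in(manifest):
    """Yield containers from a Pod or from a workload with spec.template (Deployment etc.)."""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    for key in ("initContainers", "containers"):
        yield from pod_spec.get(key, [])

def check_manifest(manifest):
    """Return (container name, image, reason) for every image that breaks policy."""
    violations = []
    for c in containers_in(manifest):
        image = c.get("image", "")
        # Exact host match: a prefix test would accept look-alike registry names.
        if registry_of(image) not in APPROVED_REGISTRIES:
            violations.append((c.get("name"), image, "unapproved registry"))
        elif not DIGEST_RE.search(image):
            violations.append((c.get("name"), image, "not pinned by digest"))
    return violations

# Constructed sample manifest, not taken from any real deployment.
SAMPLE_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "initContainers": [
        {"name": "migrate", "image": "registry.internal.example/shop/migrate:1.4"}],
    "containers": [
        {"name": "api", "image": "registry.internal.example/shop/api@sha256:" + "a" * 64},
        {"name": "cache", "image": "redis:7"},
        {"name": "proxy", "image": "registry.internal.example.mirror.test/proxy:1"}],
}}}}

if __name__ == "__main__":
    for name, image, reason in check_manifest(SAMPLE_DEPLOYMENT):
        print(f"REJECT {name}: {image} ({reason})")
```

A pipeline step would fail the build when `check_manifest` returns a non-empty list; workloads that nest the pod template deeper, such as CronJobs, need an extra lookup that this example leaves out.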
A tool like Twistlock brings all these security measures into a single utility and provides threat detection during runtime. With its Cloud Native Application Firewall feature, Twistlock scans and filters traffic from external sources and then routes it to the appropriate containers. It uses machine learning to detect suspicious traffic sources and prevent them from reaching and infecting live containers.
Automation fosters the type of security that modern microservices applications require, and there are many tools to consider. At the application level, specialized tools must secure the networking layer and open source components. Thankfully, this new breed of tools automates security in a way that was never possible at the container level.