Security Technology Executive

SEP-OCT 2018

Issue link: https://securitytechnologyexecutive.epubxp.com/i/1030460


14 SECURITY TECHNOLOGY EXECUTIVE • September/October 2018 • www.SecurityInfoWatch.com

Continued from page 10 | Continued from page 9 | Continued from page 12
Protect Your Login Process | Smart Buildings and Security Tech | How-To Secure Microservices and Containers
TECH TRENDS | CYBERTECH | CONVERGENCE Q&A

Access control to the sub-network may be inadequate, and network changes can be challenging, leading to inadequate security and delays in application provisioning. This is all part of the larger picture of virtualization. Rather than calling this a software-defined network, VMware uses the term Software-Defined Data Center (SDDC), recognizing that multiple applications co-habit virtual environments along with the network infrastructure they require. It uses the VXLAN (Virtual Extensible LAN) protocol to provision a virtual overlay network: a virtual network built on top of existing Layer 2 and Layer 3 technologies, i.e. existing switches and routers, to support flexible and scalable network architectures.

Network virtualization technology is hardware agnostic and decouples network services from the underlying hardware. Think of this as a software-defined "super network" sitting above various existing networks, with the ability to tie pieces of these together without being limited by physical location (think enterprise networks). Enhanced switching, routing, firewalling and load balancing are provisioned in software. Network and security services in software are distributed to hypervisors, the virtual machine (VM) managers such as VMware's, and "attached" to individual VMs in accordance with the networking and security policies defined for each application. When a VM is moved to another physical host, its networking and security services move with it, and security policies can be extended to new VMs provisioned for new applications.
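The overlay described above can be made concrete with a small model of two tunnel endpoints. The following is an added example written for this page, not code from the article or from VMware; the host addresses, segment numbers (VNIs) and MAC addresses are constructed, and the `Vtep` class is a deliberately minimal stand-in for what a hypervisor's virtual switch does with the RFC 7348 VXLAN header.

```python
"""VXLAN overlay encapsulation with VNI-scoped delivery (added example).

Constructed illustration of the overlay network described above, not code
from the article or from VMware. Two virtual tunnel endpoints (VTEPs), one per
hypervisor host, wrap a VM's Ethernet frame in the 8-byte VXLAN header of
RFC 7348 and hand it to the physical underlay, which sees only outer IP/UDP
to port 4789. Host addresses, segment numbers and MACs are made up.
"""
import struct

VXLAN_UDP_PORT = 4789
VNI_FLAG = 0x08  # "I" bit: the VNI field is valid


def vxlan_encap(vni, frame):
    """Prepend the VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VNI_FLAG, b"\x00\x00\x00", vni << 8) + frame


def vxlan_decap(payload):
    """Return (vni, frame); raise ValueError on a malformed header."""
    if len(payload) < 8:
        raise ValueError("short VXLAN payload")
    flags, _, vni_field = struct.unpack("!B3sI", payload[:8])
    if not flags & VNI_FLAG:
        raise ValueError("VNI flag not set")
    return vni_field >> 8, payload[8:]


def ethernet_frame(dst_mac, src_mac, payload, ethertype=0x0800):
    """Minimal Ethernet II frame: dst(6) src(6) type(2) payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


class Vtep:
    """Tunnel endpoint on one host. `segments` maps VNI -> MACs of the local
    VMs attached to that virtual network, the table a network-virtualization
    controller would push down as policy."""

    def __init__(self, ip, segments):
        self.ip = ip
        self.segments = {vni: frozenset(macs) for vni, macs in segments.items()}
        self.delivered = []  # (vni, dst_mac, payload) handed to a local VM
        self.dropped = []    # (reason, vni)

    def send(self, frame, peer):
        """Tag the frame with the VNI of the segment its source VM sits in
        (the VM does not choose), encapsulate, and hand it to the underlay.
        The returned dict is all a physical switch or router sees."""
        src_mac = frame[6:12]
        vni = next((v for v, macs in self.segments.items() if src_mac in macs), None)
        if vni is None:
            self.dropped.append(("source VM not attached to a segment", None))
            return {}
        outer = {"src_ip": self.ip, "dst_ip": peer.ip,
                 "udp_dport": VXLAN_UDP_PORT, "payload": vxlan_encap(vni, frame)}
        peer.receive(outer)
        return outer

    def receive(self, outer):
        """Decapsulate and deliver only within the frame's own segment."""
        if outer.get("udp_dport") != VXLAN_UDP_PORT:
            return
        try:
            vni, frame = vxlan_decap(outer["payload"])
        except ValueError as exc:
            self.dropped.append((str(exc), None))
            return
        if vni not in self.segments:
            self.dropped.append(("no such segment on this host", vni))
            return
        dst_mac = frame[:6]
        if dst_mac not in self.segments[vni]:
            # The same MAC may exist in another tenant's segment: the VNI,
            # not the MAC, decides which VMs are reachable.
            self.dropped.append(("destination not in segment", vni))
            return
        self.delivered.append((vni, dst_mac, frame[14:]))


# Constructed topology: tenant A (VNI 5001) spans both hosts; tenant B
# (VNI 5002) lives only on host 2 and reuses one of tenant A's MACs.
MAC_A1 = bytes.fromhex("020000000a01")
MAC_A2 = bytes.fromhex("020000000a02")
MAC_B1 = MAC_A2


def demo():
    host1 = Vtep("10.0.0.1", {5001: {MAC_A1}})
    host2 = Vtep("10.0.0.2", {5001: {MAC_A2}, 5002: {MAC_B1}})
    # 1. Tenant A's VM on host 1 reaches tenant A's VM on host 2; the frame
    #    is delivered in segment 5001 even though tenant B shares the MAC.
    outer = host1.send(ethernet_frame(MAC_A2, MAC_A1, b"tenant A data"), host2)
    # 2. A segment unknown to host 2 is dropped there.
    host2.receive({"udp_dport": VXLAN_UDP_PORT,
                   "payload": vxlan_encap(7000, ethernet_frame(MAC_A2, MAC_A1, b"x"))})
    # 3. VXLAN itself carries no authentication: a forged underlay packet
    #    tagged with tenant B's VNI is delivered to tenant B.
    host2.receive({"udp_dport": VXLAN_UDP_PORT,
                   "payload": vxlan_encap(5002, ethernet_frame(MAC_B1, MAC_A1, b"forged"))})
    return {"underlay_sees": {k: v for k, v in outer.items() if k != "payload"},
            "delivered": host2.delivered, "dropped": host2.dropped}
```

Calling `demo()` shows the two sides of the design: the underlay only ever handles outer IP/UDP, and the VNI (not the MAC) scopes who can be reached, which is the isolation the overlay provides. Case 3 is the caveat a practitioner should keep in mind: the VXLAN header carries no authentication or encryption, so a host or attacker on the physical underlay that can inject packets to port 4789 can inject frames into any segment. Isolation therefore rests on trusting or encrypting the underlay and on the per-VM firewalling the text describes, not on the tunnel header alone.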
Network virtualization creates, provisions and manages virtual networks, using the underlying physical network as a simple packet-forwarding backplane. Communication within a virtual network never leaves the virtual environment. Further, network configurations can be replicated across multiple clouds for resiliency.

• Protection: A much more robust solution results from applying both zero-trust and least-privilege access control across all three layers, greatly reducing the probability that a complete attack succeeds. For example, a code-injection attack followed by an attempted remote shell and data exfiltration spans multiple layers of the security stack.

• Detection: Anomalies across all three layers can be better correlated, greatly improving the signal-to-noise ratio for detecting attacks. Signals from all three layers give a better view of the kill chain an attack will use than any single layer can. For example, a runtime violation can be correlated with port scans or brute-force attempts that probe for open APIs on a microservice.

2. Identity-driven: Is the solution based on the zero-trust principle of authenticating and authorizing every transaction? Identity paves the path to scalable encryption across all microservices. A popular technique, mutual TLS (transport layer security), has both ends of a connection present certificates during the TLS handshake, so each microservice is authenticated, and can then be authorized, before any application data flows. Once a microservice has been assigned an identity, that identity can become an integral part of the authorization decision for the TLS session. Authentication and authorization policies are strengthened when they are identity-driven: the more context available to identify a microservice, the stronger the policy can be.
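The Detection point above is easiest to see with the signals in hand. The following is an added example written for this page, not code from the article or from any product: three single-layer detectors run over constructed log lines for a network port scan, an API brute-force attempt and a runtime violation, and a correlator raises a high-confidence alert only when more than one layer agrees on the same workload. The log format, field names, thresholds and sample lines are all assumptions made for the example.

```python
"""Cross-layer correlation of microservice signals (added example).

Constructed illustration of the Detection point above, not code from the
article or any product: single-layer detectors (network port scan, API brute
force, runtime policy violation) fire on their own, and the correlator raises a
high-confidence alert only when several layers agree on one workload within a
window. Log format, field names, thresholds and sample lines are made up.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <layer> <workload> <source> key=value ..."
SAMPLE_LOGS = """\
2018-09-01T10:00:01 network payments 203.0.113.7 dport=22
2018-09-01T10:00:02 network payments 203.0.113.7 dport=80
2018-09-01T10:00:02 network payments 203.0.113.7 dport=443
2018-09-01T10:00:03 network payments 203.0.113.7 dport=8080
2018-09-01T10:00:03 network payments 203.0.113.7 dport=8443
2018-09-01T10:01:10 api payments 203.0.113.7 status=401 path=/v1/refund
2018-09-01T10:01:11 api payments 203.0.113.7 status=401 path=/v1/refund
2018-09-01T10:01:12 api payments 203.0.113.7 status=401 path=/v1/refund
2018-09-01T10:01:13 api payments 203.0.113.7 status=401 path=/v1/refund
2018-09-01T10:01:14 api payments 203.0.113.7 status=401 path=/v1/refund
2018-09-01T10:03:30 runtime payments container-4f2a exec=/bin/sh
2018-09-01T10:05:00 runtime search container-91c0 exec=/bin/sh
2018-09-01T10:06:00 api catalog 198.51.100.9 status=401 path=/v1/items
2018-09-01T10:06:01 api catalog 198.51.100.9 status=401 path=/v1/items
"""
SCAN_PORTS, BRUTE_FORCE_401S = 5, 5      # per-source thresholds inside DETECT_WINDOW
DETECT_WINDOW = timedelta(minutes=1)
CORRELATE_WINDOW = timedelta(minutes=10)
ALERT_LAYERS = 2                         # layers that must agree for "high"

Event = namedtuple("Event", "ts layer workload source detail")
Signal = namedtuple("Signal", "ts layer workload what")


def parse_log(text):
    """Parse the constructed line format into time-ordered Events."""
    events = []
    for line in text.splitlines():
        ts, layer, workload, source, *kv = line.split()
        detail = dict(item.split("=", 1) for item in kv)
        events.append(Event(datetime.fromisoformat(ts), layer, workload, source, detail))
    return sorted(events, key=lambda e: e.ts)


def threshold_signals(events, layer, key_fn, threshold, what):
    """Sliding-window detector for one layer: one Signal per (workload, source)
    the first time `threshold` distinct keys occur within DETECT_WINDOW."""
    seen = defaultdict(list)
    signals = {}
    for i, e in enumerate(events):
        key = key_fn(i, e) if e.layer == layer else None
        if key is None:
            continue
        bucket = (e.workload, e.source)
        seen[bucket].append((e.ts, key))
        recent = {k for ts, k in seen[bucket] if e.ts - ts <= DETECT_WINDOW}
        if len(recent) >= threshold and bucket not in signals:
            signals[bucket] = Signal(e.ts, layer, e.workload, f"{what} from {e.source}")
    return list(signals.values())


def detect_runtime_violations(events):
    """Runtime layer: an interactive shell spawned inside a container is a
    policy violation on its own (assumed policy)."""
    return [Signal(e.ts, "runtime", e.workload, f"{e.detail['exec']} spawned in {e.source}")
            for e in events
            if e.layer == "runtime" and e.detail.get("exec") in ("/bin/sh", "/bin/bash")]


def correlate(signals):
    """Per workload, anchor on the latest signal (the furthest kill-chain stage)
    and count the distinct layers seen within CORRELATE_WINDOW before it."""
    by_workload = defaultdict(list)
    for s in signals:
        by_workload[s.workload].append(s)
    alerts = {}
    for workload, sigs in by_workload.items():
        sigs.sort(key=lambda s: s.ts)
        chain = [s for s in sigs if sigs[-1].ts - s.ts <= CORRELATE_WINDOW]
        layers = sorted({s.layer for s in chain})
        alerts[workload] = {"severity": "high" if len(layers) >= ALERT_LAYERS else "low",
                            "layers": layers,
                            "chain": [f"{s.ts:%H:%M:%S} {s.layer}: {s.what}" for s in chain]}
    return alerts


def analyse(text=SAMPLE_LOGS):
    """Run all three detectors over the log and correlate their signals."""
    events = parse_log(text)
    signals = (threshold_signals(events, "network", lambda i, e: e.detail.get("dport"),
                                 SCAN_PORTS, "port scan")
               + threshold_signals(events, "api",
                                   lambda i, e: i if e.detail.get("status") == "401" else None,
                                   BRUTE_FORCE_401S, "brute force")
               + detect_runtime_violations(events))
    return correlate(signals)
```

`analyse()` returns one alert per workload that produced any signal. In the constructed data, `payments` gets a high-severity alert with a three-step chain (scan, brute force, shell), `search` gets only a low-severity alert because a lone shell exec may be a developer debugging, and `catalog` produces nothing because two failed logins are below threshold. The thresholds and windows are starting points to tune against real traffic; the design point is that a signal from one layer is corroborated, not merely counted, by the others.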
Security Tech Scenario-Based Design

For any building, but especially for a smart building, there are several components to security technology design thinking:
• Building and area security
• Personal safety
• Building convenience
• An enhanced building experience

This is why it is important to have early discussions about the building experience and all the building technologies involved, and to thoroughly describe the intended building experience for building occupants, visitors, building management and the technology stakeholders. That full vision is the only sound basis for developing security technology use cases, whose descriptions establish the security technology requirements. When designing the security systems and their integrations, remember to include the technology infrastructure management tools needed, such as Viakoo (Viakoo.com), to assure system uptime and high performance.

Identity enhancement considerations include:
• Leverage vulnerability data from container image scans.
• Use container metadata to build a multi-attribute identity. Containers are most often generated automatically by a CI/CD pipeline and carry a significant amount of metadata, which can include the type of container, the image it is running, or even a reference back to the code commit that triggered the container's creation.

3. Heterogeneous: Can it be deployed across heterogeneous environments? Typically started as a small initiative, most microservice and cloud-native adoption projects have specific scopes, and there is always a brownfield deployment in which microservices depend on monoliths. A microservice security solution must be able to operate in multiple environments, since services can be hosted in both public and private environments and under a variety of orchestration systems such as Kubernetes, VMware or EC2 Container Service.
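The identity-driven point (2) and the identity enhancement considerations above come together when the authorization decision uses more than the name in a certificate. The following is an added example written for this page, not code from the article or from any service mesh. It assumes that mutual TLS has already authenticated the calling service and that the SPIFFE-style URI from its certificate's SAN has been extracted for us; it also assumes the CI/CD pipeline has recorded which image digest it built from which commit and the worst finding of the image vulnerability scan. The identifiers, digests, labels and policy are constructed for the example; the OCI label key `org.opencontainers.image.revision` is the standard annotation for the source revision.

```python
"""Identity-driven authorization from a multi-attribute workload identity (added example).

Constructed illustration of the identity-driven and identity-enhancement points
above; not code from the article or from any service mesh. It assumes mutual
TLS has already authenticated the peer and handed us the SPIFFE-style URI from
its certificate SAN, and that the CI/CD pipeline recorded the image digest it
built from each commit plus the image scan result. All IDs are made up.
"""
from dataclasses import dataclass

SEVERITY = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class WorkloadIdentity:
    spiffe_id: str          # URI SAN from the mTLS peer certificate
    image_digest: str       # what the orchestrator says is actually running
    commit: str             # container label: source revision that built it
    scan_max_severity: str  # worst finding from the image scan


@dataclass(frozen=True)
class Rule:
    client: str
    server: str
    methods: frozenset
    max_scan_severity: str = "medium"


def identity_from_metadata(spiffe_id, image_digest, labels, scan_max_severity):
    """Fold container metadata into the TLS identity. The OCI annotation
    org.opencontainers.image.revision is the standard label for the commit;
    a container without it yields an identity the policy below refuses."""
    return WorkloadIdentity(spiffe_id, image_digest,
                            labels.get("org.opencontainers.image.revision", ""),
                            scan_max_severity)


# Constructed CI record: commit -> image digest the pipeline built from it.
CI_BUILDS = {"a1b2c3d": "sha256:4f2a9c", "e5f6a7b": "sha256:91c0d3"}

ORDERS = "spiffe://shop.example/ns/prod/sa/orders"
CART = "spiffe://shop.example/ns/prod/sa/cart"
PAYMENTS = "spiffe://shop.example/ns/prod/sa/payments"

POLICY = [Rule(ORDERS, PAYMENTS, frozenset({"POST /v1/charge"}))]


def authorize_by_name(client, server, method, policy=POLICY):
    """Name-only allow-list: all it knows is the SAN. Kept for contrast."""
    return any(r.client == client.spiffe_id and r.server == server and method in r.methods
               for r in policy)


def authorize(client, server, method, policy=POLICY, ci_builds=CI_BUILDS):
    """Identity-driven decision: the name selects the rule, and the remaining
    attributes must corroborate it. Returns (allowed, reason)."""
    rule = next((r for r in policy if r.client == client.spiffe_id and r.server == server), None)
    if rule is None:
        return False, "no rule for this client/server pair"
    if method not in rule.methods:
        return False, f"{method} not permitted for {client.spiffe_id}"
    expected = ci_builds.get(client.commit)
    if expected is None:
        return False, "commit unknown to CI: image provenance cannot be established"
    if expected != client.image_digest:
        return False, "running image digest does not match the CI build for its commit"
    if SEVERITY[client.scan_max_severity] > SEVERITY[rule.max_scan_severity]:
        return False, f"image scan severity {client.scan_max_severity} exceeds {rule.max_scan_severity}"
    return True, "name, provenance and scan attributes all corroborate"


# Constructed callers: the same authenticated name with different metadata.
GOOD_ORDERS = identity_from_metadata(
    ORDERS, "sha256:4f2a9c", {"org.opencontainers.image.revision": "a1b2c3d"}, "low")
STALE_ORDERS = identity_from_metadata(
    ORDERS, "sha256:91c0d3", {"org.opencontainers.image.revision": "e5f6a7b"}, "critical")
UNKNOWN_ORDERS = identity_from_metadata(ORDERS, "sha256:deadbe", {}, "none")
CART_ID = identity_from_metadata(
    CART, "sha256:4f2a9c", {"org.opencontainers.image.revision": "a1b2c3d"}, "none")
```

The contrast is the point: `authorize_by_name` admits every caller presenting the `orders` identity, including one running an old image with a critical finding and one with no provenance at all, while `authorize` admits only the caller whose running image matches what CI built for its commit and whose scan is within the rule's tolerance. In practice the digest and labels come from the orchestrator and the scan result from the registry, and the check runs in the sidecar or the service itself after the TLS handshake.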
In general, within a microservice environment it is vital to address all aspects of the core protection and visibility use cases of a distributed application. With challenges facing both the developer and the security practitioner, it is crucial that security teams understand the full set of requirements if the implementation is to succeed. Proper hygiene, monitoring, logging and compliance are required for a comprehensive microservice security solution. At every layer of the security stack, keep these three questions top of mind to ensure success: is it comprehensive, is it identity-driven, and is it heterogeneous?
