Microservices security requires an entirely different mindset from security for legacy applications, and IT pros say it starts with a zero-trust model and proper data classification.
The term zero-trust — like microservices and DevOps — means different things to different people, but at its most basic level, it refers to a security architecture in which all users and services on a network must authenticate to all endpoints, rather than one that allows access freely once users and services have passed a hardened network perimeter.
It calls for new tools and processes to establish more granular security shells around individual microservices and data stores, as well as real-time security monitoring. It also means that IT ops and security teams must learn new skills. But most of all, those with experience setting up practical microservices security in fast-moving zero-trust environments say it requires that IT pros understand the data they must protect, those from whom they must protect it and where the most important data assets lie.
“Start with one thing — what is the number one most important data that you feel is highest priority to protect and where is that stored?” said Kathy Wang, CISO at digital marketing analytics firm FullStory, who also served as CISO at GitLab until last month.
“Often, [IT has] trouble getting the budget, they have trouble getting the buy-in [from management for security],” Wang added. “If you start with one piece, you have a better chance of success, because you’ll be able to demonstrate the efficacy of that one, and then move out from there.”
Data classification for zero-trust more art than science
Even this first step, however, requires DevSecOps teams to identify their most sensitive data and where it resides in the microservices infrastructure, and such asset inventory and data classification must still be customized to each environment using human expertise, Wang said.
Kathy WangCISO, FullStory
“Tools vary depending on the environment and the data classification policy — there’s no one size that fits all or silver bullet,” she said. In Linux environments, teams can use Osquery, a tool developed by Facebook to gather data such as IP address, MAC address and OS version from all endpoints under management in a microservices security environment. Osquery also reports on specific attributes such as performance parameters, and when an endpoint was last restarted, installed or re-imaged.
While this tool is handy to gather data, the classification itself calls for human expertise, and is captured in relatively non-technical tools such as Excel spreadsheets and text documents, Wang said.
Zero-trust data classification for microservices security at SaaS providers such as FullStory and GitLab is complex enough, but in highly regulated industries it’s an IT discipline unto itself.
Risk analysis and threat modeling are so critical for healthcare companies that Omada Health, a digital healthcare provider specializing in behavior modification, created a proprietary threat model for its systems and published a whitepaper on it.
“We can use it to analyze any system, and look at all the threats to security, privacy and compliance,” said William Dougherty, VP of IT and security at the San Francisco-based healthcare provider. “With just a bunch of easy to understand yes-or-no questions, that lets us know what it’s going to take to defend that system.”
Zero-trust requires defense in depth
With microservices security priorities in place, the next order of business to establish a zero-trust model is to create multiple layers of security. These should cover DevOps application delivery processes as well as the IT infrastructure, through methods such as network microsegmentation using web application firewalls, practitioners said.
Omada Health, for example, uses a Cloudflare web application firewall to cordon off personal user data, separating out patient data from the data that belongs to patients’ employers, who are Omada’s primary customers. It ties together information about the network and firewall performance with Threat Stack’s security monitoring tool, as well as its host intrusion detection agents. These agents are built into the automated infrastructure deployment process at Omada, which is done with Ansible and Terraform infrastructure-as-code tools.
“It’s looking at running processes and system calls — looking at what the server is actually doing, not what the log says is being done,” Dougherty said. Omada has a small SecOps staff, so it leans on Threat Stack’s security operations center (SOC) service to escalate alerts as well.
Some tech futurists believe a zero-trust model will eventually mean that security is primarily the domain of applications, and that microservices security will rely on app functions that decide in real time whether to use a certain piece of infrastructure. But for now, zero-trust practitioners say sound security calls for proactive and reactive defenses at both the application and infrastructure level.
FullStory is still building up its zero-trust model and microservices security practice, but at GitLab, Wang said the company used all the cybersecurity practices available, from code scanning to developer training to red teaming and bug bounties, and that full spectrum will be necessary for the foreseeable future.
Addressing the human factor in microservices security
For both Dougherty and Wang, defense in depth also includes security awareness and training for all employees, both inside and outside of IT.
“It’s important to have security awareness training on a regular basis, starting at the point of onboarding new employees,” Wang said. “And then, every quarter or so, just to keep it fresh in people’s minds that if they get an email asking for information and it looks like it’s coming from the CEO, don’t reply.”
Dougherty said he worries about phishing more than technically sophisticated hacks, especially because in a strictly regulated environment, a security breach can come as the result of an honest mistake.
“It’s almost always a mistake,” Dougherty said. “Someone is asked to send a file to somebody, and misunderstood the request — they wanted 100 records and I sent them 10,000. And now, those 10,000 records would be a breach, unless we have a way to pull them back.”