DevOps and Microservices – a Security View

Most organisations I work with have complex, laborious procedures for installing applications into a production environment.  These can be very frustrating when you’re working to a deadline, but they do perform some valuable functions from the security point of view: they protect the integrity of the production environment, and they separate the operations staff from the developers.

However, these procedures are oriented towards organisations that deploy a code change once a quarter.  They’re not workable if, like many modern organisations, you need to deploy a code change once a day, or once an hour.

The DevOps movement is intended to address this new requirement.  DevOps brings development, operations and QA staff together to streamline and unify deployment processes.  DevOps makes heavy use of automation to achieve this.

DevOps works closely with micro service architectures such as Docker.  Micro services are small, independently deployable services that communicate using lightweight protocols.  Micro services are deployed automatically and hosted using containerised virtualisation.

Like conventional virtual machines, micro services are isolated within containers so that they cannot interfere with each other.  Containers in Linux use a number of specialised features to provide isolation:

  • Namespaces, which provide separate process spaces, network instances, IPC resources, mount points etc. for each container.

  • Cgroups (control groups), which manage the use and sharing of physical resources.

  • Union file systems, which allow file structures from different sources to overlay each other.

How secure is a micro service architecture?  The concept is too new to give a definitive answer, but here are my thoughts:

  • Containers are a new technology so we can assume (without the need to consider any actual evidence) that they contain numerous security bugs.

  • We can also assume that these bugs will be discovered and corrected rapidly over time as containers are subjected to more scrutiny.

  • Containers are more lightweight than virtual machines and present a much smaller attack surface.

  • It will always be difficult to protect a UNIX type OS against a process running as root.

  • The high degree of automation when installing a micro service will bring significant security benefits.  It will become much easier to deploy standard hardening and to avoid error-prone manual install steps.
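
The namespace isolation and the root concern above can both be checked from `/proc`. This added example (not part of the original post) compares a container process's namespaces with the host's and reads its `uid_map` to see whether root inside is root outside; the function names and sample values are constructed for illustration.

```python
import os
import re

NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")  # e.g. "net:[4026531840]"

def parse_ns(links):
    """Map namespace type -> inode number from /proc/<pid>/ns link targets."""
    found = {}
    for link in links:
        m = NS_LINK.match(link.strip())
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def read_ns(pid):
    """Read the live namespace links of a process (Linux, needs access to /proc/<pid>/ns)."""
    base = f"/proc/{pid}/ns"
    names = [n for n in os.listdir(base) if not n.endswith("_for_children")]
    return parse_ns(os.readlink(os.path.join(base, n)) for n in names)

def shared_namespaces(host, container):
    """Namespace types whose inode matches the host's: no isolation of that kind."""
    return sorted(t for t, ino in container.items() if host.get(t) == ino)

def root_is_host_root(uid_map_text):
    """True if UID 0 inside the container maps to UID 0 on the host.
    Each uid_map line is: <first id inside> <first id outside> <range length>."""
    for line in uid_map_text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            inside, outside, length = map(int, fields)
            if inside == 0 and length > 0:
                return outside == 0
    return False

# Constructed sample values: a container started with host networking and
# without user-namespace remapping.
HOST = parse_ns(["cgroup:[4026531835]", "ipc:[4026531839]", "mnt:[4026531841]",
                 "net:[4026531840]", "pid:[4026531836]", "user:[4026531837]",
                 "uts:[4026531838]"])
CONTAINER = parse_ns(["cgroup:[4026532512]", "ipc:[4026532449]", "mnt:[4026532447]",
                      "net:[4026531840]", "pid:[4026532450]", "user:[4026531837]",
                      "uts:[4026532448]"])
UID_MAP_DEFAULT = "         0          0 4294967295\n"   # no remapping
UID_MAP_REMAPPED = "         0     100000      65536\n"  # root -> unprivileged host UID

if __name__ == "__main__":
    print("shared with host:", shared_namespaces(HOST, CONTAINER))
    print("container root is host root:", root_is_host_root(UID_MAP_DEFAULT))
```

On a live host, `read_ns(1)` and `read_ns(<container pid>)` supply the two inputs, and `/proc/<container pid>/uid_map` supplies the mapping text.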

In conclusion: I wouldn’t put anything sensitive on a multi-tenanted micro service platform today.  But in a couple of years it should be a different story.
