DevOps and Microservices – a Security View

Publish date:

Most organisations I work with have complex, laborious procedures for installing applications into a production environment.  These can be very frustrating when you’re working to a deadline, but they do perform some valuable functions from the security point of view: they protect the integrity of the production environment, and they separate the operations staff from […]

Most organisations I work with have complex, laborious procedures for installing applications into a production environment.  These can be very frustrating when you’re working to a deadline, but they do perform some valuable functions from the security point of view: they protect the integrity of the production environment, and they separate the operations staff from the developers.

However, these procedures are oriented towards organisations that deploy a code change once a quarter.  They’re not workable if, like many modern organisations, you need to deploy a code change once a day, or once an hour.

The DevOps movement is intended to address this new requirement.  DevOps brings development, operations and QA staff together to streamline and unify deployment processes.  DevOps makes heavy use of automation to achieve this.

DevOps works closely with micro service architectures such as Docker.  Micro services are small, independently deployable services that communicate using lightweight protocols.  Micro services are deployed automatically and hosted using containerised virtualisation.

Like conventional virtual machines, micro services are isolated within containers so that they cannot interfere with each other.  Containers in Linux use a number of specialised features to provide isolation:

  • Namespaces, which provide separate process spaces, network instances, IPC resources, mount points etc. for each container.

  • Cgroups (control groups), which manage the use and sharing of physical resources.

  • Union file systems, which allow file structures from different sources to overlay each other.

How secure is a micro service architecture?  The concept is too new to give a definitive answer, here are my thoughts:

  • Containers are a new technology so we can assume (without the need to consider any actual evidence) that they contain numerous security bugs.

  • We can also assume that these bugs will be discovered and corrected rapidly over time as containers are subjected to more scrutiny.

  • Containers are more lightweight than virtual machines and present a much smaller attack surface.

  • It will always be difficult to protect a UNIX type OS against a process running as root.

  • The high degree of automation when installing a micro service will bring significant security benefits.  It will become much easier to deploy standard hardening and to avoid error-prone manual install steps.

In conclusion: I wouldn’t put anything sensitive on a multi-tenanted micro service platform today.  But in a couple of years it should be a different story.

Related Posts

Cybersecurity

Empowering our employees to become cyber savvy in the new normal

Date icon October 14, 2021

Celebrating Cybersecurity Awareness Month at Capgemini

Cybersecurity

Capgemini Named a MSSP Leader in Everest Group Report

Geert van der Linden
Date icon September 6, 2021

Capgemini has continued to make significant investments to ensure its customers are able to...

Cybersecurity

Cybersecurity: the linchpin of sustainable infrastructure

Geert van der Linden
Date icon July 7, 2021

It’s critical that infrastructure organizations mitigate these risks by placing cybersecurity...