Secure your microservices-based architecture

Tight security controls and configurations along with third-party security reviews will ensure that your container application environment cannot be easily breached. Entersoft offers Cloud Configuration Review that includes microservices-based architectures for small and large deployments.

If you are a tech geek, then ‘microservices-based architecture with containers’ is all too familiar. In layman's terms, this refers to dividing a large application into chunks of operations, each built into a different ‘container’. This makes operation easier, simplifies management and is highly scalable. In banking, for example, you will have to input your account number, IFSC code, beneficiary account number etc. to execute a funds transfer. This comprises a single operation, housed and run in one container.

An enterprise can have multiple containers to run different operations, based on the size of the organisation. To give you an idea, seven years ago, a Google honcho mentioned that the company starts over two billion containers per week!

Monolithic, microservices – what’s the difference?

In monolithic applications, the entire application source code is built and deployed on the same server, with a dedicated database. Load balancers distribute the requests coming from clients so that the application can scale up to more users.

In microservices architecture, every operation is divided and deployed on individual containers.

How does a container work?

A container, usually Docker, is a mini version of a Virtual Machine (VM). It trims all the unnecessary or ‘junk’ portions of the OS, providing the bare minimum essential to run your application. Depending on the functionality you want to achieve from an application perspective, you build that code into the container. Different levels of operations can be categorised into smaller pieces.

If you consider an enterprise having 1,000 operations, you can have 1,000 containers deployed on a production instance. Based on requests from the client’s side, the number of containers can scale up. If a container is unable to service all the requests, then such requests can be directed to other containers wherein the exact same functionality is replicated. That’s how organisations scale up their applications to accept any number of requests received.

It makes good business sense to have an automated process for container management. A container can automatically be put on hold for a certain time period until it receives a sizable number of requests.

Advantages of microservices

  • Easy maintenance: The architecture of microservices is such that developers can carry out any changes or maintenance activity on an operation, targeting a particular container. The remaining containers continue to interact with clients, as opposed to restricting the entire application or carrying out maintenance activity across the website.

In contrast, there are chances that the entire application might crash while carrying out changes in one operation in monolithic applications. The testing teams must run through every test case thoroughly to identify an issue.

  • Easily scalable: If a heavy load of requests comes in with regard to a particular operation or at a certain point in time, containers can be easily scaled up. The functionality is replicated to another container so that traffic can be seamlessly diverted with no lag in processes.
  • Intuitive container management solutions: Orchestration solutions to manage multiple containers, such as Kubernetes, act as ‘monitoring personnel’. They keep an eye on the health map of every microservice. Kubernetes enables easy configuration for individual operations, offering quick scalability based on the requirement.

How do I secure my containers?

Security and compliance are a growing concern with increased adoption of microservices-based architecture. Cyber attackers are constantly on the look-out to exploit vulnerabilities within permissions and containers. Most companies are unaware of how to deal with the security of containers.

There are two models to deploy microservices when you consider managing applications on cloud:

  • On-prem: Servers and infrastructure required are set up on premises, and then application production is deployed. In this scenario, cybersecurity is the responsibility of the application provider.
  • Managed service providers: Cloud service providers such as Google Kubernetes Engine (GKE), Azure Kubernetes Service (AKS) and Elastic Kubernetes Service (EKS) provide managed services with readily-available solutions for development teams to work on. The code built into these containers has to be secured. The responsibility for security is shared between the cloud service provider and customer. This is because although it is a managed service, the application functionality still rests with the customer.

There are three ways to secure containers. These are mandatory checks to ensure that applications are secure before you push changes to production instances.

  • Static Application Security Testing (SAST) tools: SAST tools can be used to identify any source code level security issues.
  • Dynamic Application Security Testing (DAST) tools: It is critical to ensure that the container application in runtime doesn’t have any kind of security threats before trying to push changes to the container. This can be done with DAST tools.
  • Software Composition Analysis: Companies must ensure that a Software Composition Analysis check is conducted. This can help identify vulnerabilities in third-party components.

Moreover, there should be an image-level scan. These image repositories contain images of applications for ease of future development. Qualys is a great tool to perform a holistic image scan. It notifies administrative teams of any security loopholes in containers. Azure, Google and Amazon also carry out such scans to ensure images don’t carry vulnerabilities.

A Cloud Configuration Review is also necessary if it is a managed service. This ensures that security controls and configurations have been properly defined. Hackers can take advantage of and exploit weak controls. They look for certain patterns to easily identify misconfigurations in Kubernetes.
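
An added example, not part of the original article or any Entersoft tooling: a small Python check of the kind a configuration review automates, run over two constructed Deployment manifests (one weak, one corrected). The rule set, the `audit` function and the `registry.example` image names are assumptions chosen for illustration; the manifest fields themselves are standard Kubernetes pod and container settings.

```python
import json

# Constructed sample manifests: one Deployment with weak settings, one corrected.
WEAK = json.loads("""
{"kind": "Deployment", "metadata": {"name": "funds-transfer"},
 "spec": {"template": {"spec": {
   "hostNetwork": true,
   "containers": [{"name": "api", "image": "registry.example/funds-transfer:latest",
                   "securityContext": {"privileged": true}}]}}}}
""")
HARDENED = json.loads("""
{"kind": "Deployment", "metadata": {"name": "funds-transfer"},
 "spec": {"template": {"spec": {
   "containers": [{"name": "api",
     "image": "registry.example/funds-transfer:1.4.2",
     "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
     "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false,
                         "readOnlyRootFilesystem": true}}]}}}}
""")

def audit(manifest):
    """Return sorted findings for a Deployment-style manifest (dict)."""
    pod = manifest["spec"]["template"]["spec"]
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(flag):
            findings.append(f"pod: {flag} enabled (shares a host namespace)")
    pod_sc = pod.get("securityContext", {})
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # Privilege escalation is allowed unless explicitly set to false.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        # A container-level value overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits")
        tag = c["image"].rsplit("/", 1)[-1].partition(":")[2]
        if "@sha256:" not in c["image"] and tag in ("", "latest"):
            findings.append(f"{name}: image not pinned to a version or digest")
    return sorted(findings)
```

Calling `audit(WEAK)` returns seven findings and `audit(HARDENED)` returns none; the same function can be pointed at the JSON output of `kubectl get deployment -o json` for a single Deployment.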

What’s the hitch: security challenges

Lately, many organisations have been getting on the microservices bandwagon. The biggest challenge? Their sole focus is only on developing the application. There is no awareness of responsibility for the security aspect. Especially when deploying cloud-native apps, organisations believe that since they are consuming a managed service from Azure, Google or Elastic, the solution providers will handle the entire security operations for them.

It is important to know that this is a shared security responsibility model.

Cloud service providers handle the ‘control plane’ in Kubernetes. The remaining activities are the responsibility of the client’s development or operations teams. They will have to define all the controls and implement necessary restrictions to ensure that the environment is secure.

The challenge is that they don’t know which tools to use or what process to follow as this is an entirely new technology. The first step is to follow the same set of tried and tested processes – SAST, DAST and Software Composition Analysis.

There is a specific set of configurations which the customer’s operations team should be aware of and a specific set of configurations which the Kubernetes team should be aware of. Based on the container or the orchestration solution deployed, the teams should ensure they have the skillsets required to deliver the activity in a secure manner. An alternative is to opt for a security service provider.

Looking for a container security review? Entersoft Security can help

Vulnerabilities can arise during development, deployment or configuration on the cloud service provider.

At Entersoft Security, we perform Cloud Configuration Review for customers, including for microservices-based architectures.

In the instance of large microservices-based architecture, many complexities may exist. Some of the microservices may be configured on one cloud service provider and the rest may rely on an entirely different set of operations. Some aspects may be handled by partners as a managed service. At times, challenges for microservices-based architecture come up when applications have been built by different teams or different vendors for a big customer or enterprise.

Based on these aspects, and depending on the scope of the project, Entersoft conducts a full assessment and review, enabling enterprises to secure their containers in microservices architectures.