The New Stack | January 27, 2016

The Pillars of Security for the Cloud-Native PaaS

BY MATT AMMERMAN

In this sponsored post, Matt Ammerman, Global Client CTO for enterprise platform-as-a-service Apprenda, discusses how an enterprise platform-as-a-service can help organizations ensure their workloads are secured. 

Docker makes lots of things easier, but nothing about Docker containers makes them easier than virtual machines to throw over the fence to IT operations. For large organizations moving to cloud, developers are granted self-service access to resources from internal data centers and public IaaS, but central IT is saddled with figuring out new methods to ensure security and compliance for the containers. The latest platforms to deliver enterprise features for container orchestration need to help organizations create a more secure, transparent, and controllable operating environment.

Enterprise Platform-as-a-Service (PaaS) is next-generation middleware that delivers the features needed to implement container strategies in large existing organizations, including Docker container orchestration, brokering, security, and compliance.

Today’s data center is defined by various pillars of security at all levels, from app isolation and containerization down to physical infrastructure partitioning. Below are the three pillars of cloud security for cloud-native platforms:

  • Limit Platform Attack Vectors: Whether malicious behavior is internal or external in origin, the platform is shared and attacks should be isolated by default and easy to lock down.
  • Implement Standards: Application design does not end at the last line of code, and platforms need to take on the role of ensuring standards for security, patching, licensing, and compliance.
  • Leverage Existing Operations: Large organizations have designed role specification and expertise over the years to ensure, among other things, compliance and security. The news keeps suggesting that perhaps developers are not always great database administrators. In addition, operations continuously invest in best-of-breed tools to enhance security. Cloud platforms need to integrate and use those features.

While these three pillars are incredibly important, we must dive a little deeper to explain what an enterprise PaaS can do to secure the data center and how it achieves this goal.

What Enterprise PaaS Brings to the Data Center

Employing a PaaS that configures the encryption of guest application traffic (ingress, egress, and internal) is an opportunity for data center operators to control and standardize their encryption strategy. This has the added benefit of removing the onus of understanding and properly implementing encryption from the applications’ developers, a risk mitigation strategy for IT organizations through removal of human error.

Criticality continues further down the data center stack.  A zero-trust model within a highly regulated environment is often established through software-defined networking (SDN). Essentially, these are software-based rules engines within networking equipment that dictate when, where, and how packets can flow across a network. A zero-trust model starts with the expectation that no application workload can communicate with another unless it is explicitly allowed. This effectively “zones” applications.

Sponsor Note

Apprenda is the leading enterprise Platform as a Service (PaaS) powering the next generation of enterprise software development in public, private and hybrid clouds. As a foundational software layer and application run-time environment, Apprenda removes the complexities of building and delivering modern software applications, enabling enterprises to innovate faster.

When enterprise PaaS is the mechanism by which application workloads run on this infrastructure, it is imperative that the platform has knowledge of the underlying network topology and workload rulesets enforced by SDN. PaaS should use this knowledge to inform application workload placement policies, completing the loop on a holistic software-defined placement and traffic model. This happens through direct integration of PaaS and SDN, such as Apprenda’s integration with Cisco’s Application Centric Infrastructure. The ultimate goal of this strategy is to mitigate risk through reduced attack surface area and the containment of any such attack.

On the subject of attack surface area, one fungible ingredient in the fortified data center is the operating system.

I’ve written previously about the Trusted Computing Base (TCB), which is an effective measure of a system’s vulnerability surface area. The operating system has a place in the data center TCB and vendors are constantly working to decrease their OS risk profiles.

Over the years, IT organizations have honed processes around hardening server OS and application server images and applying security patches, with the intent to address TCB and mitigate risk. PaaS’s relationship to the operating system should not be one built upon strict dependence because that undermines these efforts.

In fact, the exact opposite is ideal: a PaaS should abstract away OS and application server details from apps, but it can’t do that if it is itself tightly coupled to the OS and application servers.  Part of PaaS’s job is to add freedom to an organization’s ability to roll out OS or applications server updates or entirely new versions such as RHEL 7, Windows Server 2012 R2, WebSphere, JBoss, and Tomcat and the security enhancements that come with them. This holds true at the level of application servers as well.

Security is, of course, multi-faceted. While much of it centers on environmental configuration and technology choices, other aspects of security focus entirely on process control. This is the who, what, when, why, where, and how of data center operations. The purpose of process control is not only to establish guidelines for actions but to enforce accountability.

Accountability through Logging and Auditing

Two mechanisms for accountability that PaaS can have a direct impact on are logging and auditing. The first, logging, is a construct by which PaaS operators gain insight into the runtime of their environment. By centralizing logging into a common aggregator across the data center, warnings of active or impending failures, troubleshooting, and incident resolution all become easier.

Logging also creates a record of environmental and application conditions for historical analysis.

A PaaS should not only log its own actions, but it should provide a uniform way for guest applications in its purview to actively and passively participate in logging either through explicit APIs or by instrumenting into the application workloads the ability to log information into a persistent store.

Auditing platform operations is another way to enforce process control. Most organizational security policies include auditing rulesets defining what information needs to be captured about systemic state changes. The parameters of who took an action, what action they took, and the differential between states (effectively, the change) should be captured. This helps with replaying actions while troubleshooting operational issues, as well as providing predictive analytics about the effects of making changes to an environment

Final Words

Sound technological choices, proper implementation, and process control combine to make up a part of a comprehensive security strategy in the enterprise. PaaS’s position in the cloud stack gives it not only the opportunity but also the responsibility, to provide tools that address a significant portion of this strategy.