Securing Kubernetes From Within and Without

The answer lies within next-generation firewalls with east-west traffic monitoring and security policy enforcement.

By Gadi Naor · May 27, 2019 · Analysis


Overlaying security solutions to protect converged infrastructure and cloud-native environments can be tricky.

Enterprises using Kubernetes in hybrid cloud environments are reaping the benefits of development velocity and scalability, but they are also finding that traditional security measures cannot address the challenges of cloud-native applications built from containers and hosted on virtualized infrastructure. Especially when migrating traditional software to containers and hybrid cloud environments, enterprises are often at a loss as to how to secure their applications.

On the one hand, virtualized infrastructure is difficult to surround with traditional firewalls, which depend on hardware choke-points to restrict access to the internal workings of web applications. On the other hand, containerized microservices are exposed to their own vulnerabilities; given the implicit trust between microservices and the speed at which containers are deployed, a single compromised microservice can serve as a foothold for compromising the entire application cluster.

Looking at this challenge, it becomes apparent that the situation is new to software. Because this security challenge was born out of the need for flexibility and scale, security teams must go beyond existing security paradigms to find new solutions and consider how to secure north-south and east-west traffic in web applications simultaneously.

Extending Security Across Containers, Kubernetes, and Service-Mesh Architectures

Traditional firewalls were excellent at protecting the digital perimeter of an organization because that perimeter followed the outline of physical hardware: north-south traffic entered and left online applications through clearly defined paths. Today, virtually defined storage and compute, together with rapidly scalable containers and microservices, make the perimeter of web-native applications hard to define and impossible to control through simple hardware gates.

Likewise, east-west traffic between components of a web-native application can be difficult to manage as DevOps practices drive multiple updates a week or even multiple updates a day (Amazon famously deploys new code every 12 seconds). At these speeds, it is difficult to detect and remediate security vulnerabilities in containers and microservices, especially once they have already been deployed.

To Protect Against Threats, Foreign and Domestic

If hardware alone can no longer protect data, because that data is sprawled across infrastructure and evolving too quickly, one must look toward solutions that can morph to follow the changing shape of software in production.

Next-Generation Firewalls (NGFWs) go beyond traditional firewalls by adding application-layer inspection and intrusion prevention. Rather than assuming that a port number tells them what traffic is flowing over it, NGFWs apply deep packet inspection and identity-based policy, among other techniques, to secure network traffic at the perimeter of an application and even beyond it.

And yet, NGFWs will still miss the kind of subtle malicious traffic that travels between servers, containers, and microservices already inside the NGFW's security perimeter. As attackers turn increasingly toward exploiting flaws in application design, enterprises also need a solution that can continuously monitor east-west traffic and enforce security rules on it.

Enterprises looking to migrate their applications to a hybrid cloud model are rightfully concerned about the challenges and complexity such an endeavor represents. Existing tools, processes, and practices were not engineered for the on-demand, elastic nature of the cloud. It has become increasingly difficult to define, monitor, and enforce security for the entire stack, so enterprises are in dire need of a security solution tailored to this new environment.

The answer, therefore, is to combine complementary solutions: next-generation firewalls for north-south traffic, together with east-west traffic monitoring and security policy enforcement inside the cluster. In this way, enterprises can protect web-native applications from threats foreign and domestic, as it were, more comprehensively than with either solution alone.

Tags: Kubernetes, application security, east-west traffic

Opinions expressed by DZone contributors are their own.
