Continuous Application Security
Shift Left & Right: 5 Cornerstones of Cloud Application Security Observability

10 July 2015 — the day distributed systems changed forever. On this day, Kubernetes 1.0 was released and there has been no turning back since then. Among the many, many beautiful things about Kubernetes, the most novel idea has been the abstraction of lifecycle management, networking, and storage. In one clean scoop, K8s erased these concerns from the minds of application architects.
What got left behind, however, was security: shouldn’t security come first?
Abstractions are good. Dynamic runtime is good. An Agile and fungible platform is good.
But … they also take away control; they introduce catastrophic security blind spots.
Blind Spots
Blind Spots — Platform
Blind spots creep in because of the platform behavior itself, primarily because:
- You don’t have control over where the applications run.
- You don’t have control over what else runs on the same node as your application.
- You don’t have control over when your application environment can change.
… just to name a few.
To be fair, K8s does provide knobs and levers for you to keep a tight leash on the application, but these reintroduce the application runtime rigidity that K8s was created to solve in the first place.
Blind Spots — Development Cycle
The CI/CD pipeline has adapted to this new normal.
A flexible and dynamic platform invites a vibrant development cycle. What used to take days to deploy to production is now done in minutes. Such speed is only possible by trusting that developers, working together with the platform, will do things right, and that the platform will mitigate and minimize the net fallout of the mistakes Dev makes.
Such an argument is reasonable for lifecycle management and the availability of the application. However, when it comes to security, this argument falls flat.
Remember, you only need to make a mistake once, for the entire castle to come crashing down.
Blind Spots — Zero-Day Vulnerabilities
By now we all know that our applications have bugs. They are there. There is no denying it.
We just don’t know about them yet; in other words, blind spots.
Blind Spots — Runtime
This is the million/billion dollar question (depending on the success of the application of course).
Is your application being used the way you architected, intended, hoped it would be used?
What if that is not the case?
How is it being used?
Do I even know?
Some Shift Left, Others Shift Right
The industry has tried to sleep at night by mitigating these risks with security solutions that “shift left” or “shift right”.
Shifting Left
“Left” is the blueprint of your application. This captures your intent: what you set out to do and why you did what you did. So it makes sense to incorporate security solutions early on in the software lifecycle. This has the potential to greatly reduce the number of vulnerabilities that seep in.
Remember: software is imperfect.
So while “shifting left” does mitigate security risks early on to a reasonable degree, it still leaves the door open to some significant blind spots.
How will these solutions react to unknown threats and foes? How about the platform itself? Your application is only as safe as your platform. So should we not test the heck out of the platform? If yes, why even adopt platforms like K8s?
When it comes to security, is “reasonable” really reasonable?
Shifting Right
“Right” is the runtime battlespace that is to be protected vigorously. No questions there. There is no dearth of security solutions, products, architectures and best practices to protect applications at runtime.
However, security at runtime is an ever-expanding horizon, because threats are ever-expanding. Most security solutions today play catch-up when it comes to runtime security. They win most of the time. We don’t get to hear about them at all, and rightly so, for they are doing what they are supposed to do. But then we get to hear about that one time when they fall short. What appeared like a solid security sphere implodes when hit at the right spot, at the right time.
Remember: these security solutions have to get it wrong only once. The damage is done.
Continuous Application Security with Mesh7
For Mesh7, application security is continuous.
Continuous security:
- Baselines the desired and intended behavior of an application.
- Alerts on any deviation from the desired baseline while in CI/CD.
- Integrates seamlessly with the platform in which the application runs.
- Monitors for deviations from known/intended baseline.
- Blocks deviations from known/intended baseline.
Continuous security spans the entire application lifecycle, left to right; learning/baselining on the “left” and monitoring/enforcing the learned baseline at the “right”. Continuous security thus enforces what is known and desired, while monitoring and securing against the unknown.
Mesh7 Cloud Application Security Observability
Mesh7’s continuous security model, Cloud Application Security Observability, implements 5 essential cornerstones of application security:
Application Security Graph
It is pivotal that the security insights given to the user are reflective of the actual application structure and deployment. The Mesh7 Application Security Graph is a real-time view of your applications, their current state and behavior.
Mesh7 implements a Zero-Touch / Zero-Latency observability solution to construct this security graph, which provides, among other things:
- Auto-discovery of workloads and services by seamless integration with the underlying platform.
- Security observability of L4 to L7+ interactions between workloads.
- Security observability of L4 to L7+ interactions between workloads and external and third-party services.
- Security observability of flow of sensitive information among workloads and between workloads and external services.
If it’s on the network, we know it and we see it.
Proactive Baselining & Anomaly Detection
Baselining the intent and behavior is the bedrock of future anomaly and drift detection. Mesh7’s Zero-Touch automated discovery allows for an organic baselining of your application based on current runtime state, network interactions, and behavior.
The Mesh7 baseline configuration layer provides a simple and elegant set of knobs and levers to:
- Fine-tune auto-discovered baseline
- Configure custom baseline
- Bootstrap from pre-determined baseline
This baseline can be versioned and incorporated into your CI/CD pipeline, so that deviations are detected, reacted to and enforced within the dev workflow, thus shifting “left”.
The same baseline is used to detect, alert on and prevent deviations at runtime, thus shifting “right”.
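The mechanics behind the “Continuous security” list above and this baselining section can be shown in a few dozen lines. The following is an added illustration, not Mesh7 code and not a description of how its product is implemented: a baseline of allowed workload-to-workload interactions is learned from flows observed in staging (the “left”), serialized deterministically so it can be committed and diffed in CI/CD, and then used to classify production flows (the “right”) as either matching the baseline or deviating from it, with the response (alert or block) chosen by a configurable posture. All workload names, ports and flow records are constructed for the example.

```python
"""Learn-on-the-left, enforce-on-the-right baseline check (illustrative)."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed network interaction between two workloads (constructed schema)."""
    src: str    # source workload, e.g. "checkout"
    dst: str    # destination workload or external service
    port: int   # destination port
    proto: str  # "tcp" or "udp"


def learn_baseline(flows):
    """Build the intended-interaction baseline from flows observed while the
    application is exercised in development/staging. Each edge records who may
    talk to whom, on which port and protocol."""
    return {(f.src, f.dst, f.port, f.proto) for f in flows}


def serialize_baseline(baseline):
    """Deterministic JSON (sorted edges, sorted keys) so the baseline can be
    committed next to the application and produce clean diffs in review."""
    edges = [{"src": s, "dst": d, "port": p, "proto": pr}
             for s, d, p, pr in sorted(baseline)]
    return json.dumps(edges, indent=2, sort_keys=True)


def load_baseline(text):
    """Inverse of serialize_baseline."""
    return {(e["src"], e["dst"], e["port"], e["proto"]) for e in json.loads(text)}


def diff_baselines(old, new):
    """Shift-left check: which interactions did this build add or drop relative
    to the versioned baseline? Running this in CI turns drift into an explicit
    review item instead of a silent change."""
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def classify_flow(baseline, flow):
    """Shift-right check: return None if the flow matches the baseline exactly,
    otherwise a short reason explaining how it deviates."""
    edge = (flow.src, flow.dst, flow.port, flow.proto)
    if edge in baseline:
        return None
    known_pairs = {(s, d) for s, d, _, _ in baseline}
    known_dsts = {d for _, d, _, _ in baseline}
    if (flow.src, flow.dst) in known_pairs:
        return "known peers, unexpected port/protocol"
    if flow.dst in known_dsts:
        return "known destination, new source workload"
    return "unknown destination"


def detect_deviations(baseline, runtime_flows, posture="monitor"):
    """Evaluate runtime flows against the baseline. `posture` expresses the
    desired response: "monitor" only alerts, "enforce" also blocks."""
    findings = []
    for f in runtime_flows:
        reason = classify_flow(baseline, f)
        if reason is None:
            continue
        action = "block" if posture == "enforce" else "alert"
        findings.append({"flow": f, "reason": reason, "action": action})
    return findings


# Constructed flows seen while exercising the app in staging (the "left").
STAGING_FLOWS = [
    Flow("frontend", "checkout", 8080, "tcp"),
    Flow("checkout", "payments", 8443, "tcp"),
    Flow("checkout", "orders-db", 5432, "tcp"),
    Flow("payments", "api.psp.example", 443, "tcp"),
]

# Constructed flows observed later in production (the "right").
PROD_FLOWS = [
    Flow("frontend", "checkout", 8080, "tcp"),           # matches baseline
    Flow("checkout", "orders-db", 22, "tcp"),            # known peers, odd port
    Flow("frontend", "orders-db", 5432, "tcp"),          # bypasses checkout
    Flow("checkout", "unknown-host.example", 9000, "tcp"),  # never seen before
]

if __name__ == "__main__":
    # Round-trip through JSON to mimic loading the baseline from version control.
    baseline = load_baseline(serialize_baseline(learn_baseline(STAGING_FLOWS)))
    for finding in detect_deviations(baseline, PROD_FLOWS, posture="enforce"):
        print(f"{finding['action'].upper():5} {finding['flow']} -> {finding['reason']}")
```

The classification deliberately distinguishes “known peers on an unexpected port” from “unknown destination”, because the two call for different triage: the first is usually a configuration or deployment change that the CI diff should have surfaced, the second is the kind of deviation the runtime side exists to catch.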
Intelligent Data Correlation
Real security is impossible without context. Without context, a signal is nothing but just noise. Data noise is the prelude to a breach.
Network security as a standalone solution is inadequate at best and fails miserably at worst when it comes to application security.
This understanding is ingrained in every line of code in Mesh7. Every signal, alert and call to action from Mesh7 is contextualized and enriched with data. Zero false positives. The context is derived from:
- Network interactions.
- Deep L7+ analysis of application data.
- Out-of-band, non-intrusive cloud monitoring.
- Host access and usage monitoring.
- Integrations with well-known, real-time threat feeds.
Preventive Security Controls
Visibility and observability are the first key steps to securing an application. While this is a giant leap by itself, the ability to not just detect but prevent deviations from the baseline and dangerous runtime interactions is an absolute and fair expectation of a security solution.
There are different camps at this point: some advocate a pure observability approach to their security, while others advocate a “fire and forget” approach to securing their application. The answer is somewhere in between.
Mesh7 empathizes with this sentiment and provides intuitive levers to configure your desired security posture. You are empowered with enough tools and context to express the desired response to anomalous behavior, which may include block, redact, rate control, etc.
Deep Forensics — AI / ML
Deep forensics is possible only with “deep” data. With contextualized data and deep insights from network, platform, and behavior, advanced forensics and analytics open up a whole new world of possibilities for building domain-specific models to secure applications.
Conclusion
We live in a new realm. Innovations in platforms have opened up frontiers that once were out of reach for many applications. There is no excuse anymore for applications to not adopt a true microservice, distributed architecture.
Don’t let your security posture lag behind this innovation curve.
Cloud Application Security Observability is here to secure your application lifecycle, from “left” to “right”.
At Mesh7, we wish you a safe and pleasant ride. Email us at info@mesh7.com if you would like to see how we are different and how API Security Mesh works.