Agile Security Is Now A Reality


Businesses are looking to optimize and accelerate their Software Development Lifecycle (SDLC), in order to improve their operational efficiency and gain a competitive edge.

Service mesh is the popular architecture in which monolithic applications are broken down into microservices; it is becoming the common delivery model because it provides better agility, elasticity and scale. Companies that deploy a service mesh architecture require advanced automation and orchestration tools to help them achieve these business goals (agility, elasticity and scale) and to assemble an ecosystem that supports continuous deployment.

Such orchestration tools offer automated container deployment, scaling and management, code scanning, provisioning, testing and even security in the CI/CD pipeline. The most popular orchestration tool is Kubernetes. It is so broadly used that each public cloud vendor has introduced its own managed Kubernetes edition.

Naturally, these benefits drive the rapid adoption of the above model, with the ultimate goal of continuous deployment. Even if an application is changed multiple times a day, each version must go through the full SDLC phases before being pushed into production – with no delays and no human intervention at all. If security doesn’t run at the same speed, it is usually left behind.


Normally, enterprises are forced to choose between agility and security. Most put agility first and try to retrofit security solutions into their deployments. But it’s worth noting that digital transformation doesn’t just come with new technologies; it also forces structural changes and adjustments to business processes.

Naturally, because digital transformation gives more decision-making power to those who understand, choose and implement the emerging solutions, DevOps teams have a growing influence on information security decisions and, eventually, on the overall application security posture of their company.

As everything is moving fast, how can businesses be both agile and secure?

Unfortunately, emerging technologies are just that—emerging—and they do not come with best practices. Companies still look for the proverbial yellow brick road to secure microservices and containerized applications. What might that look like? Market-leading application security that also provides the advanced automation, auto-scaling and elasticity required by today’s DevOps and security teams. But often, the first line of defense is a WAF.


Can a WAF Be Agile?

WAFs have long been known as showstoppers – they are slow and inaccurate, and they require a lot of tuning, exception handling and manual labor to maintain. Generating false positives and hurting the user experience, WAFs are by far the least favorite solution of information security teams. Can such an ancient animal adjust to the new ecosystem?

Yes, it can!

If organizations require agility first and foremost, then security must fit into that automated SDLC without disrupting continuous deployment. However, organizations need more than just a “good enough” security solution. Their data is at stake. They require comprehensive protection. Radware invested significant R&D efforts to solve this problem, with the emphasis on finding the required level of automation, flexibility and elasticity.

Enter Radware’s new Kubernetes WAF, which offers many integration options into the CI/CD pipeline. For example, it is fully controlled by Kubernetes, so application security grows and scales with the Kubernetes pods, including learned policies and configuration settings.


What’s more, visibility for both DevSecOps and security teams via integration with common tools and platforms (such as Grafana and Prometheus) is critical, as is a light footprint: an enforcement point in front of each pod, while the management, analytics and learning engine run separately within the environment.

Lastly, and perhaps most importantly, security policies should be automatically generated and tuned. This can be accomplished by using machine learning with a unique auto-policy-generation engine that studies the application/microservice structure, analyzes potential threats and builds a security policy that is later adjusted whenever a change is introduced to the application. (Fun fact: Radware Kubernetes WAF does this.)

And there you have it: Agile security!

As for security folks – you can maximize security for containerized applications with a unique combination of positive and negative security models for application protection in a service mesh.

Read “Radware’s 2019 Web Application Security Report” to learn more.


Ben Zilberman is a product-marketing manager in Radware’s security team. In this role, Ben specializes in application security and threat intelligence, working closely with Radware’s Emergency Response and research teams to raise awareness of high-profile and impending attacks. Ben has diverse experience in network security, including firewalls, threat prevention, web security and DDoS technologies. Prior to joining Radware, Ben served as a trusted advisor at Check Point Software Technologies, where he led partnerships, collaborations and campaigns with system integrators, service providers and cloud providers. Ben holds a BA in Economics and an MBA from Tel Aviv University.
