
If the "Maginot defense line" fails, how to do a good job in container cloud security?

2021-09-15 04:52:15 TechWeb

After the First World War, to guard against a German surprise attack, France spent enormous sums over more than ten years building a line of fortifications stretching 390 kilometers along the Franco-German border, complete with artillery, trenches and forts, and even kitchens, hospitals and factories, with deep trenches, high ramparts and passages leading in every direction. This was the famous "Maginot Line". As we know, the line that was supposed to be impregnable did not in the end let France stop the German army. On the contrary, blind confidence in and over-reliance on the Maginot Line led France to grow complacent in its preparations for war. In World War II the Germans went around it through Belgium, crossed the natural barrier of the Ardennes heights, and arrived at the gates of Paris from behind the line.

Military historians hold that the Maginot Line failed because the doctrine of "total defense" failed. Unlike World War I, World War II emphasized mobility and flexibility, but France did not use the Maginot Line as a base from which to attack; it chose to sit and defend. When the Germans drove straight to Paris through the gap, the soldiers on the line were still waiting for an attack from the front, and the people in the city were still absorbed in their lights and wine.

In fact, something like the "Maginot Line", which looks like a thick wall from the outside but is in practice very loosely guarded, closely resembles the computing concept of a "firewall". In the past, most enterprises believed in "intranet security": put the data "inside the wall" and it will be safe. Clearly, though, such a security strategy is as outdated as the "Maginot Line" proved to be in World War II.

New challenges to container security: "intranet security" no longer exists

Much as in World War II, the external economic environment enterprises face today is volatile, and everyone is required to respond flexibly and efficiently as the business develops. That is an important reason why container applications have become so popular in recent years: because they meet enterprises' needs for rapid response and agile development, containers have become the mainstream form of enterprise application delivery.

Compared with traditional applications, however, containers have inherent "defects" in isolation and security. These "defects" run inside the so-called enterprise intranet along with the container, and if they cannot be properly identified and repaired they can at any moment become the gap in the "Maginot Line" and bring immeasurable losses to the enterprise.

In this situation, the security that came from relying on a single "wall" is gone; in other words, enterprises must re-examine and adjust their security policies.

First, let's look at the security challenges that containers bring to enterprises.

As we know, Kubernetes has become the standard platform for application innovation, and DevOps has become the mainstream methodology supporting cloud-native application development and operations. Under this development model, enterprise applications often need to be deployed in, and interact across, both the local data center and the cloud. That means the physical security boundary disappears and security risk becomes ubiquitous, so the traditional practice of building a "security perimeter" and keeping everything in the untrusted domain outside the "wall" is naturally no longer appropriate.

Therefore, an enterprise that wants to promote and use containers must consider several issues:

First, the security of the software supply chain. A great deal of the code and components in container applications come from the open source community or from third-party outsourced development. If high-risk vulnerabilities cannot be identified effectively, or are exploited by people with ulterior motives, this amounts to handing the problematic code to users and causes the security system along the entire chain to "collapse";

Second, the security of the infrastructure. Today many enterprises still tend to use a "DIY" Kubernetes platform plus a few security scanning tools. In practice such infrastructure makes it difficult to meet and assess the enterprise's security compliance requirements and exposes the whole platform or business to risk. Moreover, security responsibilities in Kubernetes are relatively scattered; unclear ownership also leads to lax management and works against the implementation of security policy;

Third, the security of application workloads. Containers have changed the traditional application deployment model: not only has the application life cycle been significantly shortened, but deployment density keeps rising, and traditional security policies struggle to keep up. In addition, once an application (especially a third-party application) has been packaged into a container, it is hard for the old security system to comprehensively monitor whether its behavior is normal and whether it meets security standards, and any problem has a direct impact on the business.

In other words, what enterprises need to change is not just one security technique but the whole security policy.

Security awareness "moves forward": from passive defense to active protection

If we learn the lesson of France's "Maginot Line" and its complacent defense, the first thing an enterprise should do is to turn "passive" into "active": take the initiative first rather than wait for the attack to happen. Applied to container security, this means enterprises must "move forward" their security awareness and security measures.

A relevant survey shows that across the different stages of application development, build, deployment and operation, the security cost incurred rises step by step. For instance: if a vulnerability is found in the R&D phase, the developer simply fixes it directly, at low cost and high efficiency; if the vulnerability is not detected until after release, security staff must propose a plan, communicate it to R&D, and then have testers verify it, which is not only relatively costly but also carries some production risk; and if the vulnerability is not discovered until the application has been running for some time, it is no longer simply a matter of remediation: the enterprise must pay extra in money, communication cost and repair time on the one hand, and involve large numbers of operations, release and business staff on the other, so the risk and cost pressure on the enterprise are many tens of times greater.

Because of this, running the security concept through the whole DevOps process, "blending development, security and operations concepts to create new solutions", has increasingly become the industry consensus. This is DevSecOps, and its basic idea is that "development security shifts left (SHIFT LEFT)".

Understandably, so-called "shifting left" in fact means moving security awareness from the operation stage forward to the container build and CI/CD stages, so as to avoid irreparable losses and high remediation costs after the application goes into operation.

For instance, in the traditional application development process, a programmer writes code and commits it to the source repository; the CI tool then packages the code into an image and calls a static scanning tool for a security scan; after confirmation, the CD tool pushes it to the test cloud, and finally it is delivered to the production cloud to go live. As you can see, the whole process depends on static scanning. Today, however, much malicious network behavior is dynamic, and static scanning has obvious shortcomings. The solution is to add a security-compliance test cloud stage to the existing CI/CD pipeline: in other words, after functional testing is complete, deploy first to the security-compliance test cloud for dynamic and static security-compliance testing, and only then push to the production cloud.
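The promotion gate that such a pipeline needs, as an added example that is not code from the article or from any vendor's product: the image must pass the static scan at build time and the dynamic checks from the security-compliance test cloud before it is promoted to production. The report shapes, the check names, the policy defaults and all sample values are constructed assumptions, not the output of any real scanner; the vulnerability ids are placeholders.

```python
"""Promotion gate for a CI/CD pipeline with a security-compliance test stage.

Added example (not from the article or any vendor tool). It models the
pipeline described above: an image passes a static scan at build time, is
deployed to a security-compliance test cloud where dynamic checks run, and
is promoted to production only if BOTH stages satisfy the policy. Report
formats, check names and sample values are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One static-scan result for a component inside the image."""
    vuln_id: str      # placeholder ids below, not real vulnerability numbers
    severity: str     # "LOW" | "MEDIUM" | "HIGH" | "CRITICAL"
    fixable: bool     # a fixed version of the component exists
    component: str


@dataclass(frozen=True)
class RuntimeCheck:
    """One dynamic check observed while the container ran in the test cloud."""
    name: str
    passed: bool
    detail: str = ""


@dataclass(frozen=True)
class GatePolicy:
    """What blocks promotion. Defaults are an assumed baseline, not a standard."""
    block_severities: frozenset = frozenset({"CRITICAL", "HIGH"})
    block_only_if_fixable: bool = True
    required_runtime_checks: frozenset = frozenset({
        "no-privilege-escalation",   # process never gained capabilities it lacked at start
        "no-unexpected-egress",      # no connections outside the declared allow-list
        "no-shell-spawn",            # no interactive shell started inside the container
    })


def evaluate_static(findings, policy):
    """Return the reasons the static scan blocks promotion (empty list = pass)."""
    reasons = []
    for f in findings:
        if f.severity not in policy.block_severities:
            continue
        if policy.block_only_if_fixable and not f.fixable:
            continue  # nothing to patch yet: tracked, but not blocking
        reasons.append(f"static: {f.severity} {f.vuln_id} in {f.component} fixable={f.fixable}")
    return reasons


def evaluate_dynamic(checks, policy):
    """Return the reasons the runtime stage blocks promotion (empty list = pass).

    A required check that never ran counts as a failure: a skipped stage must
    not be mistaken for a passed one.
    """
    by_name = {c.name: c for c in checks}
    reasons = []
    for name in sorted(policy.required_runtime_checks):
        check = by_name.get(name)
        if check is None:
            reasons.append(f"dynamic: required check '{name}' did not run")
        elif not check.passed:
            reasons.append(f"dynamic: check '{name}' failed: {check.detail}")
    return reasons


def promotion_decision(findings, checks, policy=GatePolicy()):
    """Combine both stages. Returns (allowed, reasons)."""
    reasons = evaluate_static(findings, policy) + evaluate_dynamic(checks, policy)
    return (not reasons, reasons)


# Constructed sample input (placeholders, not real scanner output).
STATIC_FINDINGS = [
    Finding("VULN-PLACEHOLDER-1", "MEDIUM", True, "libexample-1.2"),
    Finding("VULN-PLACEHOLDER-2", "HIGH", False, "runtime-base-3.0"),  # no fix yet
]
RUNTIME_CHECKS = [
    RuntimeCheck("no-privilege-escalation", True),
    RuntimeCheck("no-shell-spawn", True),
    RuntimeCheck("no-unexpected-egress", False,
                 "outbound TCP to an address outside the declared allow-list"),
]

if __name__ == "__main__":
    allowed, why = promotion_decision(STATIC_FINDINGS, RUNTIME_CHECKS)
    print("promote to production:", allowed)
    for r in why:
        print(" -", r)
```

With the constructed input, the static scan alone would let the image through (the only HIGH finding has no fix yet), while the dynamic stage catches the unexpected outbound connection and blocks promotion; that is exactly the gap the article says static scanning leaves. Treating a missing check as a failure keeps a misconfigured or skipped test stage from silently passing.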

This approach is particularly useful for applications supplied by third-party outsourcing vendors. More and more vendors package their applications as containers, but the development process of these applications is a "black box" to the enterprise, and if the enterprise still relies on traditional static scanning of image files, it is hard to ensure the security of the container platform.

However, look at the problem from another angle. Most enterprises choose open source technology or container applications precisely to avoid "reinventing the wheel" and to accelerate agile development. If this left enterprises worrying about security vulnerabilities everywhere and required them to build a very complex security supervision mechanism, it would not be realistic. What enterprises need is an out-of-the-box security policy, together with the ability to customize multi-factor policies for the container environment they actually run.

Through visibility and consistency, safeguarding secure operation in an open hybrid environment

Obviously, as a "core player" in enterprise Kubernetes solutions, Red Hat's thinking on this issue is forward-looking. On OpenShift, Red Hat provides continuous security for container and cloud-native applications from build through deployment to runtime and, from the container cloud platform itself to multi-cluster management, meets enterprises' multi-dimensional security needs.

To complete the missing piece of the "puzzle", at the beginning of this year Red Hat also acquired StackRox, a service provider in the Kubernetes-native security domain. By bringing its capabilities into OpenShift, the two complement each other, and on this basis Red Hat built the container security management platform RHACS (Red Hat Advanced Cluster Security). Through this platform, Red Hat can help enterprises move security design forward to the container build and CI/CD stages, and thus deliver a unified solution for higher security across the whole IT stack and the whole life cycle.

Specifically, RHACS can ensure the secure use of container applications in the following scenarios. First, vulnerability management: by identifying, classifying and reporting vulnerabilities, and prioritizing and repairing them in a timely manner, it protects the system from known vulnerabilities in images and running containers. Second, configuration management: it ensures that application deployment and configuration follow security best practices. Third, risk analysis: through comprehensive security-indicator analysis of an object, it identifies the most serious problems and handles them first. Fourth, fine-grained network security management: it implements application network isolation and access control policies through network monitoring and monitors abnormal application network behavior in real time. Fifth, compliance: RHACS helps enterprises meet regulatory and corporate security requirements, easily generating reports and auditing and rectifying as required. Sixth, it detects threats in the running environment in real time and, according to the risk level, gives the relevant staff an active and timely response.
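What the "configuration management" and "risk analysis" capabilities above amount to in practice, as an added example that is not code from the article, RHACS or StackRox: a Kubernetes Deployment (already parsed from YAML into a dict) is checked against a small set of best-practice rules, and each violation is weighted so the most serious problems surface first. The rule set, the weights, and both the weak and the hardened manifest are constructed assumptions, and the image digest in the hardened manifest is a placeholder.

```python
"""Deployment configuration check against container security best practices.

Added example (not from the article, RHACS or StackRox). A Deployment manifest,
parsed into a dict, is checked against assumed best-practice rules; violations
are weighted and sorted so the most serious are handled first, which is the
idea behind configuration management plus risk analysis. Rules, weights and
manifests are constructed assumptions.
"""

# Each entry: (weight, message, scope, predicate). Weights are assumed values.
RULES = []


def rule(weight, message, scope="container"):
    """Register a predicate; 'pod' rules get (pod), 'container' rules get (c, pod)."""
    def register(fn):
        RULES.append((weight, message, scope, fn))
        return fn
    return register


def _sc(obj):
    """securityContext of a pod or container, tolerating a missing/null key."""
    return obj.get("securityContext") or {}


@rule(10, "container runs privileged")
def privileged(c, pod):
    return _sc(c).get("privileged") is True


@rule(9, "pod shares the host network or PID namespace", scope="pod")
def host_namespaces(pod):
    return bool(pod.get("hostNetwork") or pod.get("hostPID"))


@rule(8, "container may run as root (runAsNonRoot is not true at pod or container level)")
def may_run_as_root(c, pod):
    return _sc(c).get("runAsNonRoot") is not True and _sc(pod).get("runAsNonRoot") is not True


@rule(7, "allowPrivilegeEscalation is not explicitly false")
def priv_escalation(c, pod):
    return _sc(c).get("allowPrivilegeEscalation") is not False


@rule(6, "image uses a mutable or missing tag (pin a digest or an immutable tag)")
def mutable_tag(c, pod):
    image = c.get("image", "")
    if "@sha256:" in image:
        return False                      # pinned by digest
    last = image.rsplit("/", 1)[-1]       # strip registry[:port]/path
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag in ("", "latest")


@rule(4, "no CPU and memory limits set")
def no_limits(c, pod):
    limits = (c.get("resources") or {}).get("limits") or {}
    return not ("cpu" in limits and "memory" in limits)


@rule(3, "root filesystem is writable")
def writable_rootfs(c, pod):
    return _sc(c).get("readOnlyRootFilesystem") is not True


def check_deployment(manifest):
    """Return violations as (weight, 'where: message'), most serious first."""
    pod = manifest["spec"]["template"]["spec"]
    violations = []
    for weight, message, scope, fn in RULES:
        if scope == "pod":
            if fn(pod):
                violations.append((weight, f"pod: {message}"))
        else:
            for c in pod.get("containers", []):
                if fn(c, pod):
                    violations.append((weight, f"{c['name']}: {message}"))
    violations.sort(key=lambda v: (-v[0], v[1]))
    return violations


def risk_score(manifest):
    """Sum of violation weights: a crude index for ranking workloads."""
    return sum(w for w, _ in check_deployment(manifest))


# Constructed manifests: a typical unhardened vendor deployment and its fixed form.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "vendor-app"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "registry.example/vendor/app:latest",
                        "securityContext": {"privileged": True}}],
    }}},
}
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "vendor-app"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "app",
                        "image": "registry.example/vendor/app@sha256:" + "0" * 64,  # placeholder digest
                        "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True},
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
    }}},
}

if __name__ == "__main__":
    for name, m in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(name, "risk score:", risk_score(m))
        for weight, msg in check_deployment(m):
            print(f"  [{weight}] {msg}")
```

The same rule table can run at admission time (reject the manifest) or as a periodic audit that ranks existing workloads by risk score; the "absent means unsafe" convention for runAsNonRoot and allowPrivilegeEscalation is deliberate, because Kubernetes defaults both to the permissive behaviour when they are not set.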

It is worth mentioning that this whole series of security management operations can be carried out visually. In other words, through the platform the relevant staff can see at a glance how many high-risk vulnerabilities the system has, whether compliance requirements are met, which locations are at high risk, and how application deployments affect security compliance. This greatly reduces the time and effort needed to implement security and simplifies security analysis, investigation and remediation.

Of course, these capabilities are not limited to Red Hat OpenShift. After the acquisition, StackRox will continue to support multiple Kubernetes platforms, including Amazon Elastic Kubernetes Service (EKS), Microsoft Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE). This means enterprise users will truly be able to build, deploy and run all kinds of applications in an open hybrid cloud environment while enjoying higher-level, more comprehensive security.

In short, the era of "building high walls to keep out foreign enemies" has passed. In the future, enterprise applications will be ubiquitous and security risks will be everywhere. For enterprises, development, operations and security policies must change, taking the whole picture into account and taking the initiative; for technology service providers, whether they can help enterprises reach this goal and achieve open, secure operation across environments will become a competitive differentiator.

 

Copyright notice
This article was created by TechWeb; please include the original link when reposting. Thank you.
https://chowdera.com/2021/09/20210909113919079w.html
