Securing continuous deployment for applications in the cloud

Container orchestration tools on their own lack fine-grained access controls, but attribute based access control (ABAC) can help.


Application containers have quickly gained popularity as businesses continue to build and deploy applications in the cloud or on-premise. In fact, according to a recent study conducted by 451 Research, application containers will be a $2.7 billion market by 2020. This trend toward “containerization” is due to container simplicity, consistency, modularity and portability.

Modern businesses are using application containerization to deploy and run applications both in the cloud and in on-premise data centers, without having to launch an entire virtual machine (VM) for every individual app. VMs do offer easy maintenance, application provisioning and simple recovery, but they are difficult to build, large and non-portable, and they rely on the host's operating system (OS) package manager, which entangles applications, executables, configuration, libraries and life cycles with the host OS.

Since containers are decoupled from the underlying infrastructure and the host OS, they are portable on-premise and across cloud environments. In addition, because they are small and fast to start, they lend themselves to a continuous deployment cycle. VMs will still play a key role, as containers often run within them, but containers provide a consistent runtime from development to testing to production, which is a huge win for app developers and is essential for devops. However, with a single application per container, effective management of the containers is crucial.

The containerization trend has also hit the identity and access management (IAM) market, where IAM products are available via container marketplaces, such as the Docker store. With IAM and security tools deployable in containers, enterprises have more flexibility to automate infrastructure components along with their business application containers.

The importance of container orchestration tools

As the number of containers grow, it becomes increasingly important to automate the process of deploying multiple containers to implement and manage an application. This is where container orchestration tools can play a key role.

Container orchestration tools (such as Kubernetes and others) are management tools that help automate the deployment cycle, scale as applications grow in size and number, and manage all containerized applications. Container orchestration tools group the containers that make up an application so they are easy to find and manage.

With container orchestration tools organizations can automate the deployment and replication of containers, balance loads over groups of containers, scale container clusters, automate the rescheduling of failed containers and easily upgrade application containers.

Still, organizations must also examine the security capabilities of their orchestration tools so that potential attack vectors are locked down.

Incorporating access control into container orchestration tools

It is critical to ensure that users can only access and manage the containerized applications in the cloud that they are authorized to. Access control for container orchestration tools can be accomplished with attribute based access control (ABAC), because the authorization decision is made by a centrally managed service that the orchestration tool consults for each automation action, and because ABAC controls capabilities at a more granular level than roles alone.

With ABAC, organizations can authorize access to containerized applications based on fine-grained policies that consider attributes of the user, the resource and the request context, such as geo-location, time, date and device. In addition, ABAC fits a continuous deployment cycle: the authorization service can itself be deployed in containers, and its policies can be versioned and managed in the same manner as any application code.

Since the ABAC system itself is deployed in containers and managed in the same way as the application, organizations can automate access policy changes the same way they automate application code changes. The ABAC service can also be run as a microservice, giving it the same flexibility, deployment and automation characteristics as application microservices.

Eventually, the life cycle of redeploying containerized applications and security components can be fully automated and any changes to policies can be part of the automation process. In addition, organizations can automate the activation of additional authorization servers for peak load conditions and remove them when less capacity is required.
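To make the policy model above concrete, here is an added example (not code from the article or from any vendor product) of a small ABAC decision service in Python. Policies are plain data, so they can be kept in version control and shipped in a container like application code; evaluation is deny-by-default and an explicit deny overrides any allow. Requests and responses follow the shape of a Kubernetes SubjectAccessReview, which is what the Kubernetes API server sends to an external authorization webhook. The namespace attribute table, the policy set, the change window, the country allow-list and the use of the review's `extra` field to carry device posture and location are all constructed assumptions for illustration, not Kubernetes defaults.

```python
"""Minimal ABAC policy decision point for a container orchestrator.

Added example, not from the article. Policies are plain data so they can be
versioned and shipped in a container alongside application code. Requests use
the Kubernetes SubjectAccessReview shape sent to an authorization webhook;
namespace attributes, policies, change window and the 'extra' keys are
constructed for illustration.
"""
from datetime import datetime, timezone

# Constructed resource attributes; in practice these would come from
# namespace labels or an inventory service.
NAMESPACE_ATTRS = {
    "payments-prod": {"team": "payments", "env": "prod"},
    "payments-dev": {"team": "payments", "env": "dev"},
}
CHANGE_WINDOW_UTC = (8, 18)        # weekday hours when prod changes are allowed
ALLOWED_COUNTRIES = {"US", "CA"}   # constructed geo restriction

# Constructed policy set. Each condition is (attribute, operator, value).
# Evaluation is deny-by-default and an explicit deny overrides any allow.
POLICIES = [
    {"id": "platform-admin", "effect": "allow", "conditions": [
        ("groups", "contains", "platform"), ("device_managed", "eq", True)]},
    {"id": "team-namespace", "effect": "allow", "conditions": [
        ("team_owns_namespace", "eq", True), ("device_managed", "eq", True),
        ("country", "in", ALLOWED_COUNTRIES),
        ("verb", "in", {"get", "list", "create", "update", "delete"})]},
    {"id": "prod-change-window", "effect": "deny", "conditions": [
        ("ns_env", "eq", "prod"), ("in_change_window", "eq", False),
        ("verb", "in", {"create", "update", "delete"}),
        ("groups", "not_contains", "oncall")]},
]

OPS = {
    "eq": lambda a, v: a == v,
    "in": lambda a, v: a in v,
    "contains": lambda a, v: v in a,
    "not_contains": lambda a, v: v not in a,
}


def attributes(review, now):
    """Flatten subject, resource and environment attributes for one request."""
    spec = review["spec"]
    res = spec.get("resourceAttributes", {})
    ns = res.get("namespace", "")
    ns_attrs = NAMESPACE_ATTRS.get(ns, {})
    groups = set(spec.get("group", []))
    # Assumption: team membership is exposed as a "team:<name>" group.
    team = next((g.split(":", 1)[1] for g in groups if g.startswith("team:")), None)
    # Assumption: the authenticator puts device posture and location in 'extra'.
    extra = spec.get("extra", {})
    return {
        "user": spec.get("user"),
        "groups": groups,
        "verb": res.get("verb"),
        "namespace": ns,
        "ns_env": ns_attrs.get("env"),
        "team_owns_namespace": team is not None and team == ns_attrs.get("team"),
        "device_managed": extra.get("device-managed", ["false"])[0] == "true",
        "country": extra.get("country", ["unknown"])[0],
        "in_change_window": (now.weekday() < 5
                             and CHANGE_WINDOW_UTC[0] <= now.hour < CHANGE_WINDOW_UTC[1]),
    }


def matches(policy, attrs):
    """True when every condition of the policy holds for these attributes."""
    return all(OPS[op](attrs.get(key), val) for key, op, val in policy["conditions"])


def decide(review, now=None):
    """Return a SubjectAccessReview response carrying the decision and reason."""
    now = now or datetime.now(timezone.utc)
    attrs = attributes(review, now)
    matched = [p for p in POLICIES if matches(p, attrs)]
    denies = [p["id"] for p in matched if p["effect"] == "deny"]
    allows = [p["id"] for p in matched if p["effect"] == "allow"]
    if denies:
        allowed, reason = False, "denied by " + ", ".join(denies)
    elif allows:
        allowed, reason = True, "allowed by " + ", ".join(allows)
    else:
        allowed, reason = False, "no matching allow policy"
    return {"apiVersion": review["apiVersion"], "kind": "SubjectAccessReview",
            "status": {"allowed": allowed, "reason": reason}}


def review(user, groups, verb, namespace, extra):
    """Build a constructed SubjectAccessReview as the API server would send it."""
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
            "spec": {"user": user, "group": groups, "extra": extra,
                     "resourceAttributes": {"group": "apps", "resource": "deployments",
                                            "verb": verb, "namespace": namespace}}}


# Constructed sample inputs: a managed device in the US, and two points in time
# on a Tuesday, one inside and one outside the change window.
MANAGED_US = {"device-managed": ["true"], "country": ["US"]}
TUESDAY_10 = datetime(2018, 6, 12, 10, 0, tzinfo=timezone.utc)
TUESDAY_22 = datetime(2018, 6, 12, 22, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    r = review("alice", ["team:payments"], "update", "payments-prod", MANAGED_US)
    print(decide(r, TUESDAY_10)["status"])   # allowed inside the change window
    print(decide(r, TUESDAY_22)["status"])   # denied outside it
```

The reason string in the response is what a practitioner wants in the audit trail: it names the policy that granted or denied the action, so a policy change that shows up in version control can be correlated with a change in decisions. Note that the explicit deny for out-of-window production changes applies even to the platform group, which is the kind of cross-cutting rule that is awkward to express with roles alone.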

The benefits of automation for continuous development

Automation is critical to devops. With an automated approach, organizations realize a multitude of benefits including:

  • Less pressure on developers, because they no longer have to write security rules into their code.
  • Developers can spend their time on business functionality rather than on access security.
  • Access rules are enforced consistently across applications, APIs, microservices and data resources, reducing the risk of overexposed information and security breaches.

Security technologies like ABAC are critical to secure access to containerized applications in the cloud and ensure a continuous deployment cycle. With ABAC embedded directly into devops, organizations can automate a variety of access control challenges across the enterprise and add an additional layer of security around containerized applications.

Copyright © 2018 IDG Communications, Inc.
