
Ovum: Cloud-native technologies improve cybersecurity

07 Nov 2016

Cloud-native computing is the end goal of a journey that starts with agile development, progresses to DevOps, adopts microservices and containers, makes effective use of cloud (everything as a service) including serverless computing, and takes a platform approach that decouples the business domain applications, products, and services from the infrastructure.

It no longer matters whether the code resides on a public cloud, on a private cloud, on-premises, on managed services, or on hybrid systems. One of the key concepts is moving from viewing servers as “pets” (cherished and long-lived) to viewing them instead as “cattle”: immutable objects, defined as infrastructure as code, that can be swiftly replaced from a single source.

This paradigm also provides a new approach to security in the data center. Pivotal Software’s Justin Smith advocates a “Rotate, Repave, and Repair” (3Rs) recipe, which shows how the flexibility of running microservices and containers in production, coupled with a fast DevOps continuous delivery capability, can lead to innovations in data center security.

The idea is based on a continual refresh of the data center infrastructure environment to stem three categories of weakness: unpatched software (very common), the dwell time malware has in which to carry out its purpose, and leaked credentials. Ovum sees the 3Rs as a security paradigm shift that cloud-native technologies make possible.

At its root is the DevOps philosophy of making changes a painless activity. 3Rs enhances security and changes the lifecycle of servers from slow-changing, long-lived instances that invite malware to flourish, to fast-changing, short-lived servers that nip malware in the bud.

The security benefits of rapidly swapping out servers in live production

Cloud-native computing offers improved security to enterprise IT. Applications are built as microservices, packaged in containers, and configured to be secure by default (for example, to comply with the Payment Card Industry Data Security Standard, PCI DSS). These packages are then deployed as immutable objects.

To make a change, the service is terminated and the changed service is deployed as a new object. Production applications are no longer viewed as “pets”, but are instead broken into microservices and each service swiftly replaced as needed.

This approach reduces the mismatch and divergence that occurs between development and production versions. With the rapid change that DevOps continuous deployment offers, it is possible to adopt Smith’s 3Rs.

The idea is that, every few minutes or hours, all credentials used in the data center are rotated; every server and application is repaved, that is, replaced from a known-good image (the aim is to minimise server lifetime and refresh it as often as possible, reducing the time in which malware has to operate); and software is repaired with patches as soon as they are available.

With rapid continuous delivery in place, patched instances are rolled in while the old ones are still serving, so the whole software stack can be updated in live production with zero downtime. This approach closes the long exposure windows behind many of the IT security weaknesses that exist today. The overhead is small, and Pivotal has large-scale customer deployments that demonstrate the practice, which adds an extra layer of automation on top of the delivery pipeline rather than new infrastructure.
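To make the three policies concrete, here is an added example (not Pivotal’s or Ovum’s code) that simulates a 3Rs controller over a small fleet of immutable VMs and measures the windows an attacker is actually left with: how long malware can dwell on a VM, how long a credential copied from that VM stays valid, and how many ticks a newly published patched image takes to roll out. All names, the tick-based clock, and the limits (30-tick credential rotation, 120-tick VM lifetime) are assumptions chosen for the illustration; the fleet, the compromise and the patch release are constructed inputs.

```python
"""Rotate / Repave / Repair controller, simulated over a small immutable fleet.

Constructed example: an in-memory model, not Pivotal's code.  Each VM is an
immutable object; nothing is ever patched in place.  On every clock tick the
controller applies the three Rs:
  Rotate - reissue any credential older than CRED_MAX_AGE ticks
  Repave - replace any VM older than VM_MAX_LIFETIME ticks from the current image
  Repair - replace any VM whose image is older than the newest (patched) image
Replacement is add-before-remove and one VM per tick, so fleet capacity never
dips while a rolling update is in flight (the zero-downtime constraint).
"""
from dataclasses import dataclass, field
import secrets

CRED_MAX_AGE = 30       # ticks; think "every few minutes" (assumed value)
VM_MAX_LIFETIME = 120   # ticks; the hard bound on anything persisting on a VM (assumed)


@dataclass
class VM:
    vm_id: int
    image: str
    born: int
    cred: str
    cred_issued: int


@dataclass
class Fleet:
    image: str                         # newest known-good (patched) image
    vms: list = field(default_factory=list)
    next_id: int = 0
    log: list = field(default_factory=list)

    def add_vm(self, now):
        """Bring up a fresh VM from the current image with a fresh credential."""
        self.next_id += 1
        vm = VM(self.next_id, self.image, now, secrets.token_hex(8), now)
        self.vms.append(vm)
        return vm


def rotate(fleet, now):
    """Rotate: any credential that reaches CRED_MAX_AGE is reissued."""
    for vm in fleet.vms:
        if now - vm.cred_issued >= CRED_MAX_AGE:
            vm.cred, vm.cred_issued = secrets.token_hex(8), now
            fleet.log.append((now, "rotate", vm.vm_id))


def stale(vm, fleet, now):
    """Repave (too old) or Repair (old image): either way the VM is replaced."""
    return now - vm.born >= VM_MAX_LIFETIME or vm.image != fleet.image


def repave_and_repair(fleet, now):
    """Replace at most one stale VM per tick, adding the new one before retiring the old."""
    for old in fleet.vms:
        if stale(old, fleet, now):
            fleet.add_vm(now)            # new instance is serving ...
            fleet.vms.remove(old)        # ... before the old one is torn down
            fleet.log.append((now, "replace", old.vm_id))
            return


def simulate(ticks=300, fleet_size=3, compromise_at=10, patch_at=50):
    """Run the controller and report the windows an attacker would actually get."""
    fleet = Fleet(image="v1")
    for _ in range(fleet_size):
        fleet.add_vm(0)
    victim = fleet.vms[0]          # constructed: malware lands here at compromise_at
    stolen_cred = None
    out = {"min_fleet_size": fleet_size, "max_vm_age": 0, "max_cred_age": 0,
           "malware_dwell": None, "stolen_cred_lifetime": None, "patch_rollout": None}
    for now in range(1, ticks + 1):
        if now == compromise_at:
            stolen_cred = victim.cred   # attacker copies the credential on the box
        if now == patch_at:
            fleet.image = "v2"          # a patched image is published
        rotate(fleet, now)
        repave_and_repair(fleet, now)
        out["min_fleet_size"] = min(out["min_fleet_size"], len(fleet.vms))
        out["max_vm_age"] = max(out["max_vm_age"], max(now - v.born for v in fleet.vms))
        out["max_cred_age"] = max(out["max_cred_age"], max(now - v.cred_issued for v in fleet.vms))
        if out["malware_dwell"] is None and victim not in fleet.vms:
            out["malware_dwell"] = now - compromise_at
        if stolen_cred and out["stolen_cred_lifetime"] is None \
                and stolen_cred not in {v.cred for v in fleet.vms}:
            out["stolen_cred_lifetime"] = now - compromise_at
        if now >= patch_at and out["patch_rollout"] is None \
                and all(v.image == fleet.image for v in fleet.vms):
            out["patch_rollout"] = now - patch_at
    out["replacements"] = sum(1 for e in fleet.log if e[1] == "replace")
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>21}: {value}")
```

With the defaults, the compromised VM is gone 40 ticks after the compromise (the v2 patch forces its replacement before its 120-tick lifetime is up), the copied credential dies at the next rotation 20 ticks later, and the patch reaches the whole fleet in 2 ticks while the fleet never shrinks below 3. Run `simulate(patch_at=10**9)` to see the Repave bound alone: with no patch release the dwell time is 110 ticks, still capped by VM_MAX_LIFETIME. One caveat the simulation makes visible: because replacement is one VM per tick, a fleet whose instances were all created at the same moment drains over several ticks when they expire together, so in practice instance creation should be staggered.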

Pivotal Cloud Foundry (PCF) is the first PaaS to implement the 3Rs security policy

Since joining Pivotal Software, Smith has helped bake the 3Rs security strategy into PCF. The first manifestation of this will be the availability of PCF Repave as a feature of Ops Manager, the web application used to deploy and manage a PCF PaaS. PCF Repave allows customers to replace the underlying VMs on a regular schedule, which bounds how long any malicious code that does land on a VM can persist.

As a complete package for cloud-native computing, PCF now has a security policy that fits DevOps and addresses the many cyber-security issues and threats that enterprises have so far failed to deal with. With the 3Rs Pivotal has also added turnkey compliance, ensuring that PCF is compliant with security industry standards.

Ovum believes the 3Rs approach has significant security advantages over slow-changing server lifetime models. Ovum encourages other PaaS providers and data center owners to adopt cloud-native technologies that allow the 3Rs concepts to be applied and help overcome the cybersecurity weaknesses that pervade IT infrastructure in so many organisations today.

Article by Michael Azoff, principal analyst, Ovum Infrastructure Solutions Group.
