April 12, 2018 By Douglas Paris-White 2 min read

Scale security while innovating microservices fast

CISOs are notoriously risk-averse and compliance-focused, providing policies for IT and App Dev to enforce. In contrast, serving business outcomes, app dev leaders want to eliminate DevOps friction wherever possible in the continuous integration and development of applications within a cloud native, microservices architecture. What approach satisfies those conflicting demands while accomplishing the end goal: scaling security?

Establishing a chain of trust to scale security

As the foundation of information security, a hardware-rooted chain of trust verifies the integrity of every relevant component in the cloud platform, giving you security automation that flexibly integrates into the DevOps pipeline. A true chain of trust would start in the host chip firmware and build up through the container engine and orchestration system, securing all critical data and workloads during an application’s lifecycle.

Hardware is the ideal foundation because it is rooted in silicon, making it difficult for hackers to alter.

The chain of trust would be built from this root using the measure-and-verify security model, with each component measuring, verifying and launching the next level. This process would extend to the container engine, creating a trust boundary, with measurements stored in a Trusted Platform Module (TPM) on the host.   

So far, so good—but now you must extend this process beyond the host trust boundary to the container orchestration level. You must continue to scale security.

Attestation software on a different server can verify current measurements against known good values. The container orchestrator communicates with the attestation server to verify the integrity of worker hosts, which in turn set up and manage the containers deployed on them. All communication beyond the host trust boundary is encrypted, resulting in a highly automated, trusted container system.

How to scale security management for the enterprise

What do you get with a fully implemented chain of trust?  

  • Enhanced transparency and scalability: Because a chain of trust facilitates automated security, DevOps teams are free to work at unimpeded velocity. They only need to manage the security policies against which the trusted container system evaluates its measurements.  

  • Geographical workload policy verification: Smart container orchestration limits movement to approved locations only.  

  • Container integrity assurance: When containers are moved, the attestor checks to ensure that no tampering occurred during the process. The system verifies that the moved container is the same as the originally created container.

  • Security for sensitive data: Encrypted containers can only be decrypted on approved servers, protecting data in transit from exposure and misuse.  

  • Simplified compliance controls and reporting: A metadata audit trail provides visibility and auditable evidence that critical container workloads are running on trusted servers.
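The measure-and-verify chain described above (each stage hashing the next and extending a TPM register, an attestation server comparing the result to a known good value, and the orchestrator gating placement on both attestation and the geographical policy from the list) can be sketched in a few dozen lines. This is an added illustration, not IBM's code or any real TPM or orchestrator API: the stage names, image bytes, host records and region policy are all constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Order in which each stage measures and launches the next (from the post:
# host firmware up through the container engine). Constructed names.
CHAIN = ["firmware", "bootloader", "kernel", "container-engine"]

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || measurement). Because the chain
    is hashed in order, an altered or reordered stage changes the final value."""
    return sha256(pcr + measurement)

def measure_chain(images: dict) -> bytes:
    """Simulate the host: each stage hashes the next stage and extends the PCR."""
    pcr = b"\x00" * 32
    for stage in CHAIN:
        pcr = extend(pcr, sha256(images[stage]))
    return pcr

# Constructed stand-ins for the bytes of each trusted stage.
GOOD_IMAGES = {s: f"trusted-{s}-build-1".encode() for s in CHAIN}
KNOWN_GOOD_PCR = measure_chain(GOOD_IMAGES)   # attestation server's golden value

def attest(reported_pcr: bytes, known_good: bytes = KNOWN_GOOD_PCR) -> bool:
    """Attestation server: compare the host's reported measurement with the
    known good value (compare_digest avoids a timing side channel)."""
    return hmac.compare_digest(reported_pcr, known_good)

def choose_host(workload: dict, hosts: list) -> Optional[str]:
    """Orchestrator: place the workload only on a host that attests clean
    AND sits in a region the workload's geographical policy allows."""
    for host in hosts:
        if host["region"] not in workload["allowed_regions"]:
            continue                      # geographical policy violation
        if not attest(host["pcr"]):
            continue                      # measurements differ from known good
        return host["name"]
    return None

# Constructed sample hosts: one with a modified kernel, one clean but outside
# the allowed region, one clean and in the allowed region.
TAMPERED = dict(GOOD_IMAGES, kernel=b"trusted-kernel-build-1+modified")
HOSTS = [
    {"name": "host-a", "region": "eu-west", "pcr": measure_chain(TAMPERED)},
    {"name": "host-b", "region": "us-east", "pcr": measure_chain(GOOD_IMAGES)},
    {"name": "host-c", "region": "eu-west", "pcr": measure_chain(GOOD_IMAGES)},
]
WORKLOAD = {"name": "payments", "allowed_regions": {"eu-west"}}
```

Running `choose_host(WORKLOAD, HOSTS)` skips host-a (tampered kernel changes the PCR) and host-b (wrong region) and returns "host-c"; the same policy check is what the post's "geographical workload policy verification" bullet refers to.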

The chain of trust architecture is designed to meet the urgent need for both security and rapid innovation. Security officers can formulate security policies that are automatically applied to every container being created or moved. Beyond maintaining the policies themselves in a manifest, each step in the sequence is automated, enabling DevOps teams to quickly build and deploy applications without manually managing security. 

As your team evaluates cloud platforms, ask vendors to explain how they establish and maintain trust in the technology that will host your organization’s applications. It helps to have clear expectations going in.  

For a broader look at security, read the 5 fundamentals of information security every cloud platform should provide.
