How-tos

How to scale security while innovating applications fast

Share this post:

CISOs are notoriously risk-averse and compliance-focused, providing policies for IT and App Dev to enforce. On the contrary, serving business outcomes, App Dev leaders want to eliminate DevOps friction wherever possible.

What approach to security satisfies those conflicting demands?

Establishing a chain of trust

A hardware-rooted chain of trust verifies the integrity of every relevant component in the cloud platform, giving you security automation that flexibly integrates into the DevOps pipeline. A true chain of trust would start in the host chip firmware and build up through the container engine and orchestration system, securing all critical data and workloads during an application’s lifecycle.

 

Hardware is the ideal foundation because it is rooted in silicon, making it difficult for hackers to alter.

The chain of trust would be built from this root using the measure-and-verify security model, with each component measuring, verifying and launching the next level. This process would extend to the container engine, creating a trust boundary, with measurements stored in a Trusted Platform Module (TPM) on the host.   

So far, so good—but now you must extend this process beyond the host trust boundary to the container orchestration level.

Attestation software on a different server can verify current measurements against known good values. The container orchestrator communicates with the attestation server to verify the integrity of worker hosts, which in turn setup and manage the containers deployed on them. All communication beyond the host trust boundary is encrypted, resulting in a highly automated, trusted container system. 

Extending the benefits of a chain of trust  

What do you get with a fully implemented chain of trust?  

  • Enhanced transparency and scalability:Because a chain of trust facilitates automated security, DevOps teams are free to work at unimpeded velocity. They only need to manage the security policies against which the trusted container system evaluates its measurements.  
  • Geographical workload policy verification:Smart container orchestration limits movement to approved locations only.  
  • Container integrity assurance:When containers are moved, the attestor checks to ensure that no tampering occurred during the process. The system verifies that the moved container is v the same as the originally created container. 
  • Security for sensitive data:Encrypted containers can only be decrypted on approved servers, protecting data in transit from exposure and misuse.  
  • Simplified compliance controls and reporting:A metadata audit trail provides visibility and auditable evidence that critical container workloads are running on trusted servers. 

The chain of trust architecture is designed to meet the urgent need for both security and rapid innovation. Security officers can formulate security policies that are automatically applied to every container being created or moved. Beyond maintaining the policies themselves in a manifest, each step in the sequence is automated, enabling DevOps teams to quickly build and deploy applications without manually managing security. 

As your team evaluates cloud platforms, ask vendors to explain how they establish and maintain trust in the technology that will host your organization’s applications. It helps to have clear expectations going in.  

 

 

Add Comment
No Comments

Leave a Reply

Your email address will not be published.Required fields are marked *

More How-tos stories

How to build confidence in cloud security

From authentication to API access, public cloud platform providers are hardening every aspect of their systems to ensure greater security and scalability. And this strategy is paying off: the number of surveyed organizations who distrust clouds dropped from 50% to 29% in a 2017 survey. But how does one gain the assurance needed to confidently […]

Continue reading

Twilio expands the number of services on IBM Cloud

Twilio is very happy to announce our expanded partnership with IBM, bringing five new custom integrations to IBM Cloud. With Twilio and IBM, you’ll be able to build communications into your Web app without worrying about provisioning and maintaining servers.

Continue reading

Getting started with TradeIt’s SDK and API

By integrating TradeIt’s core products - TradingTicket and PortfolioView - developers can bring portfolio management and order management tools to their end users. RIA and Wealth Management platforms that integrate our SDK or standardized API have higher engagement and a simplified workflow to manage across a clients portfolio and have the ability to place orders seamlessly through the same safe, secure API connections to the underlying broker. TradeIt understood that consumers were increasingly engaged on apps and social networks for the business of their lives. TradeIt brings the top Financial Institutions’ customer journey - account opening, account management and securities trading - to the apps where the action happens in a safe, secure and compliant way.

Continue reading