Cloud Native Application Architecture & Security

During your company’s modernisation, you will need to transition your monolithic applications towards a distributed microservices architecture for portability, which is a characteristic of Native Cloud Applications (NCA). Furthermore, there are emerging patterns and technologies such as IoT and serverless computing that require new API economy architecture patterns. Security is a major concern and there is a lack of standardisation.

Powered by Kong, Istio, Envoy and Docker.

How do you authenticate (AuthN) and authorise (AuthZ) vertical (north-south) and horizontal (east-west) traffic in and out of a microservice? How do you maintain sessions across microservices, and do you need to? How do you ensure that the identity context is perpetuated across microservices and across on-prem, hybrid, cloud and cloud-to-cloud deployments, to ensure security and non-repudiation?

East-west traffic has increased and will continue to increase due to the rapid adoption of microservices. This means we cannot trust traffic within the organisation (behind the perimeter) as we used to. Bear in mind that with microservices and DevOps, we use tools and partner libraries in our solutions to speed things up and for reuse. Automation is both good and bad: sometimes you can download a compromised partner library in your CI/CD pipeline without knowing, and this can lead to a breach.

We have to adopt a zero-trust model within the intranet and beyond.

Evolution of Deployment Architectures

I’Curity Microservices Architecture and Security

The zero-trust model requires us to enforce container security (container and image scanning for malware), code/CI pipeline security controls, and transactional (L4 & L7 traffic) security controls.

We specialise in L4 and L7 traffic identity and security controls. Microservice architectures include proxies, containers and service orchestration platforms. Identity and other security controls can be applied both at the proxies and on the orchestration platforms.

Orchestrators

You can AuthN and AuthZ system accounts, normal users or the workloads themselves on an orchestration (Kubernetes) platform using the following:

  • OAuth & OIDC tokens
  • X509 Client Certs
  • Other security tokens
  • Password files

Proxies

Proxies can be centralised or decentralised in your API architecture landscape. In an on-premise microservices deployment, a centralised proxy with a distributed cache, shared config and a data store shared between the different proxy nodes can be used. You can apply RBAC, ABAC, impersonation and OAuth token controls at this policy enforcement point. This is suitable for deployments that are simple, perhaps where a central ESB is still in place and the number of APIs or web services is relatively small and thus manageable.

In hybrid, cloud-to-cloud and serverless/FaaS deployments, the microservice deployment is more complex. Thus a service mesh is often used for observability, resiliency, traffic control, policy enforcement and security. A service mesh consists of a data plane and a control plane. The data plane is fronted by a sidecar (workload proxy) which sits next to your workload. This results in a decentralised proxy deployment. The service mesh improves upon the security/IAM model built into your Kubernetes pods and sometimes into your code (which results in duplication and maintenance problems). The sidecar and control plane are expected to provide:

  • Service Discovery: Microservices discovery and management across platforms (on-prem, cloud etc.).
  • Security: Encrypt end-to-end with mutual TLS. This is particularly crucial where PII is sent from one workload to another.
  • Identity & Access Management
  • Observability: Telemetry data, Tracing & logging
  • Scalability, portability and interoperability, availability
    • Load balancing
    • Canary deployments
    • Rate limiting
    • Recovery
    • Circuit breaking

To achieve this we make use of Kong Service Mesh, Istio, Envoy and Apache SkyWalking together with our ODIP platform to ensure identity and security are propagated throughout your microservices ecosystem.
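As an added illustration of the mTLS and sidecar AuthZ controls described above (example configuration, not I’Curity’s or the Istio project’s own), the following Istio resources enforce a STRICT mTLS mesh default, validate the end-user OIDC token at the sidecar, and allow only one workload identity carrying a valid token to reach the payments service. The namespace `shop`, the `orders`/`payments` workload names, the issuer `https://idp.example.com` and the path `/v1/charge` are hypothetical.

```yaml
# 1. Service identity (east-west): every sidecar must present an mTLS
#    certificate; plaintext between workloads is rejected mesh-wide.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # root namespace, so this becomes the mesh default
spec:
  mtls:
    mode: STRICT            # PERMISSIVE (the weak setting) would still accept plaintext
---
# 2. End-user identity (north-south): validate the OIDC access token the
#    caller forwards, so the user context survives the hop into the mesh.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: payments-jwt
  namespace: shop            # hypothetical namespace
spec:
  selector:
    matchLabels:
      app: payments          # hypothetical workload label
  jwtRules:
  - issuer: "https://idp.example.com"                         # hypothetical issuer
    jwksUri: "https://idp.example.com/.well-known/jwks.json"  # hypothetical JWKS endpoint
---
# 3. AuthZ at the sidecar (policy enforcement point): require BOTH a
#    trusted workload identity AND a validated end-user token.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-orders
  namespace: shop
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/orders"]   # SPIFFE identity of the orders workload
        requestPrincipals: ["https://idp.example.com/*"]  # <issuer>/<subject> of the validated JWT
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/charge"]
```

Note that a RequestAuthentication on its own only rejects invalid tokens and still admits requests that carry no token at all; it is the `requestPrincipals` condition in the AuthorizationPolicy that makes a valid end-user token mandatory.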

We specialize in cyber-security solutions across different industry verticals. Our core value proposition is our ability to deliver robust, transformative and visionary identity platforms to enable and secure your digital transformation strategies.

Address

55, Spaces Broadacres, Willow Wood Office Park Cnr 3rd Ave &, Cedar Rd, Broadacres Park, 2021


Business Hours

Mon – Fri  9 am – 5 pm

Phone

Office: +27 (0) 11 065 9362
+27 (0)71 602 7492
+27 (0)72 727 8371

Email

info@icurity.co.za