Adopt Insertion Point Security for a Microservices World

In the old world, applications generally consisted of a web server, an app server and a database. Traffic went from router to switch to firewall. There was a network perimeter, which was our ingress. 

That was then, this is now. With the cloud, containers and microservices, we’re navigating an environment that includes clients, proxies, web servers, app servers, ingress controllers, containers, sidecars, and a range of microservices performing more and more specialized functions—a whole world purely intrinsic to applications. The complexity involved in the presentation of an app today rivals that of the internet itself 10 years ago. 

In an attempt to describe the security priority for this reality, the industry has been saying that “the app is the new perimeter.” But that description fails to capture the scope and sophistication of what’s really going on. 

Applications have been deconstructed to the point where we need to think about them with a new level of abstraction to understand how security needs to evolve. All of the layers and components that go into an application create insertion points for app security, and as a collective whole, those application insertion points are the new perimeter.  

With that in mind, securing an app today is not like building a fortification around your asset—it’s more like shooting a rocket into space. There are thousands of possible components and permutations, and a failure at any point could cause its own unique consequence. The app equivalent of a faulty ignition circuit could mean the rocket sits idle on the launch pad until it’s fixed. And something as similarly minor as a frozen O-ring could have disastrous ramifications. 

Adding even more layers to this situation is the fact that most organizations were not born yesterday. They’re running applications built on technologies that span their organization’s history, with some decades-old technologies working alongside modern DevOps apps. 

In many cases these multi-generational apps may be dependent on each other as part of the same business function. Think of the labyrinth of processes and touchpoints involved in shipping a package from Branson, Missouri, to Barcelona. The package must interact with a wide variety of scanners, scales, apps, tracking services and payment systems, across offices and warehouses supported by sometimes dramatically different technologies. 

To truly understand your application and the risks to it in such an environment, a comprehensive Failure Mode and Effects Analysis (FMEA) approach is required, just as it would be for a major mechanical system. You have to look at the sum of all the parts to understand an application and its effect on a business process—and you have to look at every single permutation of interactions across that process, because the smallest component failure could cause the entire system to fail. 

This kind of analysis allows you to evaluate the likelihood of a particular failure and its potential severity. Determining which security measures are critical will depend on the particular insertion points your application has. Each insertion point will require a distinctly different policy, since the context of each component is different. Yet appropriate security must be implemented for every insertion point for every application across the entire business process. 

The key to appropriately applying security across the entire system is to stretch out the application structure and look at all insertion points as those applications evolve. Ideally this could also involve building a risk dashboard that enables visibility into all of the various risks, taking into consideration how modern a particular application is and what components it leverages.

It’s important to remember that, even as organizations move to a modern DevOps model and build more and more apps “to the left,” they will continue to build and maintain more traditional apps to the right. Companies farthest to the left are dealing with threats associated with Kubernetes, sidecars and containers. And the ones building to the right are still dealing with those old-school perimeter challenges and vulnerabilities that exist within the application, the network and the perimeter. 

Mastering the ability to address all those threats, and to insert security in every tier within your applications, is the next frontier. The application insertion point is the new perimeter.  

Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of information Security at social media provider Demand Media where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.