Enterprise architects walk the tightrope between tradition and innovation. On the one hand, they have aging technology that still powers the business; on the other, they recognize the technological advances that need to reach the enterprise applications they oversee. The world inside their enterprise seems disconnected from the world outside, where innovation is all around.
Add to this demanding business expectations, complex team structures and emergencies that come up when there’s a security breach, and it’s quite clear that being an enterprise architect is not for the fainthearted.
Of course, being an enterprise architect is easier when you have fewer security breaches to worry about. Toward that end, this article discusses what enterprise architects should know in order to help maximize enterprise security.
Security challenges for enterprise applications
The term “enterprise” is thrown around these days to mean anything from a large traditional corporation to anything B2B. But what do we mean by the term “enterprise application”? Here are a few defining characteristics that may help clarify:
It’s all about the data
With enterprise applications, the data is more valuable than the apps that consume the data. This is because the datasets are large, and often go back decades. They’re mostly stored in SQL databases, but in recent times, in NoSQL alternatives as well. The data is multifaceted and can be presented in many different ways within a single application or across multiple applications.
Because of how valuable this data is, attackers target access to data first and foremost. One look at the biggest recent data breaches confirms this. The Equifax data breach in 2017 resulted in the private details of 143 million customers being leaked. Additionally, 209,000 customers’ credit card data was exposed. This was caused by a vulnerability in one of the Equifax websites.
Similarly, the IRS suffered a breach in its Get Transcript app which led to some 700,000 users’ social security numbers being exposed. These were subsequently used to file for fake refunds—and all because the IRS avoided securing the app with two-factor authentication. They had to take down the app, and release it a few months later with security upgrades.
For an enterprise architect, securing data is priority number one. How the data is stored, accessed and used is what matters. Traditionally, this data was stored on physical disks, accessed via simple internal networks and protected via peripheral firewalls. The problems with this are numerous. Data loss is common, as disks malfunction frequently. Firewalls are not the best defense, as they leave the entire system open once it’s breached. And in the case of a data breach, it’s hard to investigate the origin and extent of the breach.
Today, cloud providers offer various cloud storage options like Amazon Elastic File System (EFS), Elastic Block Store (EBS) and Simple Storage Service (S3), which provide storage for multiple purposes. These storage services are secure, protected against data loss and easy to access.
Deeply integrated with other apps
Enterprise applications need to talk to each other to function as they were meant to. Applications for each team (like IT, HR, finance, sales and marketing) are all separate, but integrated for a more holistic view of the customer or employee. Integration projects typically span months and are often handled by a vendor.
When apps are integrated, it’s important to ensure only authorized apps and users have access to the data. Open API endpoints and badly configured access controls are the bane of integration projects.
Legacy apps alongside modern apps
Enterprises are stuck in that awkward space between their legacy apps that just about get the job done, and modern alternatives that go beyond the required task, and do it 10x faster with fewer resources. Any step to modernize the applications should take into account backward compatibility.
The way traditional apps are secured is very different from how cloud-native apps are secured. When everything comes down to hardware in a private datacenter, security is simpler. But with the cloud, and especially with modern container technology, security is very different. Cloud vendors have their own tools for security, monitoring and logging. Additionally, there are specialized tools for container security.
Security for modern cloud-native applications
Cloud-native applications, though more complex than legacy applications, can be much more secure if they are secured the right way. There are many nuances to securing these applications. Let’s take a look at a few.
Kernel security features
Docker inherits some core security features from Linux, including namespaces, cgroups, AppArmor, SELinux and seccomp. They enforce isolation between containers, and limit what a container can see and how many resources it can use. In the case of a compromised container, they limit the damage done to only that container.
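These features only protect a container if they have not been switched off when it was started. The following check is an added example, not part of the original article: it reads output in the shape of `docker inspect` and reports containers where one of the features above is disabled. The sample data and container names are constructed.

```python
import json

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields this check reads. Container names are hypothetical.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/legacy-batch", "AppArmorProfile": "unconfined",
  "HostConfig": {"Privileged": false, "PidMode": "host", "NetworkMode": "bridge",
                 "SecurityOpt": ["seccomp=unconfined", "apparmor=unconfined"],
                 "Memory": 0, "PidsLimit": null}},
 {"Name": "/orders-api", "AppArmorProfile": "docker-default",
  "HostConfig": {"Privileged": false, "PidMode": "", "NetworkMode": "bridge",
                 "SecurityOpt": ["no-new-privileges"],
                 "Memory": 536870912, "PidsLimit": 256}}
]""")


def audit_container(c):
    """Return findings where a kernel isolation feature is switched off."""
    hc = c.get("HostConfig") or {}
    # Older Docker releases wrote security options as key:value.
    opts = {o.lower().replace(":", "=") for o in (hc.get("SecurityOpt") or [])}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: seccomp and AppArmor confinement are off")
    for field in ("PidMode", "NetworkMode", "IpcMode", "UTSMode"):
        if hc.get(field) == "host":
            findings.append(f"namespaces: {field}=host shares the host namespace")
    if "seccomp=unconfined" in opts:
        findings.append("seccomp: syscall filter disabled")
    if "apparmor=unconfined" in opts or c.get("AppArmorProfile") == "unconfined":
        findings.append("apparmor: profile disabled")
    if "label=disable" in opts:
        findings.append("selinux: labeling disabled")
    if not hc.get("Memory"):            # 0 means no cgroup memory limit
        findings.append("cgroups: no memory limit")
    if (hc.get("PidsLimit") or 0) <= 0:  # null, 0 or -1 mean unlimited
        findings.append("cgroups: no pids limit")
    return findings


def audit(inspect_output):
    """Map container name -> findings for every container in the dump."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in inspect_output}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```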
The most common cause of vulnerabilities in a containerized app is images downloaded from public registries. While this is a cause for concern, container registries today are armed with image scanning tools that check for common vulnerabilities. They are a must-have when running containers in production.
With numerous components in a container stack, and each needing authorized access to the others, there is a lot of sensitive information like passwords, tokens, API keys and more. These pieces of data should never be hardcoded into a container image, and need to be handled by a separate secrets management feature. The data is encrypted, and made accessible only on an as-needed basis.
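One way to catch hardcoded secrets before an image is built, as an added example that is not from the original article: a check that flags `ENV` and `ARG` instructions in a Dockerfile that assign a literal value to a secret-looking name. The Dockerfile, the name patterns and the `_FILE` suffix convention for pointing at a mounted secret are assumptions of this example; line continuations are not handled.

```python
import re
import shlex

# Assumed naming patterns for secret-bearing variables.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)

# Constructed Dockerfile; names and values are made up for the example.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ENV APP_ENV=production DB_PASSWORD="s3cr3t-example"
ENV API_KEY constructed-key-value
ARG BUILD_TOKEN
ENV SESSION_SECRET=${SESSION_SECRET}
ENV DB_PASSWORD_FILE=/run/secrets/db_password
COPY . /app
"""


def parse_assignments(instruction, rest):
    """Yield (name, value) pairs from the argument of an ENV or ARG line."""
    tokens = shlex.split(rest)
    if instruction == "ENV" and tokens and "=" not in tokens[0]:
        # Legacy form: ENV NAME value (rest of the line is the value).
        yield tokens[0], " ".join(tokens[1:])
        return
    for tok in tokens:
        name, _, value = tok.partition("=")
        yield name, value


def find_hardcoded_secrets(dockerfile_text):
    """Return (line number, variable name) for each literal secret assignment."""
    findings = []
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        m = re.match(r"\s*(ENV|ARG)\s+(.*)", line, re.I)
        if not m:
            continue
        for name, value in parse_assignments(m.group(1).upper(), m.group(2)):
            if not SECRET_NAME.search(name) or name.upper().endswith("_FILE"):
                continue  # not secret-like, or a path to a mounted secret
            if value and "$" not in value:  # skip empty and variable references
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {name} is set to a literal value")
```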
Peripheral firewalls aren’t enough to secure networks for microservice applications. Instead, microservices use policy-based networking to secure each service. This way, even if one service is compromised, the others remain secure. Additionally, as services and underlying containers are updated or replaced, they don’t need to have security configurations applied to them from scratch. The same security policies can be applied. Tools like Weave, Linkerd and Calico are ushering in this new wave of policy-based network security.
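The idea can be shown with a minimal model, added here as an example and not taken from the original article or from the syntax of Weave, Linkerd or Calico: rules select workloads by label instead of by IP address, and anything not explicitly allowed is denied. All names, IPs and ports are constructed.

```python
from dataclasses import dataclass


def label_set(**kv):
    """Build an immutable label set, e.g. label_set(app="orders")."""
    return frozenset(kv.items())


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset


@dataclass(frozen=True)
class Rule:
    """Allow traffic from workloads matching `source` to those matching `target`."""
    source: frozenset
    target: frozenset
    port: int


def allowed(rules, src, dst, port):
    """Default deny: a connection passes only if some rule matches both ends."""
    return any(r.source <= src.labels and r.target <= dst.labels and r.port == port
               for r in rules)


# Constructed three-tier application.
RULES = [
    Rule(label_set(app="frontend"), label_set(app="orders"), 8080),
    Rule(label_set(app="orders"), label_set(app="db"), 5432),
]
frontend = Workload("frontend-1", "10.0.0.5", label_set(app="frontend"))
orders = Workload("orders-1", "10.0.0.6", label_set(app="orders", version="v1"))
db = Workload("db-1", "10.0.0.7", label_set(app="db"))
# A rebuilt orders container: new IP and version, same app label, same RULES.
orders_v2 = Workload("orders-2", "10.0.0.42", label_set(app="orders", version="v2"))

if __name__ == "__main__":
    print("frontend -> orders:8080", allowed(RULES, frontend, orders, 8080))
    print("frontend -> db:5432   ", allowed(RULES, frontend, db, 5432))
    print("orders_v2 -> db:5432  ", allowed(RULES, orders_v2, db, 5432))
```

A compromised frontend cannot reach the database directly, and the replacement orders container is covered by the existing rule without any change to the policy.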
When running containerized apps in production, there are numerous access points through which vulnerabilities can enter the system. It’s impossible to manually crawl through logs to find breaches. What’s needed is threat detection during runtime. Additionally, this threat detection needs to be powered by machine-learning algorithms that can crawl large quantities of data and draw patterns between the various parts of the system. This way, when there is any suspicious activity, the threat detection tool can find it before it becomes an incident.
There is a lot at stake when securing enterprise applications. However, traditional security measures fall short when it comes to real-world attacks. Only modern, cloud-native applications have what it takes to secure the data in enterprise applications while enabling more powerful user experiences. Enterprise architects today should take advantage of the robust security features of containers and microservices as they build enterprise applications that strike the right balance between tradition and innovation.