Application Storage, Data Storage
Article | July 12, 2023
We’re all hoping that 2022 will finally end the unprecedented challenges brought by the global pandemic and things will return to a new normalcy. For IT infrastructure and operations organizations, the rising trends that we are seeing today will likely continue, but there are still a few areas that will need special attention from IT leaders over the next 12 to 18 months.
In no particular order, they include:
The New Edge
Edge computing is now at the forefront. Two primary factors that make it business-critical are the increased prevalence of remote and hybrid workplace models where employees will continue working remotely, either from home or a branch office, resulting in an increased adoption of cloud-based businesses and communications services.
With the rising focus on remote and hybrid workplace cultures, Zoom, Microsoft Teams, and Google Meet have continued to expand their solutions and add new features. As people start moving back to office, they are likely to want the same experience they had from home. In a typical enterprise setup, branch office traffic is usually backhauled all the way to the data center. This architecture severely impacts the user experience, so enterprises will have to review their network architectures and come up with a roadmap to accommodate local egress between branch offices and headquarters. That’s where the edge can help, bringing it closer to the workforce.
This also brings an opportunity to optimize costs by migrating from some of the expensive multi-protocol label switching (MPLS) or private circuits to relatively low-cost direct internet circuits, which is being addressed by the new secure access service edge (SASE) architecture that is being offered by many established vendors.
I anticipate some components of SASE, specifically those related to software-defined wide area network (SD-WAN), local egress, and virtual private network (VPN), will drive a lot of conversation this year.
Holistic Cloud Strategy
Cloud adoption will continue to grow, and along with software as a service (SaaS), there will be renewed interest in infrastructure as a service (IaaS), albeit for specific workloads. For a medium-to-large-sized enterprise with a substantial development environment, it will still be cost-prohibitive to move everything to the cloud, so any cloud strategy would need to be holistic and forward-looking to maximize its business value.
Another pandemic-induced shift is from using virtual machines (VMs) as a consumption unit of compute to containers as a consumption unit of software. For on-premises or private cloud deployment architectures that require sustainable management, organizations will have to orchestrate containers and deploy efficient container security and management tools.
Automation
Now that cloud adoption, migration, and edge computing architectures are becoming more prevalent, the legacy methods of infrastructure provisioning and management will not be scalable.
By increasing infrastructure automation, enterprises can optimize costs and be more flexible and efficient—but only if they are successful at developing new skills. To achieve the goal of “infrastructure as a code” will require a shift in the perspective on infrastructure automation to one that focuses on developing and sustaining skills and roles that improve efficiency and agility across on-premises, cloud, and edge infrastructures. Defining the roles of designers and architects to support automation is essential to ensure that automation works as expected, avoids significant errors, and complements other technologies.
AIOps (Artificial Intelligence for IT Operations)
Alongside complementing automation trends, the implementation of AIOps to effectively automate IT operations processes such as event correlation, anomaly detection, and causality determination will also be important. AIOps will eliminate the data silos in IT by bringing all types of data under one roof so it can be used to execute machine learning (ML)-based methods to develop insights for responsive enhancements and corrections.
AIOps can also help with probable cause analytics by focusing on the most likely source of a problem. The concept of site reliability engineering (SRE) is being increasingly adopted by SaaS providers and will gain importance in enterprise IT environments due to the trends listed above. AIOps is a key component that will enable site reliability engineers (SREs) to respond more quickly—and even proactively—by resolving issues without manual intervention.
These focus areas are by no means an exhaustive list. There are a variety of trends that will be more prevalent in specific industry areas, but a common theme in the post-pandemic era is going to be superior delivery of IT services. That’s also at the heart of the Autonomous Digital Enterprise, a forward-focused business framework designed to help companies make technology investments for the future.
Read More
Hyper-Converged Infrastructure
Article | October 10, 2023
DApps (sometimes called Dapps) are from the blockchain universe and so, logically, the apps part stands for application (obviously) and the D part stands for decentralised (only obvious once you know that we’re talking distributed immutable language here). According to the guides section at blockgeeks, DApps are open source in terms of code base, incentivised (in terms of who validates it) and essentially decentralised so that all records of the application’s operation must be stored on a public and decentralised blockchain to avoid pitfalls of centralisation. So then, Cartesi is a DApp infrastructure that runs an operating system (OS) on top of blockchains. The company has now launched a more complete ‘platform-level’ offering, which is described as a layer-2 solution
Read More
Hyper-Converged Infrastructure, Windows Systems and Network
Article | July 11, 2023
Containers have emerged as a choice for deploying and scaling applications, owing to their lightweight, isolated, and portable nature. However, the absence of robust security measures may expose containers to diverse threats, thereby compromising the confidentiality and integrity of data and apps.
Contents
1 Introduction
2 IaaS Container Security Techniques
2.1 Container Image Security
2.2 Host Security
2.3 Network Security
2.4 Data Security
2.5 Identity and Access Management (IAM)
2.6 Runtime Container Security
2.7 Compliance and Auditing
3 Conclusion
1. Introduction
Infrastructure as a Service has become an increasingly popular way of deploying and managing applications, and containerization has emerged as a leading technology for packaging and deploying these applications. Containers are software packages that include all the necessary components to operate in any environment. While containers offer numerous benefits, such as portability, scalability, and speed, they also introduce new security challenges that must be addressed.
Implementing adequate IaaS container security requires a comprehensive approach encompassing multiple layers and techniques. This blog explores the critical components of IaaS container security. It provides an overview of the techniques and best practices for implementing security measures that ensure the confidentiality and integrity of containerized applications. By following these, organizations can leverage the benefits of IaaS and containerization while mitigating the security risks that come along.
2. IaaS Container Security Techniques
The increasing IAAS security risks and security issues associated with IAAS these days are leading to a massive data breach. Thus, IAAS security concerns are taken into consideration, and seven best techniques are drafted below.
2.1. Container Image Security:
Container images are the building blocks of containerized applications. Ensuring the security of these images is essential to prevent security threats. The following measures are used for container image security:
Using secure registries: The registry is the location where container images are stored and distributed. Usage of centrally managed registries on campus, the International Organization for Standardization (ISO) can scan them for security issues and system managers may simply assess package gaps, etc.
Signing images: Container images can be signed using digital signatures to ensure their authenticity. Signed images can be verified before being deployed to ensure they have not been tampered with.
Scanning images: Although standard AppSec tools such as Software Composition Analysis (SCA) can check container images for vulnerabilities in software packages and dependencies, extra dependencies can be introduced during the development process or even at runtime.
2.2. Host Security:
Host security is a collection of capabilities that provide a framework for implementing a variety of security solutions on hosts to prevent attacks. The underlying host infrastructure where containers are deployed must be secured. The following measures are used for host security:
Using secure operating systems: The host operating system must be safe and up-to-date with the latest high severity security patches within 7 days of release, and others, within 30 days to prevent vulnerabilities and security issues.
Applying security patches: Security patches must be applied to the host operating system and other software packages to fix vulnerabilities and prevent security threats.
Hardening the host environment: The host environment must be hardened by disabling unnecessary services, limiting access to the host, and applying security policies to prevent unauthorized access.
2.3. Network Security:
Network security involves securing the network traffic between containers and the outside world. The following measures are used for network security:
Using Microsegmentation and firewalls: Microsegmentation tools with next-gen firewalls provide container network security. Microsegmentation software leverages network virtualization to build extremely granular security zones in data centers and cloud applications to isolate and safeguard each workload.
Encryption: Encryption can protect network traffic and prevent eavesdropping and interception of data.
Access control measures: Access control measures can restrict access to containerized applications based on user roles and responsibilities.
2.4. Data Security:
Data stored in containers must be secured to ensure its confidentiality and integrity. The following measures are used for data security:
Using encryption: Data stored in containers can be encrypted, using Transport Layer Security protocol version 1.1. (TLS 1.1) or higher, to protect it from unauthorized access and prevent data leaks. All outbound traffic from private cloud should be encrypted at the transport layer.
Access control measures: Access control measures can restrict access to sensitive data in containers based on user roles and responsibilities.
Not storing sensitive data in clear text: Sensitive data must not be stored in clear text within containers to prevent unauthorized access and data breaches. Backup app data, atleast weekly.
2.5. Identity and Access Management (IAM):
IAM involves managing access to the container infrastructure and resources based on the roles and responsibilities of the users. The following measures are used for IAM:
Implementing identity and access management solutions: IAM solutions can manage user identities, assign user roles and responsibilities, authenticate and provide access control policies.
Multi-factor authentication: Multi-factor authentication can add an extra layer of security to the login process.
Auditing capabilities: Auditing capabilities can monitor user activity and detect potential security threats.
2.6. Runtime Container Security:
To keep its containers safe, businesses should employ a defense-in-depth strategy, as part of runtime protection.
Malicious processes, files, and network activity that deviates from a baseline can be detected and blocked via runtime container security.
Container runtime protection can give an extra layer of defense against malicious code on top of the network security provided by containerized next-generation firewalls.
In addition, HTTP layer 7 based threats like the OWASP Top 10, denial of service (DoS), and bots can be prevented with embedded web application and API security.
2.7. Compliance and Auditing:
Compliance and auditing ensure that the container infrastructure complies with relevant regulatory and industry standards. The following measures are used for compliance and auditing:
Monitoring and auditing capabilities: Monitoring and auditing capabilities can detect and report cloud security incidents and violations.
Compliance frameworks: Compliance frameworks can be used to ensure that the container infrastructure complies with relevant regulatory and industry standards, such as HIPAA, PCI DSS, and GDPR.
Enabling data access logs on AWS S3 buckets containing high-risk Confidential Data is one such example.
3. Conclusion
IaaS container security is critical for organizations that rely on containerization technology for deploying and managing their applications. There is likely to be an increased focus on the increased use of AI and ML to detect and respond to security incidents in real-time, the adoption of more advanced encryption techniques to protect data, and the integration of security measures into the entire application development lifecycle.
In order to stay ahead of the challenges and ensure the continued security of containerized applications, the ongoing process of IaaS container security requires continuous attention and improvement. By prioritizing security and implementing effective measures, organizations can confidently leverage the benefits of containerization while maintaining the confidentiality and integrity of their applications and data.
Read More
Application Infrastructure
Article | November 11, 2021
The rollout of 5G networks coupled with edge compute introduces new security concerns for both the network and the enterprise. Security at the edge presents a unique set of security challenges that differ from those faced by traditional data centers. Today new concerns emerge from the combination of distributed architectures and a disaggregated network, creating new challenges for service providers.
Many mission critical applications enabled by 5G connectivity, such as smart factories, are better off hosted at the edge because it's more economical and delivers better Quality of Service (QoS). However, applications must also be secured; communication service providers need to ensure that applications operate in an environment that is both safe and provides isolation. This means that secure designs and protocols are in place to pre-empt threats, avoid incidents and minimize response time when incidents do occur.
As enterprises adopt private 5G networks to drive their Industry 4.0 strategies, these new enterprise 5G trends demand a new approach to security. Companies must find ways to reduce their exposure to cyberattacks that could potentially disrupt mission critical services, compromise industrial assets and threaten the safety of their workforce. Cybersecurity readiness is essential to ensure private network investments are not devalued.
The 5G network architecture, particularly at the edge, introduces new levels of service decomposition now evolving beyond the virtual machine and into the space of orchestrated containers. Such disaggregation requires the operation of a layered technology stack, from the physical infrastructure to resource abstraction, container enablement and orchestration, all of which present attack surfaces which require addressing from a security perspective. So how can CSPs protect their network and services from complex and rapidly growing threats?
Addressing vulnerability points of the network layer by layer
As networks grow and the number of connected nodes at the edge multiply, so do the vulnerability points. The distributed nature of the 5G edge increases vulnerability threats, just by having network infrastructure scattered across tens of thousands of sites. The arrival of the Internet of Things (IoT) further complicates the picture: with a greater number of connected and mobile devices, potentially creating new network bridging connection points, questions around network security have become more relevant.
As the integrity of the physical site cannot be guaranteed in the same way as a supervised data center, additional security measures need to be taken to protect the infrastructure. Transport and application control layers also need to be secured, to enable forms of "isolation" preventing a breach from propagating to other layers and components. Each layer requires specific security measures to ensure overall network security: use of Trusted Platform Modules (TPM) chipsets on motherboards, UEFI Secure OS boot process, secure connections in the control plane and more. These measures all contribute to and are integral part of an end-to-end network security design and strategy.
Open RAN for a more secure solution
The latest developments in open RAN and the collaborative standards-setting process related to open interfaces and supply chain diversification are enhancing the security of 5G networks. This is happening for two reasons. First, traditional networks are built using vendor proprietary technology – a limited number of vendors dominate the telco equipment market and create vendor lock-in for service providers that forces them to also rely on vendors' proprietary security solutions. This in turn prevents the adoption of "best-of-breed" solutions and slows innovation and speed of response, potentially amplifying the impact of a security breach.
Second, open RAN standardization initiatives employ a set of open-source standards-based components. This has a positive effect on security as the design embedded in components is openly visible and understood; vendors can then contribute to such open-source projects where tighter security requirements need to be addressed.
Aside from the inherent security of the open-source components, open RAN defines a number of open interfaces which can be individually assessed in their security aspects. The openness intrinsically present in open RAN means that service components can be seamlessly upgraded or swapped to facilitate the introduction of more stringent security characteristics, or they can simultaneously swiftly address identified vulnerabilities.
Securing network components with AI
Monitoring the status of myriad network components, particularly spotting a security attack taking place among a multitude of cooperating application functions, requires resources that transcend the capabilities of a finite team of human operators. This is where advances in AI technology can help to augment the abilities of operations teams. AI massively scales the ability to monitor any number of KPIs, learn their characteristic behavior and identify anomalies – this makes it the ideal companion in the secure operation of the 5G edge. The self-learning aspect of AI supports not just the identification of known incident patterns but also the ability to learn about new, unknown and unanticipated threats.
Security by design
Security needs to be integral to the design of the network architecture and its services. The adoption of open standards caters to the definition of security best practices in both the design and operation of the new 5G network edge. The analytics capabilities embedded in edge hyperconverged infrastructure components provide the platform on which to build an effective monitoring and troubleshooting toolkit, ensuring the secure operation of the intelligent edge.
Read More