Sponsored: The Zero Trust Future: Using DevSecOps and Containerization to Secure Cloud Infrastructure
Zero Trust centers on preventing successful breaches by eliminating the whole concept of trust from an organization’s digital environment.
Zero Trust, a strategic security model to “never trust, always verify,” centers on preventing successful breaches by eliminating the whole concept of trust from an organization’s digital environment; instead, everything must be proven.
Traditionally, trust was conferred on known, inventoried devices reconnecting to a network, or on the presentation of valid login credentials. Under Zero Trust, however, familiar devices and valid accounts no longer qualify for an express lane with lighter security screening. With widespread cloud adoption and distributed users, devices and applications now commonplace, Zero Trust has to be applied across the entire computing environment for every transaction: either everything is safe or nothing is.
It’s important to note that Zero Trust is not a product; it is a methodology and doctrine for building a secure architecture. Often perceived as an expensive undertaking, it is actually built on existing architecture, so it doesn’t require DOD IT leaders to rip and replace technology already in use. Rather, the methodology is supported by newer application development approaches like DevSecOps and containerization, which provide unique opportunities to apply more stringent security better and faster. These methods of software development are fast becoming essential to meeting DISA and DOD security guidelines.
Embed Security from the Beginning
DevSecOps is a powerful, innovative way to reorient how software is built into a consistent and expedited process. Moving security “upstream” (shifting left) as a core part of the overall software development process ensures that security is baked into coding, that software is security-tested before deployment, and that issues arising after deployment can be resolved quickly. By automating the full development workflow, the same security policy can be embedded at each step along the way, even into production, and enforced through policy that mandates that vulnerabilities be addressed as they are discovered.
Using containerization in that DevSecOps process keeps the entire development and security stack inside a discrete image. By their nature, containers provide unique opportunities for doing security better. They are minimalistic; unlike a host that runs dozens of network-connected services, a container runs just one. Hosting discrete services makes network and host activity at runtime more predictable. Artifacts remain consistent, application management is simplified, and security is independent of the supporting infrastructure.
While implementing microservices (small, independently deployable services that compose a larger application) hosted on containers reduces the attack surface, it doesn’t eradicate all threats. To securely implement a microservices-based architecture, it’s important to adopt a strategic security approach like Zero Trust.
Using DevSecOps and Container Flexibility to Drive Zero Trust Principles
The whole notion of the Zero Trust model is to constrain the “blast radius” if the front end of an application is compromised, so that the compromise is limited to only the specific component the workload needs to perform its function in the larger topology. Cloud computing is well suited to enabling that protection.
Among cloud computing’s biggest transformational shifts is the rise of fluid virtualization and container infrastructures that can be configured to permit or deny crucial access, processes and workload functions. These operate according to fine-grained, policy-driven attributes and activities, which include details such as a user’s network history, account behavior, and compliant or non-compliant requests.
With storage, applications and processing power abstracted into the cloud, segmentation and security checks can be built in to monitor more closely what looks risky or suspicious from compliance and security perspectives. Because cloud systems can run far more finely compartmentalized containers, access to databases, storage and other functions no longer needs to be granted wholesale: processes can be spun up or shut down, and access revoked, when specific actions violate an organization’s policies or risk tolerance.
Cloud-Enabled Organizations Require Cloud-Delivered Security
Prisma Cloud delivers the networking and security that DOD organizations need in a purpose-built, secure, cloud-delivered infrastructure.
Prisma Cloud uses a deep level of visibility at the application layer to autonomously create a model of how all the various containers and services within an environment communicate with each other. Developers can actively enforce policy to ensure that only authorized connections are allowed.
Instead of microsegmenting from IP address to IP address, Prisma Cloud decides at an established control point whether a particular machine holds a secure identity entitled to access a particular service, irrespective of what authorizations an IP address happens to have. That is very powerful because, with containerization, developers build and tear down environments on demand. A finite number of zones is used instead of manually assigning an IP address to a particular container or host.
This is particularly important because many applications will not already be in containers. Some will be in different data centers; others a given organization doesn’t directly control but still has a backup to. That is where Prisma Cloud functionality is key: it is based not on IP addresses but on provider metadata, such as a specific tag associated with a specific image ID, or a given cluster being able to talk to other specific entities, regardless of what IP address they happen to have at any given point in time.
Prisma Cloud leverages the advances in the underlying container platform in a way that makes attaining Zero Trust far less manually intensive and a genuinely practical capability for DOD organizations to utilize. With threats continually increasing, that true posture of “never trust, always verify” has never been more critical to the defense of the warfighter and the nation.
Email us at FedDevSecOps@paloaltonetworks.com.