Software-defined perimeter architecture is key to security “Shifting Left” in CI/CD
A recent article in Data Center Knowledge – What Containers and Kubernetes Mean for Colocation Data Centers – described how flexibility associated with containerizing applications is accelerating the trend of companies moving workloads between clouds and colocation centers, while lessening the level of commitment that comes with deploying applications on one type of platform or the other.
In fact, 87% of enterprises are now using containers to facilitate rapid delivery of applications, and of that 87%, 90% are using Kubernetes in production. This rapid growth supports IT adoption of DevOps and suggests a “shift left” for considering security earlier in the CI/CD process. This has the potential to alleviate the lengthy waiting period at the end of the build while the applications are inspected by the Security Review teams. This move could accelerate the final stage – release to production.
The DCK article reflects the trend that containers are now opening important opportunities for the colocation industry, and that those opportunities could drive more organizations to migrate from the public cloud to colocation data centers while also increasing competition between colocation providers.
What the article did not address was the continuing concern that agile development processes don’t always address the security required by high risk applications, those having complex regulatory requirements. These applications are often developed to access a VPN and the VPN continues to be a major attack surface.
Some of these applications rely on SDN leaving them vulnerable to Distributed Denial of Service (DDoS) attacks that disrupt service by consuming resources. A DDoS attack that ramps up CPU or memory consumption on a virtual machine can actually steal resources from other VMs on the same physical infrastructure, having a broader effect than just the targeted system.
As organizations assess and adopt virtualization, containerizing and therefore SDNs, there are still questions around how to authenticate devices and authorize users to a specific application BEFORE granting access to the network. Software Defined Perimeter solves this by hiding an application from the internet and enabling authorization before access.
A university team analyzed the performance of Software Defined Perimeter (SDP) in conjunction with the SDN architecture. Based upon experimentation with Waverley Lab’s Open Source SDP, the team found ways where SDP adds an extra measure of security in the authentication process during a DDoS attack. The Waverley “deny all” gateway interrupts the DDoS attack allowing application access to only authorized users on authenticated devices. Users continue work, uninterrupted, by the DDoS attack.
The team led by professors, Ahmed Refaey of Manhattan College and Abdallah Shami of Western University, detailed findings and conclusions in a new paper titled, “On the Security of SDN: A Completed Secure and Scalable Framework Using the Software-Defined Perimeter.”
Figures 8 and 9 from the paper (and shown below), detail SDP’s ability to mitigate the flood of DDoS attacks at both the client and server. It is noted that with SDP enabled within the SDN architecture, 75% of network throughput is without interruption or loss of connection. An additional bonus that SDP provides is that the services on premises or in the cloud are totally hidden from all but authorized users/devices.
Data centers, particularly multi-tenant data centers with hundreds of enterprise and government customers, must protect against DDoS attacks. Data centers are also increasingly enabling DevOps teams as they seek to automate and optimize service delivery through use of containers and advanced software-defined platforms.
As DevOps teams move towards cloud environments (such as AWS or IBM) and/or on premise containerizing (using Docker, Kubernetes and RedHat OpenShift), SDP enables them to shift left earlier in CI/CD delivery methodologies that is becoming critical to achieving agile build and ship timelines.
The results of the study clearly illustrate this and how SDP is effective in slowing down DDoS attacks on critical network functions. To read the detailed findings in the paper, Click here to download it.