By Ran Ilany, co-founder and CEO for Portshift

Organizations that implement containers often ask about using a service mesh layer. While this isn’t obligatory by any means, there are many benefits to running a service mesh that makes it the sensible choice for organizations seeking security, efficiency, and reliability.

In this article, we will explore the impact of service mesh, discuss the three main ways that a service mesh raises your security profile, and explain how to best implement a service mesh in a way that maximizes benefits while minimizing your DevSecOps time and labor cost.

What is a service mesh?

Service mesh is a networking model that forms an infrastructure layer within your architecture. It’s made up of a data plane, which contains the proxies that manage network traffic, and a control plane, which configures the rules that control the data plane. The advent of cloud-native applications and containers created a need for a lightweight and agile service that can deliver vital application services such as load balancing, traffic management, routing, health monitoring, security policies, service and user authentication, and protection against intrusion and DDoS attacks.

The concept of the mesh comes from the numerous proxies in the data plane that connect the many disparate containers, clusters, and layers that make up the complex cloud-native environment. These proxies communicate between services, deliver application services, and monitor the constantly-changing state of service instances, spreading the load across the dynamic service mesh layer, while the control plane tracks and records all of these interactions.

What are the security benefits of service mesh?

1. Increased transparency into complicated interactions:

It’s difficult to follow the complex flow of traffic behavior within a dense and murky cloud-native environment. Each message takes such a winding path through the topology, moving between layers of the infrastructure and journeying from pod to pod on a unique track. Service mesh brings transparency to the way in which vital application services are delivered, enabling you to track their behavior.

2. Better security in service to service communication:

An increase in microservices means a parallel increase in network traffic, opening up more opportunities for hackers to break into the flow of communication. Service mesh helps to secure interactions within the network by offering mutual TLS as a full-stack solution to solve the following:

• Authenticating services
• Encrypting traffic between services
• Enforcing security policies

Service mesh providers generate, authorize, and authenticate security certificates in the proxies, enabling the validation of requests and ensuring access controls. Service mesh enables the creation of authorization rules based on the identities in the certificate that are exchanged using mutual TLS protocol.

However, it’s important to remember that service mesh is not a magic wand. There’s a risk that security teams could be lulled into a false sense of security by the existence of a service mesh and end up relaxing other security efforts. A hacker that can compromise the control plane or avoid proxies in the data plane can access immense vulnerabilities in service mesh.

3. Encryption:

With so much communication between microservices, solid encryption becomes a pillar of network security. Service meshes manage keys, certificates, and TLS configuration to ensure continual encryption that doesn’t fail on you. They also provide policy-based authentication that allows two services to establish mutual TLS configuration for secure service-to-service encrypted communication, as well as end-user authentication. With a service mesh, the user no longer needs to implement encryption or manage certificates; these responsibilities are moved from the app developer to the framework layer.

The introduction of microservices, containers, and a cloud-native environment has produced an increasingly disparate environment, which allows for greater flexibility and agility, but also risks leading to fragmentation and dissolution. The service mesh holds these discrete components together, so they can communicate and cooperate. What’s more, the service mesh brings significant security advantages. You can use service mesh to increase network security through encryption, improved service-to-service communication, and enforcement of security policies.

About the Author

Ran Ilany is the founder and CEO of Portshift, a leader in cloud-native application security. Prior to Portshift, he was head of security infrastructure for Check Point Technologies and has held executive positions with Blade Fusion and MainControl (IBM). Ran holds a Bachelor of Science in Computer Science and Robotics from the Technion.

Many security professionals run personal labs. Trying to create an environment that includes fairly modern Windows systems can be a challenge. In the age of "infrastructure as code," there should be a simpler way to deploy systems in a repeatable, virtualized way -- right?

Enter

, a project by

. Briefly, Chris built a project that uses

and

to create an instrumented lab environment. Chris explained the project in late 2017 in a

, which I recommend reading.

I can't even begin to describe all the functionality packed into this project. So much of it is new, but this is a great way to learn about it. In this post, I would like to show how I got a version of DetectionLab running.

My build environment included a modern laptop with 16 GB RAM and Windows 10 professional. I had already installed

with the appropriate VirtualBox Extension Pack. I had also enabled the

and performed all DetectionLab installation functions over an OpenSSH session.

My first step was to install

, a package manager for Windows. I wanted to use this to install the Git client I wanted to use to clone the DetectionLab repo. Commands I typed at each stage are in bold below.

With Chocolatey installed, I could install Git.

With Git installed, I can clone the DetectionLab repo from Github.

Before going any further, I needed to install Vagrant.

Now we are finally at the point where we can install DetectionLab. Note that in my example, I downloaded boxes already built by Chris. I did not build my own, in order to save time. You can follow his instructions to build boxes yourself.

I saw an error regarding the win10 host, but that did not appear to be a real problem.

I used the Virtualbox command line program to check the status of the new VMs.

Next I decided to use Vagrant to check on the status of the boxes, and to interact with one if I could. I wanted to find the Bro and Suricata logs.

Chris is using Docker to provide some of the Logger host functions, e.g.:

One of the issues I encountered involved the IP addresses to which VMs bound their Virtualbox Remote Display Protocol servers. The default configuration bound them to localhost on my Windows laptop. That was ok if I was interacting with that laptop in person, but I was doing this work remotely.

I could RDP to the laptop, and then RDP from the laptop to the VMs. This works, but it was a slight hassle to log into the Windows 2016 server which required a ctrl-alt-del sequence. This is a nuanced issue that can be solved by using the on screen keyboard (osk.exe) to enter the ctrl-alt-end sequence on the remote laptop, but I wanted an easier solution.

, who has done a lot of work customized DetectionLab to include Security Onion (a future post maybe?) suggested I modify the Vagrantfile with the following bolded content. This example is for the wef host in the Vagrantfile.

Basically, add the bold entries wherever you see a "virtualbox" option, to enable the VRDP server binding to 0.0.0.0 (which should be all IP addresses, to include the public IP, as I want).

Before I restarted the wef host, you can see below how the VRDE server is listening only on localhost on port 5932 (in bold).

This should allow me to access the "screen" of the VM via port 5932 and the IP of the host laptop. Unfortunately, there is some sort of conflict, as I saw the domain controller also reserved the same port for its VRDE.

I encountered a similar issue with the domain controller also failing to resolve a conflict with the host system RDP port.

I haven't solved these problems yet. I wonder if it's a result of using pre-built VMs, which use the 5.x series of Virtualbox extensions, while my Virtualbox system runs 6.0?

These are minor issues, for the result of all this work is four systems offering Windows client and server features, plus instrumentation. That could be another topic for discussion. I'm also excited by the prospect of

. Furthermore,

has a

that replaces some of the instrumentation with Security Onion!

Cloud Security Alliance Celebrates 10th Anniversary at CSA Summit 
at RSA Conference 2019

Starbucks CISO David Estlick among the Keynote Speakers

SEATTLE – RSA CONFERENCE 2019 - Jan. 14, 2019 –The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced its agenda for the CSA Summit 2019, a full-day event being held on March 4 in conjunction with the RSA Conference 2019. The CSA Summit 2019 will reflect on the lessons learned by enterprises and cloud providers as cloud has become the dominant IT system in the market, while also exploring new frontiers—such as artificial intelligence, blockchain and IoT—that will be accelerating change in information security in the next decade.

“This year marks the 10-year anniversary of CSA’s founding, and to commemorate this milestone, the CSA Summit will bring key thought leaders to the main stage and look ahead to the next 10 years of cloud security. We’re excited to celebrate an extraordinary decade and look forward to another 10 years of raising awareness of best practices to help ensure not only a secure cloud computing environment but one in which emerging technologies present more opportunities than threats,” said Jim Reavis, founder and CEO, Cloud Security Alliance.

This year’s stellar line-up will include the following sessions:

• Security Re-Defined: How Valvoline Went to the Cloud to Transform its Security Program and Accelerate Digital Transformation. Jason Clark, Chief Strategy Officer, Netskope, and Bob Schuetter, CISO, Valvoline.
• The Future of Privacy: Futile or Pretty Good? Jon Callas, Technology Fellow, ACLU.
• Securing Your IT Transformation to the Cloud. Jay Chaudhry, CEO, Chairman, and Founder, Zscaler.
• Ten Years in Cloud: An Observation of Success (Discussion Panel).
• Ready for Liftoff? Planning a Safe and Secure Cloud Migration. Jason Garbis, Vice President of Cybersecurity Products, Cyxtera.
• From GDPR to California Privacy: Managing Cloud Vendor Risk. Kevin Kiley, Vice President of Sales & Business Development, OneTrust.
• Behind the Scenes of MGM Resorts’ Digital Transformation (Case Study). Rajiv Gupta, Senior Vice President, Cloud Security Business Unit, McAfee, and Scott Howitt, Senior Vice President & CISO, MGM Resorts International.
• Blockchain Demo with Kurt Seifried, Chief Blockchain Officer, Cloud Security Alliance
• The Approaching Decade of Disruptive Technologies (Discussion Panel).

Keynotes from Symantec and IBM will also be speaking along with Starbucks CISO Dave Estlick.

Security professionals will want to take advantage of the CCSKv4 Plus training class (March 3-4). The course, led by Jon-Michael C. Brook, CISSP, CCSK, Certified AWS Solution Architect, provides a comprehensive review of cloud security fundamentals, prepares students to take the CSA CCSK v4 certificate exam and guides them through six hands-on labs that tie cloud security best practices to real-world applications.

Attendance is free to individuals registered as an RSA conference delegate or with an RSA Expo pass. Use code XEU9CSA and receive a free Expo Plus Pass (Offer is limited; expires Feb. 7) or use code 1U9CSAFD and receive $100 off full conference registration. Individuals must indicate their interest in attending on the CSA Summit session page (click the star icon in the upper right corner) after completing RSA registration. Seating is limited and the event reaches capacity each year.

WHAT: Cloud Security Alliance Summit 2019
WHEN: Monday, March 4, 8:30 am - 4:30 p.m.
WHERE: RSA Conference 2019 | Moscone Center South, Room 207
ATTENDEE REGISTRATION: https://www.rsaconference.com/events/us19/register
MEDIA REGISTRATION: Email [email protected] to receive press credentials and schedule pre-event/onsite interviews with CSA leadership and conference speakers.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

Contact
Kari Walker for the CSA
ZAG Communications
703.928.9996
[email protected]

New Cloud Security Alliance Study Finds Cybersecurity Incidents and Misconceptions Both Increase as Critical ERP Systems Migrate to Clouds

Seattle, WA – January 11, 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today released the findings from the first research survey on “Enterprise Resource Planning (ERP) Applications and Cloud Adoption.” The study offers greater insight into cloud preparation and migration, the features and benefits gained, and the security and privacy challenges for ERP systems in a cloud environment.

According to the survey, 69 percent of organizations are migrating data for popular ERP applications to the cloud, moving to major cloud infrastructure-as-a-service providers, with the overwhelming majority, almost 90 percent, stating that these applications are business-critical.

In line with the top three migration concerns - moving sensitive data followed by security and compliance - the research finds that attackers are evolving, too. Over half of the survey respondents stated that they expect security incidents in the cloud to increase in the next year.

Yet, when it comes to accountability, there are troubling misconceptions: While 60 percent of survey respondents claim that they feel the cloud service provider is responsible for a breach, 77 percent believe that it is the responsibility of the organization itself actually to secure their ERP applications. Third-parties are held least accountable and responsible. This perception gap shows that organizations need to take more ownership of their business-critical applications while migrating them to the cloud.

“The cloud computing ecosystem is maturing rapidly and business-critical applications, such as ERP solutions, are being moved to cloud environments. With this shift, organizations are starting to explore the question of whether a cloud environment might alleviate traditional challenges that business-critical applications normally face,” said John Yeoh, Director of Research, Americas for the Cloud Security Alliance. “As moving to the cloud raises its own security and privacy challenges, we wanted to provide some benchmarks regarding the myriad issues surrounding cloud migration and security.”

The study, which was sponsored by Onapsis, a leader in business-critical application security, surveyed 199 managers, C-level executives, and staff from enterprises in the Americas (49%), APAC (26%) and EMEA (25%).

“In any cloud migration, regardless of the provider, security must be implemented from the start and implemented in phases throughout the project. Organizations are concerned about moving sensitive data across environments, then addressing the security and compliance implications that come of that migration. Our studies have found that implementing security in each phase of the migration could save customers over five times of their implementation costs,” stated Juan Pablo Perez-Etchegoyen, CTO of Onapsis and Chair of the CSA ERP Security Working Group.

Among the survey’s other key findings:

• Americas (73%) and APAC (73%) were more likely to report that they were currently migrating business-critical applications to the cloud than those in EMEA, where regulations such as the European Union General Data Protection Regulation (GDPR) impacted organizational plans for technology purchases, cloud services, and third-party policies.
• Companies are taking added measures to protect their ERP applications in the cloud, including identity and access controls (68%), firewalls (63%), and vulnerability assessment (62%).
• On-premise models (61%) are employed most commonly, with cloud SaaS (41%), cloud IaaS (23%) and cloud PaaS (17%) following.
• Listed among the benefits of moving to the cloud were scalability with new technologies (65%), lower cost of ownership (61%) and security patching and updating by the provider (49%). Barriers listed were moving of sensitive data (65%), security (59%), and compliance challenges (54%).

Read the full results of “ERP Applications and Cloud Adoption.” The survey comes as a follow-up to the February report “The State of Enterprise Resource Planning Security in the Cloud.”

CSA research prides itself on vendor neutrality, agility, and integrity of results. Sponsors are CSA Corporate Members who support the findings of the research project but have no added influence on the content development or editing rights of CSA research.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

Media Contacts
Kari Walker for the CSA
ZAG Communications
703.928.9996
[email protected]