[BreachExchange] How to implement cybersecurity for modern application connectivity

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 24 18:35:14 EDT 2021


https://www.helpnetsecurity.com/2021/05/24/how-to-implement-cybersecurity-for-modern-application-connectivity/

The president’s recent executive order on improving the nation’s
cybersecurity highlights the security threats facing our country — and it
couldn’t be more timely.

Ransomware has been an ever-present threat to hospitals, financial
institutions, and U.S. infrastructure. The Colonial Pipeline hack forced a
shutdown of the U.S.’s largest fuel pipeline, leading to emergency
declarations in 17 states amidst gas shortages and price hikes. The White
House’s new cybersecurity executive order outlines the critical actions
required to better defend against and prevent similar threats in the future.

The order states that “protecting our nation from malicious cyber actors
requires the federal government to partner with the private sector.” The
private sector must “adapt to the continuously changing threat environment,
ensure its products are built and operate securely…”

The order also details that the federal government “must adopt security
best practices; advance toward Zero Trust Architecture; accelerate movement
to secure cloud services, including Software as a Service (SaaS),
Infrastructure as a Service (IaaS), and Platform as a Service (PaaS)…”
Specific security measures are outlined, including multi-factor
authentication and encryption for data at rest and in transit, as well as
approaches for authenticating all connection requests, having
consistently-implemented centralized controls, and more.

How does the order apply to today’s modern application networks and
cloud-first technologies? The rise of hybrid and multi-cloud environments,
distributed microservices applications, and container orchestration with
Kubernetes all imply a need for zero-trust application networking that
operates consistently and comprehensively in diverse heterogeneous
environments.

Contextualizing these trends with the executive order clearly implies that
API gateways and service meshes have suddenly become critical software
infrastructure, not just for the US federal government but also for any
private business that wants to be a technology supplier to the government.

It is imperative that all private businesses and governmental organizations
collaborate to secure connectivity for distributed, containerized,
microservices applications. This makes perfect sense, since attackers probe
the entire digital supply chain and its implementation rather than
restricting themselves to any one element of the total technology stack.

So, where do API gateways and service meshes come into play? Everywhere.
Both businesses and governments need to enable secure connectivity for
their microservices applications, both internal and external to the
organizations’ nominal boundaries, in data centers, in clouds, and out to
the edge for individual users’ mobile and desktop applications, and even
Internet of Things (IoT) infrastructure – like a gas pipeline!

An API gateway is the first point of “ingress” contact for a zero-trust
architecture, receiving, screening, and routing incoming application
requests to the appropriate applications. For a service mesh, it doesn’t
matter whether the underlying applications are running as microservices on
Kubernetes-orchestrated containers, on VMs, on cloud compute instances, or
as legacy monoliths on bare metal servers: all security policies should be
centrally administered and consistently and automatically enforced.

The best modern API gateways are built starting from the open-source Envoy
Proxy, and most open service meshes are built starting from the open-source
Istio, but there are vendors who have made it their business to expand on
these projects with commercial offerings that are much more secure, even
Federal Information Processing Standards (FIPS) ready.

Secure API gateways and service meshes should include features like
transport layer encryption with mutual authentication (TLS and mTLS), the
ability to manage secrets (credentials), a built-in web application firewall
(WAF), data loss prevention (DLP), extensible authentication
(certificate-based, as well as API keys, JSON Web Tokens, LDAP, OAuth, and
OIDC), federated role-based access controls (RBAC) and delegation, Open
Policy Agent (OPA) authorization, and vulnerability scanning.
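As an added illustration (not code from the article or from the Istio project), the Istio policy objects below show how three of the listed controls, namespace-wide mTLS, JWT authentication and RBAC, are expressed as centrally administered policy; the `payments` namespace, the `app: payments-api` label, the `istio-ingress` source namespace and the issuer URL are assumed placeholders.

```yaml
# Added example, not from the article. Namespace, labels and issuer are assumed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  # STRICT rejects plaintext between sidecars. The weak setting, PERMISSIVE
  # (what Istio applies when no policy exists), still accepts plaintext, so
  # a caller outside the mesh could bypass mTLS entirely.
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-required
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments-api
  jwtRules:
    - issuer: "https://issuer.example.invalid"            # placeholder issuer
      jwksUri: "https://issuer.example.invalid/.well-known/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-api-rbac
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments-api
  action: ALLOW          # once any ALLOW rule exists, unmatched requests are denied
  rules:
    # RequestAuthentication alone only rejects *invalid* tokens; a request
    # with no token still passes. requestPrincipals: ["*"] is what makes a
    # valid JWT mandatory, and the namespaces match relies on the mTLS
    # identity established above, so both layers must hold.
    - from:
        - source:
            namespaces: ["istio-ingress"]
            requestPrincipals: ["*"]
      to:
        - operation:
            methods: ["GET", "POST"]
```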

API gateways and service meshes also need to remain reliable under heavy
load, such as a DoS attack, with features like rate limiting, quotas,
load balancing, and global failover routing to other resources if needed.
Access logging and unified observability through a central admin dashboard
and tools like Prometheus or Grafana are also requirements.

What is clear is that a sweeping executive order very quickly becomes more
complicated to implement when interpreted in the context of modern
applications and mixed operating environments. But if public and private
organizations want to join in the fight for modern application security,
they should review and assess the many tools needed to be successful in that
fight. And clearly, the battle to preempt and prevent cyberattacks is one
that affects us all.