The Need for Automation in Modern Microservice Environments
August 15, 2018

Reuven Harrison
Tufin

Microservices are a hot topic in IT circles these days. The idea of a modular approach to system building – where you have numerous, smaller software services that talk to each other instead of monolithic components – has many benefits.

Speed and the ability to change and adapt on the fly are often cited as reasons for the growing interest in and adoption of a microservices approach. Today's companies need to innovate quickly to remain at the top of their industries. Traditional development methodologies simply take too long. You need to be agile in order to establish and maintain your competitive advantage. 

That brings up competing goals between developers and security, but it doesn’t have to. Instead, there is a tradeoff that needs to happen between developers and security teams around the level of control each team has. The ideal scenario is that developers will control every step of the CI/CD pipeline in order to move fast, while allowing the security team to control enough of the process to make sure that security and compliance policies are adhered to.

Where is the middle ground? How can you heighten security without slowing development? How can organizations achieve this level of collaboration and make it work to their advantage?

Visibility

To be successful, visibility is key. For developers, this is the ability to see whether they adhere to security and compliance policies or not. These checks must happen at every stage of the CI/CD process. Security teams require the visibility to know whether developers are producing configurations that are aligned to security and compliances policies.

Without an easy way to view all activity, there's no way to make sure microservices are operating properly – which makes it increasingly harder to identify risk and solve potential problems.

But just having visibility into your systems – and knowledge of potential problems – isn't enough. You need to be able to protect against vulnerabilities and risky connectivity issues, while also establishing a way to make adjustments without limiting the efficiency and productivity of your developers. 

Automation

Automation makes sense for organizations that have embraced the DevOps approach to software delivery. Using continuous integration and continuous delivery tools, services can be created and modified so often that it becomes impossible to manually review and ensure each one is configured, deployed and communicating as intended – or is being operated in compliance with corporate security policies. Automating security in line with company policies can help protect microservices no matter where they're deployed – on-premise, or in a private or public cloud.

With automation, it becomes easier to identify and protect vulnerable containers that could be externally accessible. Automation should be used to find security issues and then take actions to close up those vulnerabilities, limiting the impact of a breach or preventing one altogether. In addition, as any IT professional knows, the type and style of security issues and potential attacks change on a regular basis. Staying on top of each new potential security issue and constantly monitoring your implementations for them is difficult work; automation can do it for you on a regular basis. 

The best part is that automation can work in the background – ensuring that developers and teams are not bothered by the process, are automatically brought in line with corporate security policy – and do not have their efforts limited because of the need to remain compliant.

When done correctly, automation is an enabler of DevOps – making it easier for developers to build, deploy and operate secure applications at scale. 

Conclusion 

In embracing DevOps and microservices, companies have made a conscious decision to replace stale and inefficient business processes with more agile and effective ones that enable collaboration and empower innovation. It is easy to see that traditional security controls and processes are no fit for today’s development world. 

To be successful, organizations need visibility into and control of these new environments – and need it without disrupting the agile development process they have worked so hard to put in place. By embracing automation, they can truly have the best of both worlds. 

Reuven Harrison is CTO of Tufin
Share this

Industry News

February 27, 2020

Datadog announced an integration with Nessus from Tenable.

February 27, 2020

Talend announced the Winter ‘20 release of Talend Data Fabric.

February 27, 2020

Alcide announced that the Alcide Kubernetes Security Platform now supports compliance scans for PCI and GDPR, enabling DevOps to deliver regulatory compliance checks rapidly and seamlessly alongside Alcide’s leading Kubernetes security capabilities.

February 26, 2020

Perforce Software released a free tool for organizations considering open source software - OpenLogic Stack Builder.

February 26, 2020

Applause announced a new partnership with Infosys to provide broader end-to-end digital experience testing services to clients.

February 26, 2020

RapidMiner announced the release of its platform enhancement, RapidMiner 9.6. This update prioritizes people – not technology – at the center of the enterprise AI journey, providing new, unique experiences to empower users of varying backgrounds and abilities.

February 25, 2020

JFrog announced the availability of the "JFrog Platform," a hybrid, multi-cloud, universal DevOps platform.

February 25, 2020

Nureva added new agile canvas templates to Span Workspace, including a heat map developed by Jeff Sutherland, the co-creator of Scrum and founder of Scrum Inc. and Scrum@Scale.

February 25, 2020

Agiloft announced the addition of its new Agiloft AI Engine, complete with prebuilt AI Capabilities for contract management and an open AI integration that allows customers to incorporate custom-built AI tools into the no-code platform.

February 24, 2020

Cloudify announced that its latest product update - Cloudify version 5 - features an Environment as a Service component, designed to achieve consistent delivery and management of hybrid-cloud services and network infrastructures across CI/CD pipelines - at scale.

February 24, 2020

Checkmarx announced new enhancements to its Software Security Platform to empower more seamless implementation and automation of application security testing (AST) in modern development and DevOps environments.

February 24, 2020

Rapid7 and Snyk announced a strategic partnership to deliver end-to-end application security to organizations developing cloud native applications.

February 20, 2020

The American Council for Technology and Industry Advisory Council (ACT-IAC), the premier public-private partnership dedicated to advancing government through the application of information technology, officially announced the release of the DevOps Primer.

It was produced through a collaborative, volunteer effort by a working group from government and industry, hosted by the ACT-IAC Emerging Technology Community of Interest (COI).

February 20, 2020

DLT Solutions, a subsidiary of Tech Data, launched the Secure Software Factory (SSF), a framework that provides the U.S. public sector with consistent development and deployment of high-quality, scalable, resilient and secure software throughout an application’s lifecycle.

February 20, 2020

Netography announced the general availability of the company’s Security Operations Platform.