Securing Web Applications in Microservices Architectures

By Mark Byers | August 28, 2018

Digital transformation involves much more than merely adopting IoT and moving to multi-cloud. It is utterly transforming how networks and services are being developed and deployed. Traditional software, for example, blends a range of features (such as a shopping cart, search function, catalog, and database) into a single, highly integrated package. But in today’s highly responsive and consumer-driven digital marketplace, this monolithic approach to development and deployment can severely slow down an organization’s ability to respond to market demands.

One response has been the development of microservices architectures. Rather than taking a traditional, highly integrated approach to software or network architecture development, new agile development approaches build each component and feature in isolation, independent of all other functions. They then leverage open communications standards so that these separate components can interoperate. This iterative and incremental approach allows an organization to more rapidly develop, deliver, and customize applications, software, and infrastructures, thereby enabling it to more effectively respond to the continually evolving demands of today's digital market.

Of course, security also plays a critical role in the development and adoption of this sort of distributed development and deployment model. Organizations need to be able to ensure that security has been fully integrated into the process to not only protect traditional data and communications transactions, but to also secure the microservices architecture itself as its various components interoperate.

The need for seamless portability

Portability is another critical component of managing and securing today’s multi-ecosystem architectures. Because workflows and data need to pass seamlessly from one networked ecosystem to another, application components need to operate consistently regardless of the environment in which IT teams have placed them, including physical, private, and multi-cloud environments. Likewise, security tools need to be seamlessly deployed across these same networked ecosystems to ensure consistent policy enforcement and orchestration.

To make this happen, DevOps teams need to be able to quickly and easily port a security solution across different devices, different laptops, and different environments. Container-based technologies enable software to run reliably and consistently, even when moved from one computing environment to another—whether from a developer's laptop to a test environment, from a staging environment into production, and even from a physical machine deployed in a data center to a virtual machine located in a private or public cloud—thereby significantly simplifying deployment, management, updates, and interoperability.

Today’s agile networks require Web Application Firewall portability

Because web-based applications are so widely distributed, and can traverse such a wide variety of back-end network environments, protecting them requires Web Application Firewalls (WAFs) with a similarly extended span of control. Instead of a fixed appliance that can't be easily moved or deployed consistently across different environments, security teams can move container-based WAF solutions seamlessly and effortlessly across any supported platform.

This level of portability is beneficial not only for protecting the growing number of users and data using web applications directly, but also for securing QA, staging, and pre-production environments, where engineers would otherwise have to substantially reconfigure a VM any time they move an application.

FortiWeb for containers

While containers are generally considered to be more secure by default than virtual machines, organizations still need to be vigilant about securing them. This requires the use of best practices to mitigate security risks, and applying edge security to protect both the containers and the transactions occurring between them.

Fortinet has just released a FortiWeb WAF solution designed for container-based environments that supports Docker container management. While this new FortiWeb container-based solution comes in a virtual appliance form factor, it is not a “VM” in the traditional sense. Instead, it is hypervisor independent, does not get assigned to a specific CPU, and provides portability and ease of deployment for DevOps applications. This extended functionality provides seamlessly integrated web application security for today’s microservices architectures—including those that span multiple devices and environments.

Conclusion

As organizations move to adopt agile development strategies and deploy microservices architectures, security continues to be a critical concern. When a development team writes, tests, updates, or deploys an application inside containers, the environment remains consistent across all parts of the delivery chain. While this makes collaboration between different teams (developers, testers, and admins) easier because they are all working with the same containerized environment, it also means that threats can easily move laterally across environments. FortiWeb’s container-based web application firewall provides consistent security for these emerging container-based development, testing, and production environments.

 
