iTNews Asia: Given the pandemic, and the growing push into hybrid clouds and edge computing, are microservices primed to take off? How do you see the market evolving? What's driving growth?
Serkan Cetin: Over the last few years we've already seen more organisations utilise cloud technologies to deliver applications and services to their users and their clients, mostly driven through transformation initiatives, and this will continue to grow over the coming years to develop and bring new services to market.
However, implementing security, and specifically identity security practices, is not always considered up front as part of the transformation, as organisations were under pressure to rapidly deliver capabilities and bring forward these projects. This can have further knock-on effects on an organisation’s security posture, potentially leave them vulnerable to new attack methods, and can lead to data breaches.
As the adoption of these technologies continues to grow, organisations will need to review their security practices and tooling to make sure it's capable of supporting their hybrid IT environments.
Additionally, microservices are in use in most industries and almost all web-delivered applications. It actually makes development easier and is always a component of DevOps. The issue is that many people don’t really understand that the concept is what they are often already doing.
This of course leads to the additional problem that this silent adoption is occurring, and yet the security to handle them is often not in place since management isn’t connecting the need that DevOps should always be DevSecOps… or DevOps with a security/privacy first mindset.
iTNews Asia: Let's talk about the setbacks – for some organisations microservices have not delivered on their promise. They found it difficult to handle complex tasks or to manage heterogeneous microservices. What can be done to make this more efficient?
Serkan Cetin: A microservices infrastructure can create problems, and managing and keeping secure hundreds of heterogeneous microservices is certainly challenging.
What we are seeing is that unfortunately microservices are rarely designed with security in mind, so there is an element of catch-up and a greater need for collaboration with security teams and DevOps teams.
Compliance is also made more problematic, as they first need to know how many and which microservices are using that data, and exactly who has access to exactly which microservice.
The ultimate issue is that there is a demarcation in people’s thinking between DevOps and DevSecOps. In reality the term DevSecOps should not be necessary, as security and privacy should be involved in the development teams. The largest issues here are two-fold.
First off, corporate security and developers often set up separate security systems including things like password vaults and then do not integrate them. Security is often not involved in the development at all and therefore the security is unmonitored by the security teams. This can be easily corrected by using a solution that supports multiple vaults.
The second issue is that most development teams do not take either security or privacy training. In reality, privacy and security training should be required for positions like product owner or scrum master, as well as senior developers.
Additionally, compliance officers need to take a closer look at their development teams, as they are very likely to cause a compliance nightmare when left without monitoring or controls.
iTNews Asia: There are still companies running complex applications, databases and ERPs in traditional on-premises and cloud environments. Does monolithic still make sense for some applications? Would you agree microservices were never a solution to every problem? When do microservices become most sensible to use?
Serkan Cetin: Organisations should adopt microservices if they know they have the infrastructure and resources to diligently oversee the security and compliance of data. There is no right or wrong in terms of monolithic versus microservices, but whilst there is an undoubtable shift towards agile and microservices, in order to respond quickly as a business or organisation, the security and privacy considerations should move higher up the agenda at the same time.
In the end, when done right, microservices significantly increase development speed. However, most applications start by moving to a hybridisation of monolithic and microservices before going purely one way or the other.
Some never leave that state. So when are microservices the most sensible? Whenever a component needs to be able to have rapid changes, like a user interface or a web service or even security software. These need to change constantly for development, so the issues of rebuilding a monolithic application are tremendous.
iTNews Asia: With DevOps growing, would you agree security and compliance are going to be even more important in development? How are developers or the industry managing this (or not)? Will these concerns be addressed?
Serkan Cetin: Absolutely! With the adoption of DevOps methodologies, we're already finding that organisations are looking for ways to improve their security and compliance. Cyber threats are constantly evolving, and we can see from recent times how some of the breaches have utilised new attack methods to obtain access, such as targeting the supply chain or targeting new technologies and cloud services.
A common security challenge many will face in DevOps practices is managing the secrets, keys and privileged access to systems and applications. Some may have hardcoded the passwords or keys into the application, which is a security risk: not only is the secret then known to the individual(s) who wrote the code, who can continue using it in other applications or share it with others, it also opens the possibility for an attacker to inject malicious code to extract it, or to take advantage of it to obtain access to the application and data.
Development teams need to be working with a security/privacy-first mindset, and security should be involved throughout the development process and with the development teams. The approach organisations can take to address this challenge is to utilise Privileged Access Management (PAM) solutions.
PAM technologies enable organisations to implement a secure method for key and secret usage, and work towards adopting DevSecOps practices. PAM technologies provide the ability to manage, monitor, record and audit the use of accounts and secrets, and eliminate the need for hardcoded passwords.
iTNews Asia was speaking to Serkan Cetin, Technical Director, APJ at One Identity