Traditionally, security teams have been accustomed to investigating incidents and rolling back to a previous code release when they detect a serious issue. With the rise of modern cloud-native applications and immutable infrastructure, however, security engineers have new options at their fingertips, and those options are more sophisticated than a simple rollback.
What is Immutable Infrastructure?
To understand how cloud-native, immutable infrastructure changes the security game, you first have to understand what immutable infrastructure means.
Put simply, immutable infrastructure refers to infrastructure whose components are designed to be destroyed and replaced with new versions whenever a change is necessary, rather than modified in place. This distinguishes it from conventional deployment practice, in which components are typically patched or reconfigured while still running instead of being redeployed whenever a change takes place.
Docker containers are the prime example of immutable infrastructure. When you want to deploy an application inside a container, you pull an image, a read-only, content-addressed bundle of the code and dependencies needed to run the application, and start a container from it. The image itself never changes. One caveat worth knowing: a running container still gets a thin writable layer on top of the image, so "immutable" describes the image and the deployment process, not a guarantee that a process inside the container cannot write to disk, unless you start the container with a read-only root filesystem.
When it comes time to change the application, to correct a security vulnerability, for example, or to add a new feature, you build an updated image, destroy the existing container instances, and start new ones from the updated image in their place. Nothing is patched inside a running container.
For IT Ops teams, the chief advantage of immutable infrastructure is clean, predictable updates. In the past, updating a running application or infrastructure component was risky because you couldn't be sure the update had worked until it was already applied to the live system, and undoing a half-applied change was rarely clean.
With immutable infrastructure, however, the updated version of a resource is built and tested as a complete artifact before it goes live, and the exact artifact that passed testing is what gets deployed, which provides a high level of confidence that nothing will go awry.
What Immutable Infrastructure Means for Security
The benefits of immutable infrastructure are not limited to the way IT Ops teams deploy applications. Security engineers, too, can gain much by taking advantage of the special features that immutable infrastructure provides.
On this front, there are two main ways in which security teams can benefit from immutable infrastructure combined with cloud-native technology, like containers.
Faster and More Deterministic Incident Resolution
A long-standing challenge in incident response has been separating the anomalous from the normal. Classical systems were stateful and changed over time, which made this difficult because there was no simple way to define the baseline: a process or file that looked out of place might just be the residue of a past upgrade or an administrator's manual fix.
With immutable infrastructure, baselines are far more definitive, and anomalies are correspondingly easier to identify. Instead of hand-writing rules that enumerate the abnormal, a reference model of normal behavior can be built, learned by machine learning from observed behavior or derived directly from the image contents, and anything outside that model can be treated as anomalous. The caveat is that "outside the model" means "unexpected", not necessarily "malicious", so a deterministic baseline shrinks triage rather than eliminating it.
For example, in a traditional system running a web server, you'd need to create multiple manual rules: only httpd may run, it may only listen on tcp/80, and it may only write to /var/log/httpd. Because that web server would be updated in place throughout its life, you'd probably also have to loosen the first rule to allow any version of httpd to run in order to accommodate upgrades.
Further, while you may have a firewall rule that only allows the VM to accept connections on tcp/80, it is usually impractical to ensure that only a specific binary (or a specific version of that binary) is the one listening there.
With immutable infrastructure, all of this is much easier. Versioning happens at the image level, so a model can be learned per application version and can be as specific as: only a binary with this exact checksum may run, and only that binary may bind the socket. Any executable whose hash is not in the image, or any other process binding the port, is by definition outside the baseline. This makes it practical to identify an incident immediately, even when a skilled attacker is acting quietly.
Further, because the baseline is a trustworthy reference model of what's normal, security tools can enforce it and block anomalous actions before they do damage, rather than only reporting them afterwards. Finally, gathering forensic data during incident response is much simpler, because it can be collected continuously and efficiently from outside the container (from the host, for example) and stored separately from the compromised entity, where an attacker inside the container cannot alter it and where it survives the container being destroyed and replaced.
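The checks described above, as an added example that is not code from the original article: the baseline is derived from the image itself (the hash of each shipped binary, the one binary allowed to own each listening port, and the directories the workload may write under), and a stream of exec, bind and write events is compared against it. The event format, the `Baseline` class, the paths and all sample data are constructed for this illustration; a real deployment would feed in events observed from the host.

```python
"""Deterministic anomaly detection against an immutable-image baseline.

Added example, not code from the original article.  The baseline is
derived from the image contents, so "normal" is fixed by the image
digest rather than learned from a drifting host.  The event format
and all sample data below are constructed for this illustration.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the bytes of the httpd binary shipped in the image.
HTTPD_BYTES = b"httpd 2.4 release build (constructed)"


@dataclass(frozen=True)
class Baseline:
    """What one specific image version is allowed to do."""
    allowed_exec: dict             # executable path -> sha256 of the shipped binary
    allowed_bind: dict             # tcp port -> the only path allowed to bind it
    allowed_write_prefixes: tuple  # directory prefixes the workload may write under

    @classmethod
    def from_image(cls, files, listeners, write_prefixes):
        # files: path -> bytes of the binary exactly as shipped in the image
        return cls(
            allowed_exec={p: sha256_hex(b) for p, b in files.items()},
            allowed_bind=dict(listeners),
            allowed_write_prefixes=tuple(write_prefixes),
        )


def check_event(baseline: Baseline, ev: dict):
    """Return None if the event fits the baseline, otherwise an alert string."""
    kind = ev["kind"]
    if kind == "exec":
        expected = baseline.allowed_exec.get(ev["path"])
        if expected is None:
            return f"exec of binary not in baseline: {ev['path']}"
        if ev["sha256"] != expected:
            return f"exec of modified binary: {ev['path']} (hash mismatch)"
    elif kind == "bind":
        owner = baseline.allowed_bind.get(ev["port"])
        if owner is None:
            return f"bind on unexpected port tcp/{ev['port']} by {ev['path']}"
        if ev["path"] != owner:
            return f"tcp/{ev['port']} bound by {ev['path']}, expected {owner}"
    elif kind == "write":
        if not any(ev["path"].startswith(p) for p in baseline.allowed_write_prefixes):
            return f"write outside allowed paths: {ev['path']}"
    else:
        return f"unknown event kind: {kind}"
    return None


def check_events(baseline: Baseline, events):
    """Run every event through the baseline and return the list of alerts."""
    return [a for a in (check_event(baseline, e) for e in events) if a]


# Baseline for the web-server image: one binary, one port, one log directory.
BASELINE = Baseline.from_image(
    files={"/usr/sbin/httpd": HTTPD_BYTES},
    listeners={80: "/usr/sbin/httpd"},
    write_prefixes=["/var/log/httpd/"],
)

# Constructed event stream: three normal events, then a quiet intrusion
# (tampered binary, dropped tool, hijacked port, reverse-shell port, persistence).
SAMPLE_EVENTS = [
    {"kind": "exec", "path": "/usr/sbin/httpd", "sha256": sha256_hex(HTTPD_BYTES)},
    {"kind": "bind", "path": "/usr/sbin/httpd", "port": 80},
    {"kind": "write", "path": "/var/log/httpd/access_log"},
    {"kind": "exec", "path": "/usr/sbin/httpd", "sha256": sha256_hex(b"trojaned httpd")},
    {"kind": "exec", "path": "/tmp/.x", "sha256": sha256_hex(b"dropped tool")},
    {"kind": "bind", "path": "/tmp/.x", "port": 80},
    {"kind": "bind", "path": "/bin/sh", "port": 4444},
    {"kind": "write", "path": "/etc/cron.d/persist"},
]

if __name__ == "__main__":
    for alert in check_events(BASELINE, SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Note what an upgrade looks like under this model: a new httpd version means a new image, and therefore a new `Baseline.from_image(...)` with the new hash. The old baseline is discarded together with the old containers, so there is never a reason to loosen the rule to "any version of httpd".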
Whitelisting
Whitelisting can help security teams take further advantage of immutable infrastructure. Whitelisting means identifying the behaviors an application should be allowed to perform and automatically disallowing anything that is not on the whitelist.
For example, if an application should never listen on a certain port or consume more than a given amount of memory, whitelisting constrains it from doing so. In this way, whitelisting prevents exploitation in real time, while also giving security teams a clear signal of a breach: an attempt to do something the whitelist forbids.
When used in conjunction with immutable infrastructure, whitelisting makes it easy to deploy a secure application quickly and safely. Because the image is fixed, it can be tested for compliance with the whitelist rules before it is rolled out, and the very same image is then deployed once it is deemed stable.
In addition, immutable infrastructure makes it possible to change whitelist configurations and test them against specific versions of an application, so that the exact combination of policy and application image is validated before it is deployed into production.
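A pre-rollout gate of the kind described in the last two paragraphs, as an added example that is not part of the original article: a whitelist policy (allowed listening ports, a memory ceiling, allowed Linux capabilities, a read-only root filesystem, and a requirement that the image reference be pinned by digest rather than a mutable tag) is evaluated against a candidate deployment spec, and a compliance matrix re-runs the same evaluation for every policy version against every application version. The policy and spec field names are assumptions loosely modeled on container deployment specs, not any real API, and the image names and digests are constructed.

```python
"""Whitelist compliance gate for container rollouts.

Added example, not code from the original article.  Policy fields, spec
fields, image names and digests are assumptions constructed for this
illustration.  Pinning by digest matters because a tag such as ':1.3.0'
can be re-pointed at a different image, which silently breaks the
"test the artifact, deploy the same artifact" guarantee.
"""
import re

# A pinned reference ends in '@sha256:<64 hex chars>'; a tag alone is mutable.
DIGEST_RE = re.compile(r"^[a-z0-9][a-z0-9._:/-]*@sha256:[0-9a-f]{64}$")
MiB = 1024 * 1024


def parse_memory(quantity: str) -> int:
    """Parse '256Mi' / '1Gi' style quantities (or plain bytes) into bytes."""
    for suffix, mult in (("Ki", 1024), ("Mi", 1024 ** 2), ("Gi", 1024 ** 3)):
        if quantity.endswith(suffix):
            return int(quantity[:-len(suffix)]) * mult
    return int(quantity)


def evaluate(policy: dict, spec: dict) -> list:
    """Return the list of whitelist violations for one deployment spec."""
    violations = []
    if policy["require_digest_pinned_image"] and not DIGEST_RE.match(spec["image"]):
        violations.append(f"image not pinned by digest: {spec['image']}")
    extra_ports = set(spec.get("listen_ports", [])) - policy["allowed_listen_ports"]
    if extra_ports:
        violations.append(f"listens on ports outside whitelist: {sorted(extra_ports)}")
    mem = spec.get("memory_limit")
    if mem is None:
        violations.append("no memory limit set")
    elif parse_memory(mem) > policy["max_memory_bytes"]:
        violations.append(f"memory limit {mem} exceeds policy maximum")
    extra_caps = set(spec.get("capabilities", [])) - policy["allowed_capabilities"]
    if extra_caps:
        violations.append(f"capabilities outside whitelist: {sorted(extra_caps)}")
    if policy["require_read_only_rootfs"] and not spec.get("read_only_rootfs"):
        violations.append("root filesystem must be read-only")
    return violations


def compliance_matrix(policies: dict, specs: dict) -> dict:
    """Evaluate every policy version against every app version before rollout."""
    return {(pn, sn): evaluate(p, s)
            for pn, p in policies.items() for sn, s in specs.items()}


# Constructed policies: v2 moves the service to 8080 and drops all capabilities.
POLICY_V1 = {
    "allowed_listen_ports": {80},
    "max_memory_bytes": 256 * MiB,
    "allowed_capabilities": {"NET_BIND_SERVICE"},
    "require_read_only_rootfs": True,
    "require_digest_pinned_image": True,
}
POLICY_V2 = dict(POLICY_V1, allowed_listen_ports={8080}, allowed_capabilities=set())

# Constructed specs for two versions of the same web application.
SPEC_WEB_1_2 = {
    "image": "registry.example.com/web@sha256:" + "a" * 64,
    "listen_ports": [80],
    "memory_limit": "256Mi",
    "capabilities": ["NET_BIND_SERVICE"],
    "read_only_rootfs": True,
}
SPEC_WEB_1_3 = {
    "image": "registry.example.com/web:1.3.0",   # mutable tag, not a digest
    "listen_ports": [8080],
    "memory_limit": "512Mi",
    "capabilities": [],
    "read_only_rootfs": True,
}

POLICIES = {"policy-v1": POLICY_V1, "policy-v2": POLICY_V2}
SPECS = {"web-1.2.3": SPEC_WEB_1_2, "web-1.3.0": SPEC_WEB_1_3}

if __name__ == "__main__":
    for (policy_name, spec_name), problems in compliance_matrix(POLICIES, SPECS).items():
        status = "PASS" if not problems else "FAIL: " + "; ".join(problems)
        print(f"{policy_name} x {spec_name}: {status}")
```

Only the combination that passes the matrix is rolled out, and the passing spec already names the image by digest, so what reaches production is exactly what was tested.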
Conclusion
With immutable infrastructure and cloud-native technologies such as containers, tedious, risk-prone security workflows can become a thing of the past. Rolling back to an older application version and crossing your fingers that it doesn't break the rest of the environment is no longer necessary.
Instead, security vulnerabilities can be mitigated quickly in production by deploying new application images that conform to the whitelist rules.
For security teams, IT Ops teams and end-users alike, it’s a win-win-win. Security problems are addressed more quickly without causing new problems for the IT Ops team, and without disrupting services for end-users. The only losers are the bad guys.