It is always the case that changes – particularly radical changes – to application architectures have a ripple effect across the data center. And ripples turn into waves as they travel away from the epicenter, in this case leaving security professionals swamped. And like a bad B-movie disaster flick, the danger isn’t coming from just one side; it’s coming from two and threatening to squash security professionals not once but twice.
First there’s the threat coming from app dev, where applications are being decomposed into many small, highly distributed services, often deployed in containers and updated automatically, well, a lot. In web-scale shops, deploy frequency is measured in days; thanks to pressure from mobility, even enterprise deploys are now measured per week instead of per month or quarter. Combine that with a sudden explosion in the number of services deployed in any given cycle and you can see how the ripple becomes a wave very quickly.
Let’s take a break and look at what’s happening on the other side of the production environment: the consumer side. Here, SSL Everywhere (in practice TLS everywhere; the old name stuck) is gaining steam. For reasons including growing privacy and insider-threat awareness, the demand for “secure” connections to apps and sites everywhere (and anywhere) is quickly becoming one that must be addressed. Even browser builders are in the game, staunchly refusing to “go back” to the days when unencrypted, plain-old-HTTP was acceptable: browsers flag plain-HTTP pages as not secure and reserve newer features for HTTPS-only “secure contexts”, so unencrypted HTTP is being treated as deprecated even where it still technically works. “Support SSL/TLS or go home” is no longer something you can ignore.
Now, you, Security Pro, are sitting between these two waves. At this point you probably recognize that the issue is not so much accepting the notion of SSL everywhere as actually implementing it – especially once you also consider the impact on cloud-deployed apps.
Many folks have been content to implement SSL/TLS on a per-server (per-app) basis. Each app server gets its own certificate (which has to be managed, renewed and, when necessary, revoked) and has its configuration modified to ensure not only that it speaks SSL/TLS, but that it “upgrades” plain-old-HTTP connections to HTTPS – typically by redirecting them and then sending an HSTS header so the browser doesn’t come back over plain HTTP.
That might work okay in the old, traditional and very static world, but riddle me this: how does one ensure the proper certificates are on servers that are launched on demand to support elasticity in a cloud environment? How does one ensure proper certificate support and configuration on microservices (every single one of them) that are being deployed with ever greater frequency, and often with the same operational focus on elasticity as in cloud computing environments?
Testing alone is going to take time; precious time few security pros have these days given the frightening security skills shortage. Capital and operational costs are going to skyrocket (certificates and time ain’t cheap, you know). The waves are going to crash together and dump a thousand tons of water right on your head.
Still doing okay? Head between the knees and breathe deeply for a moment; it’ll pass.
Luckily this reality has yet to come to fruition. Microservices are just beginning to take off, and while SSL Everywhere is gaining a lot of traction, it has a ways to go yet. That means you have time to save your sanity and evaluate architectural options for handling the surge on both sides. That’s good, because there’s a lot to consider: from determining which protocol versions and cipher suites are still safe and which aren’t (SSLv3 and RC4 are out; forward-secret ECDHE key exchange with AEAD ciphers is the sane baseline), to whether you need or want (or can have) an HSM protecting the private keys, to how it’s going to impact all your other security infrastructure and how to address that with other solutions.
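To make the cipher question concrete, here is an added example (my code, not the author’s and not F5 or Tripwire code) using only Python’s standard-library `ssl` module. It builds a server-side context the way a hardened service or TLS-terminating proxy would, then asks OpenSSL which suites it actually enabled and audits them, alongside a “ship it” context that allows everything. The cipher string, the weak-suite name markers and the AEAD/forward-secrecy rules are my assumptions about a sane baseline, and the exact suite names depend on the OpenSSL build the interpreter links against.

```python
"""Audit the protocol versions and cipher suites a TLS server context will
actually negotiate.

Added example (not from the original article). Builds a server-side
ssl.SSLContext as a hardened per-service or proxy configuration would, then
checks what OpenSSL really enabled so weak suites are caught before the
service takes traffic. Standard library only.
"""
from __future__ import annotations

import ssl

# Assumed hardened profile: forward-secret ECDHE key exchange with AEAD bulk
# ciphers only. TLS 1.3 suites are governed separately by OpenSSL and are
# AEAD-only by design, so they pass the same checks below.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"

# Name fragments of suites that are broken or deprecated (RC4 per RFC 7465,
# 3DES/Sweet32, export-grade and anonymous suites, NULL encryption, MD5 MACs).
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def build_hardened_context() -> ssl.SSLContext:
    """Server context configured the way a hardened service should be."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and 1.1 off
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def build_legacy_context() -> ssl.SSLContext:
    """The 'it works, ship it' context: every suite OpenSSL will offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def is_aead(name: str) -> bool:
    """GCM, ChaCha20-Poly1305 and CCM are AEAD; everything else here is CBC."""
    return any(tag in name for tag in ("GCM", "CHACHA20", "CCM"))


def is_forward_secret(name: str) -> bool:
    """Ephemeral (EC)DHE key exchange; TLS 1.3 suites (TLS_*) always are."""
    return name.startswith(("ECDHE-", "DHE-", "TLS_"))


def enabled_suites(ctx: ssl.SSLContext) -> list[str]:
    """Suite names OpenSSL will actually offer for this context."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit(ctx: ssl.SSLContext) -> tuple[bool, list[str]]:
    """Return (passes, findings) for what the context would negotiate."""
    findings: list[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol: versions below TLS 1.2 are enabled")
    for c in ctx.get_ciphers():
        name = c["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak suite enabled: {name}")
        elif c["strength_bits"] < 128:
            findings.append(f"short key: {name} ({c['strength_bits']} bits)")
        elif not is_aead(name):
            findings.append(f"non-AEAD (CBC) suite: {name}")
        elif not is_forward_secret(name):
            findings.append(f"no forward secrecy: {name}")
    return (not findings, findings)


if __name__ == "__main__":
    for label, ctx in (("hardened", build_hardened_context()),
                       ("legacy", build_legacy_context())):
        ok, findings = audit(ctx)
        print(f"{label}: {'PASS' if ok else 'FAIL'} "
              f"({len(enabled_suites(ctx))} suites enabled)")
        for finding in findings[:5]:
            print("   ", finding)
```

Running it prints PASS for the hardened context and FAIL, with the offending CBC, non-forward-secret and anonymous suites, for the legacy one. The same `audit()` call belongs in a deploy pipeline or an instance’s boot-time self-check, so that every newly launched server or microservice proves its TLS profile before it joins the pool rather than waiting for a manual scan.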
SSL proxy-based architectures (terminating TLS at a proxy so inspection devices such as IDS, DLP and WAF aren’t blinded by encrypted traffic), traffic replication (mirroring the decrypted stream to passive sensors), and centralized certificate management are some of the options you should be considering now as potential solutions to the challenges that will inevitably arise as these two movements converge on you.
The ripples have started, but the waves have yet to gain full momentum. By initiating a review of your infrastructure and architectural options now, you may be able to weather both waves without being overcome by them.
About the Author: Lori MacVittie is responsible for evangelism across F5’s entire portfolio including a broad set of network and application security solutions. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine with a focus on applications and security. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.