Melpomene - Fotolia
As enterprises embrace DevOps and infrastructure automation that spans multiple clouds, perimeter-based IT security rapidly becomes a relic of the past.
Instead, DevOps security demands tools that work with ephemeral applications, elastic infrastructures and can be shared among multiple technical and business stakeholders in the organization.
Alaska Airlines first embarked on this journey in 2016, and signed on as the first customer of a startup, ShieldX Networks Inc., that emerged from stealth in 2017. That tool played a central role as the airline migrated legacy application to updated VMware-based private data centers, as well as public cloud services from AWS and Microsoft Azure. Now, the airline also plans to incorporate ShieldX for DevOps security as it moves apps to containers and Kubernetes.
"With the emergence of [a] multi-cloud and multi-data center [infrastructure], suddenly I've got two different cloud vendors with two different security policies, plus what I'm doing on premises, and I can't afford a team that gets equally deep on all those fronts," said Brian Talbert, director of network and connectivity solutions at Alaska Airlines, based in Seattle. "My nirvana was one vendor that could really simplify things and create a policy structure that overlays my whole environment."
Multi-cloud, microservices journey began with distributed security
Alaska Airlines' CEO met one of the ShieldX founders at an industry event in early 2016, and set up a meeting between Talbert and ShieldX reps. Talbert said he was impressed by ShieldX's product architecture, which is based on containers and can scale each DevOps security feature independently of the others. At that time, ShieldX's more established competitor vArmour had not embraced such an architecture, though that has changed since Talbert last compared the two tools.
ShieldX and vArmour, along with competitors such as Illumio, secure individual applications through network microsegmentation, which breaks the traditional perimeter-based IT security mold where a hardened "shell" of firewalls protect static data centers and the applications inside them. As cloud-native applications break free from individual servers and data center networks, that traditional security model must change, Talbert said.
"First we had [ShieldX] learn our legacy environment, so we could lift it out of the legacy data centers ... into our new data centers, and do it securely," Talbert said. Once the airline migrates apps to new data centers, including those in the public cloud, ShieldX tags get baked into DevOps deployment pipelines, to automatically deploy security policies with applications and follow them wherever they go.
Brian TalbertDirector of network and connectivity solutions, Alaska Airlines
The tag system, which Alaska Airlines engineers helped ShieldX to design, shields software engineers from the gory details of firewall ports and rules. It also folds in policy input from Alaska's infosec department so that security requirements and implementation don't have to be determined before each app deployment. In the past, IT ops teams took up to two weeks to map application security policy rules to individual firewalls -- now, they can add security policies to apps in a matter of seconds or minutes.
The simplicity of the tag system for Alaska Airlines stakeholders not steeped in IT ops minutiae was also a strong advantage for ShieldX when Talbert chose the product, he said. VArmour has since rolled out Application Controller,* which performs a similar function.
"I've always been convinced that if we make [an app] more complex, we're going to make it less secure, with too many opportunities to overlook something," Talbert said.
ShieldX roadmap sets sights on container security
ShieldX container infrastructure support remains in development. ShieldX plans to release DevOps security support for containers through an integration with the Istio service mesh and Envoy proxy, according to its CEO, Ratinder Ahuja. ShieldX will also experiment with Linkerd integration.
"It will be a couple years before enterprises move to full Kubernetes environments," Ahuja said.
This is the case at Alaska Airlines, which has dabbled in Kubernetes and containers both on premises and in the cloud through the Azure Kubernetes Service. Most of the airline's container workloads are in test and development, and a small number of noncritical production applications run on containers.
"We're testing the waters, but we're all headed there," Alaska Airlines' Talbert said of the company's container strategy. "We expect ShieldX to be there right along with us."
Once ShieldX adds container support, Talbert said he'd like to see it expand further to support automated security policy distribution to edge devices such as employee workstations. In the meantime, Talbert's team will integrate edge security tools such as Carbon Black with the ShieldX API so that ShieldX can intercept attacks that emerge at the edge and target data centers.
*Information changed after publication