Many of the technical solutions we build today run in increasingly complex multi-cloud or hybrid-cloud environments made up of many distributed components and services. In this setting we apply two security principles from the start of an implementation: zero trust networking, that is, never trust the network and always verify; and the principle of least privilege, granting only the minimum permissions needed to perform a specific job. Sidecars for endpoint security is a common technique for implementing these principles: security controls are enforced at the endpoint of every component, for example the APIs of services, data stores and Kubernetes control interfaces. It is implemented with an out-of-process sidecar, a running process or container that shares the same execution context, host and identity as the component it protects. Open Policy Agent and Envoy are tools commonly used to implement this technique. Sidecars for endpoint security shrink the trusted footprint to the local endpoint rather than the entire network. Finally, we want the team responsible for an endpoint, not a separate centralized team, to own the configuration of that sidecar's security policy.
Microservices architecture, with a large number of services exposing their assets and capabilities through APIs and an increased attack surface, demands a zero trust security architecture: ‘never trust, always verify’. However, enforcing security controls for communication between services is often neglected, because it increases service code complexity and libraries and language support are lacking in a polyglot environment. To get around this complexity, some teams delegate security to an out-of-process sidecar, a process or a container that is deployed and scheduled with each service and shares the same execution context, host and identity. Sidecars implement security capabilities such as transparent encryption of the communication and TLS (Transport Layer Security) termination, as well as authentication and authorization of the calling service or the end user. We recommend you look into using Istio, Linkerd or Envoy before implementing your own sidecars for endpoint security.
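The two paragraphs above describe what the sidecar actually decides at an endpoint: who the calling service is, and whether that caller is allowed to do this particular thing, with everything else denied. The following is an added example, not code from the radar entry, Envoy or Open Policy Agent, of that decision in plain Python, shaped like the check an Envoy sidecar hands to an external authorization service. It assumes the sidecar terminates mutual TLS and forwards the verified client certificate as Envoy's `x-forwarded-client-cert` (XFCC) header with a SPIFFE URI SAN; the trust domain, service names, paths and policy table are constructed for the example.

```python
"""Endpoint-local authorization of the kind a security sidecar performs.

Added example: deny-by-default policy keyed on the caller's verified SPIFFE ID.
Assumptions (not from the radar text): Envoy terminates mTLS in front of this
service and forwards the peer certificate details in x-forwarded-client-cert.
"""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass

# Trust domain of our workload identities (assumed value).
TRUST_DOMAIN = "spiffe://cluster.local"

# Policy for THIS endpoint, owned by the team that owns the service (constructed).
# caller SPIFFE ID -> allowed (METHOD, path prefix) pairs. Nothing else is allowed,
# which is the least-privilege / zero-trust default.
POLICY: dict[str, set[tuple[str, str]]] = {
    "spiffe://cluster.local/ns/shop/sa/checkout": {
        ("GET", "/inventory"),
        ("POST", "/inventory/reserve"),
    },
    "spiffe://cluster.local/ns/shop/sa/reporting": {
        ("GET", "/inventory"),
    },
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# key=value pairs separated by ';' within one certificate element, elements
# separated by ','; values may be double-quoted when they contain ',' or ';'.
_XFCC_PAIR = re.compile(r'\s*([A-Za-z]+)=("(?:[^"\\]|\\.)*"|[^;,]*)\s*([;,]?)')


def parse_xfcc(header: str) -> list[dict[str, str]]:
    """Parse Envoy's x-forwarded-client-cert header into one dict per certificate."""
    certs: list[dict[str, str]] = [{}]
    for key, value, sep in _XFCC_PAIR.findall(header):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        certs[-1][key] = value
        if sep == ",":  # a new proxy element starts after a comma
            certs.append({})
    return [c for c in certs if c]


def peer_identity(xfcc_header: str | None) -> str | None:
    """SPIFFE ID of the immediate peer, or None if absent or outside our trust domain.

    Each proxy appends its own element, so the LAST element is the one written by
    our sidecar. This only holds if nothing but that sidecar can reach this check,
    otherwise a caller could forge the header.
    """
    certs = parse_xfcc(xfcc_header or "")
    if not certs:
        return None
    uri = certs[-1].get("URI", "")
    if not uri.startswith(TRUST_DOMAIN + "/"):
        return None
    return uri


def normalize_path(path: str) -> str:
    """Drop the query string and collapse '.' / '..' so prefix checks cannot be bypassed."""
    path = path.split("?", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/"))


def authorize(method: str, path: str, xfcc_header: str | None) -> Decision:
    """Allow only if the verified caller has an explicit grant for this method and path."""
    ident = peer_identity(xfcc_header)
    if ident is None:
        return Decision(False, "no verified peer identity")
    grants = POLICY.get(ident)
    if not grants:
        return Decision(False, f"no policy for {ident}")
    norm = normalize_path(path)
    for allowed_method, prefix in grants:
        if method.upper() == allowed_method and (norm == prefix or norm.startswith(prefix + "/")):
            return Decision(True, f"{ident} granted {allowed_method} {prefix}")
    return Decision(False, f"{ident} not granted {method.upper()} {norm}")


if __name__ == "__main__":
    # Constructed header as Envoy would forward it for a checkout-service caller.
    xfcc = ('By=spiffe://cluster.local/ns/shop/sa/inventory;Hash=0123abcd;'
            'Subject="CN=checkout,O=shop";URI=spiffe://cluster.local/ns/shop/sa/checkout')
    for req in [("GET", "/inventory/items?sku=42", xfcc),
                ("DELETE", "/inventory/items", xfcc),
                ("GET", "/inventory/../admin", xfcc),
                ("GET", "/inventory/items", None)]:
        print(req[:2], authorize(*req))
```

The policy lives beside the service and is evaluated next to it, so the only thing trusted is the sidecar's own mTLS verification, not the network the request arrived from. In a real deployment this check would sit behind Envoy's external authorization filter or be written as an OPA policy, but the shape is the same: identify the caller from the verified certificate, normalize the request, and deny unless a grant for that caller exists.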