NEW TECH: Alcide introduces a “microservices firewall” as a dynamic ‘IaaS’ market takes shape

By Byron V. Acohido

As a tech reporter at USA TODAY, I wrote stories about how Google fractured Microsoft’s Office monopoly, and then how Google clawed ahead of Apple to dominate the global smartphone market.

Related: A path to fruition of ‘SecOps’

And now for Act 3, Google has thrown down the gauntlet at Amazon, challenging the dominant position of Amazon Web Services in the fast-emerging cloud infrastructure global market.

I recently sat down with Gadi Naor, CTO and co-founder of Alcide, to learn more about the “microservices firewall” this Tel Aviv-based security start-up is pioneering. However, in diving into what Alcide is up to, Gadi and I segued into a stimulating discussion about this latest clash of tech titans. Here are key takeaways:

Google’s Kubernetes play

First some context. Just about every large enterprise today relies on software written by far-flung third-party developers, who specialize in creating modular “microservices” that can get mixed and matched and reused inside of software “containers.” This is how companies have begun to scale the delivery of cool new digital services — at high velocity.

The legacy ‘on-premises’ data centers enterprises installed 10 to 20 years ago are inadequate to support this new approach. Thus, digital infrastructure is being shifted to cloud computing platforms, up to and including so-called “serverless” services, with AWS blazing the trail and Microsoft Azure and Google Cloud in hot pursuit.

Microservices and containers have been around for a long while, to be sure. Google, for instance, has long made use of the equivalent of microservices and containers, internally, to scale the development and deployment of the leading-edge software it uses to run its businesses. Then on June 7, 2014, Google released Kubernetes – Greek for helmsman – to the open source software community. Think of Kubernetes as a building block that orchestrates myriad containers, each typically running a single microservice, with one service often spread across many replicated containers.

Challenging AWS

The search giant’s generosity in externalizing this operational know-how to the open source community should be commended. But Google also had an ulterior motive. Naor explained that Google saw “an opportunity to build Kubernetes into an application delivery vehicle that would be used to onboard customers onto Google Cloud and generate business for them . . . They took what they had, rebuilt it and handed it off to the Cloud Native Computing Foundation. So now it was out of the hands of Google, even though they’ve remained one of the biggest supporters of Kubernetes.”

No need to dive into the technical weeds to divine Google’s underlying intent. “This is part of a five- to eight-year journey, with Kubernetes being the first stop,” Naor told me. “The next is a new open source project, called Istio, which is a new service mesh layer . . . and beyond that is a project called Knative, to be released in August. Knative is basically a serverless programming model built on top of Istio, which is built on top of Kubernetes.”

In short, Google-backed Kubernetes, Istio and Knative are to AWS and AWS Lambda – Amazon’s serverless computing offering – what Google Apps was to Microsoft Office and what Android was to iOS.

Gartner estimates that the global Infrastructure-as-a-Service (IaaS) market will grow from $40.8 billion in 2018 to $83.5 billion in 2021. Some marquee tech vendors, led by VMware and IBM, are aligning with Google and have already announced backing for Knative.

Security void

So where does security fit into all of this? As this tectonic shift from on-premises data centers to multiple cloud platforms unfolds, Google, Amazon and Microsoft – and their respective ecosystems of partners – must come up with a fresh paradigm for dealing with the attendant security threats.

The core challenge is the same as it has always been: to balance productivity gains and user trust. Tech vendors and their enterprise customers want to leverage distributed architectures and multiple cloud platforms to the hilt. But they must also find a way to dial in the proper amount of resiliency to cyber exposures, or risk losing public trust. And this must happen with complexity going through the roof.

“At the end of the day, Dev and DevOps, not IT, are the ones driving adoption of these new technologies,” Naor told me. “This has created a gap, or a void, in the sense that you have Dev and DevOps swimming in parallel lanes, delivering small pieces to fit the bigger picture, and they’re not always security-minded; they’re there to drive product velocity.

“Yet, every company needs to be aware of the potential for data loss, even as the combination of Dev, DevOps and Security creates a lot of friction. The question is, ‘How do you get everything into harmony, where all the parties are actually happy?’”

Alcide’s microservices firewall seeks to be one piece of a much larger puzzle that needs to take shape. Instead of a static perimeter wall around the data center, what Alcide has come up with is, as I understand it, sort of a protective jacket around each individual microservice, one that gets more robust over time.

“We attach policies as part of the build-process of the microservice,” Naor told me. “And essentially it propagates with the deployment lifecycle of the microservice. So if you deploy the microservice to a test environment, and you have our security agent, we apply the policies. And we create a microservice-level perimeter around it. On top of that, we have machine learning-based technology that is tailor made for microservices.”

Alcide’s innovation

Naor went on to explain that Alcide’s machine learning component is directed at Application Programming Interfaces, or APIs. These are the interfaces through which one microservice calls another, and through which the containers running those services, and the tooling around them, talk to Kubernetes itself.

In short, the number of APIs is vast and keeps growing, and the number of transactions between APIs, on any given day, is orders of magnitude greater than the number of APIs exposed in corporate environments. Each API represents an attack vector, which suggests that each API transaction ought to be accounted for.

“We have a patent pending technology that reads these signals in a certain way, folds them into the notion of what a microservice is, and then analyzes this data and projects something that’s explainable to the end user,” Naor said. “We give the end user something actionable to respond to and to remediate.”
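To make the two ideas above concrete, here is an added example that is not Alcide’s code and does not reproduce their patent-pending technology: a call policy declared per microservice (Naor’s “microservice-level perimeter”), checked against every service-to-service API transaction in a log so that each one is accounted for, with the violations grouped by reason so the output is explainable. The service names, routes and key=value log format are constructed for the example, and the baseline step is a plain allowlist learned from a trusted run, standing in for whatever model a real product would use.

```python
# Added example (not Alcide's code): a per-service call policy, declared with
# the service and checked against observed service-to-service API transactions.
# Service names, routes and the log format below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Route = Tuple[str, str]  # (HTTP method, path)


@dataclass(frozen=True)
class Policy:
    """The microservice-level perimeter: who may call this service, and on which routes."""
    service: str
    allowed_callers: FrozenSet[str]
    allowed_routes: FrozenSet[Route]


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    method: str
    path: str
    reason: str


# Constructed policies, of the kind that would be declared alongside each
# service's build and travel with it from the test environment to production.
POLICIES: Dict[str, Policy] = {
    "orders": Policy("orders", frozenset({"web"}),
                     frozenset({("GET", "/orders"), ("POST", "/orders")})),
    "payments": Policy("payments", frozenset({"orders"}),
                       frozenset({("POST", "/charge")})),
}

# Constructed access-log lines, one API transaction each, in a simple key=value form.
SAMPLE_LOG = [
    "src=web dst=orders method=GET path=/orders status=200",
    "src=web dst=orders method=POST path=/orders status=201",
    "src=orders dst=payments method=POST path=/charge status=200",
    "src=web dst=payments method=POST path=/charge status=403",   # caller not allowed
    "src=web dst=orders method=GET path=/admin/dump status=200",  # undeclared route
    "src=orders dst=ledger method=GET path=/balance status=200",  # no policy attached
]

REQUIRED_FIELDS = ("src", "dst", "method", "path")


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'k=v k=v ...' into a dict; tokens without '=' are dropped rather than crashing the audit."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def check_transaction(policies: Dict[str, Policy], src: str, dst: str,
                      method: str, path: str) -> Optional[Finding]:
    """Return a Finding explaining why the call violates the destination's policy, or None if allowed."""
    policy = policies.get(dst)
    if policy is None:
        return Finding(src, dst, method, path, f"no policy attached to service {dst}")
    if src not in policy.allowed_callers:
        return Finding(src, dst, method, path, f"{src} is not an allowed caller of {dst}")
    if (method, path) not in policy.allowed_routes:
        return Finding(src, dst, method, path, f"{method} {path} is not a declared route of {dst}")
    return None


def audit(policies: Dict[str, Policy], log_lines: Iterable[str]) -> List[Finding]:
    """Account for every transaction in the log; collect the ones the policies do not explain."""
    findings: List[Finding] = []
    for line in log_lines:
        f = parse_line(line)
        if not all(k in f for k in REQUIRED_FIELDS):
            findings.append(Finding("?", "?", "?", "?", f"unparseable log line: {line!r}"))
            continue
        finding = check_transaction(policies, f["src"], f["dst"], f["method"], f["path"])
        if finding is not None:
            findings.append(finding)
    return findings


def learn_policies(baseline_lines: Iterable[str]) -> Dict[str, Policy]:
    """Build policies from a trusted baseline (e.g. a test-environment run): every observed
    (caller, route) pair becomes allowed. A plain allowlist, not a learned model."""
    callers: Dict[str, Set[str]] = {}
    routes: Dict[str, Set[Route]] = {}
    for line in baseline_lines:
        f = parse_line(line)
        if not all(k in f for k in REQUIRED_FIELDS):
            continue  # a malformed baseline line must not silently widen the policy
        callers.setdefault(f["dst"], set()).add(f["src"])
        routes.setdefault(f["dst"], set()).add((f["method"], f["path"]))
    return {dst: Policy(dst, frozenset(callers[dst]), frozenset(routes[dst])) for dst in callers}


def summarize(findings: Iterable[Finding]) -> Counter:
    """Group findings by reason so the output is actionable per service rather than per event."""
    return Counter(f.reason for f in findings)


if __name__ == "__main__":
    for finding in audit(POLICIES, SAMPLE_LOG):
        print(f"{finding.src} -> {finding.dst} {finding.method} {finding.path}: {finding.reason}")
```

Two caveats a practitioner would add: an allowlist learned from a test run is only as trustworthy as that run (anything an attacker or a misconfiguration got into the baseline becomes “allowed”), and a check like this over logs is detection after the fact; the enforcement half of a microservice perimeter in Kubernetes is a network policy applied by a CNI that actually honours it.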

Alcide also would like its tool to be routinely used to create a feedback loop — to the developer who wrote the microservice code in the first place. The developer could then contribute to remediation; or, at the very least, learn something from the vulnerability to apply in future iterations.

“We want to have a feedback loop that resonates with the workflows these new architectures deliver,” Naor told me. “Think about it: development is happening in parallel lanes, at different deployment velocities — and with all the moving parts, getting everything together is extremely difficult.

“Kubernetes is an extremely powerful building block, but it is also complex and it’s really easy to get things wrong. So this is where we come in.”

I came away from this conversation with a few more dots connected; and feeling incrementally more encouraged about the cybersecurity community’s tilt towards baking in the level of security we’ll need. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
