As enterprises increasingly rely on the cloud and containers to make their business function, software development is undergoing explosive changes for the sake of productivity, agility, and scale. As part of that, DevOps and DevSecOps have created controlled, easily deployable, and secure, automated development-to-production processes that enable multiple software updates per day with less risk.

For companies heading down this path, it is essential to build the pipeline around Zero Trust principles. Without it, current network security concepts in the cloud won’t function properly, according to Kurt Glazemakers, CTO of secure access provider Appgate.

“Because enterprise network security relies on static firewall rules that can only be updated in maintenance windows after a change approval process, securely deploying applications in an automated way will not work in dynamic cloud environments,” he explained in a recent blog post.

Glazemakers wrote that most cloud environments come with built-in concepts like security groups and container service meshes that allow automatic network security provisioning as part of service deployments.

These mechanisms might work well for simple applications but lose their power as soon as you make a connection to or from various regions, clouds, or technology stacks. For example, he wrote, there is no interoperability between different cloud vendors’ security groups or between different Kubernetes clusters.

“The fallback results in reverting to network ACLs to filter IP addresses over intercloud connectivity (SD-WAN/IPSEC/MPLS) which is problematic when ephemeral workloads are used that change IP addresses constantly or when multiple services share the same cluster IP,” Glazemakers explained.

The solution to these problems is Zero Trust Network Access (ZTNA).

To that end, the company has developed new Kubernetes access control security for Appgate SDP, enabling customers to accelerate Zero Trust security for the cloud by protecting cloud-native workloads. This new capability builds on the company’s efforts to protect traditional cloud workloads with its ZTNA solution.

Kubernetes—an open-source platform for managing containerized workloads and services—is a key tool driving cloud-native development. The number of developers using Kubernetes has grown by 67% in 2021, and the global container and Kubernetes security market is predicted to reach $8.24 billion by 2030, up from $714 million in 2020. The new Appgate SDP capability is deployed natively within a Kubernetes cluster as a sidecar, which allows organizations to use Zero Trust principles to control service-to-service access across Kubernetes clusters. This enables them to manage and enforce which microservices can communicate with which critical resources, regardless of location or implementation technologies.

“As organizations worldwide focus on developing cloud-native applications, they need a means to easily and effectively secure containerized workloads,” said Jawahar Sivasankaran, president and chief operating officer of Appgate. “This new capability microsegments services from each other, giving organizations control over service-to-service access. This reduces the attack surface, minimizing a bad actor’s ability to move laterally across microservice architectures in an organization’s environment.”

In his blog post, Glazemakers outlined five ways ZTNA improves automated CI/CD pipelines:

A 100% software-driven approach. This allows secure communication between services, independent of technology stacks.

Business-driven network security. With ZTNA, policies are typically managed at a business-driven level, not at the network layer. So, security teams control overall policies aligned to business definitions and ZTNA automatically translates them into the right network access controls.

Secure access to the session, not the entire network. By applying security directly to a session, secure tunnels are created between services to enforce security on each individual connection. This makes it easy to change, test and scale.

Real-time security based on identity and context. ZTNA uses strong identity controls, such as service certificates, to identify the service and define what it can access based on matching higher-level security policies. Besides identity, service attributes like tags, location and role can be included to feed the policy decision.

Full audit trails. With ZTNA, every service connection is audited with the matching policy and service attributes, making it easy to provide detailed audit logs for development versus production environments.
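As an added illustration (not Appgate's code and not part of the original article), the Python sketch below models the points listed above and the ephemeral-IP problem Glazemakers describes earlier: a default-deny decision keyed on a certificate-derived service identity plus role, tags and location, with an audit record written for every decision. The SPIFFE-style identifiers, policy names, tags and IP addresses are all constructed for this example, and the identity is taken as already extracted from a certificate rather than parsed from real X.509.

```python
import json
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class ServiceIdentity:
    """What a ZTNA broker knows about a calling service.

    spiffe_id stands in for the subject of a service certificate (constructed
    SPIFFE-style URI SAN; a real deployment would validate the X.509 chain).
    The IP address is kept for the audit trail only and never consulted by the
    decision, which is why the policy survives workloads changing addresses.
    """
    spiffe_id: str
    role: str
    location: str
    tags: FrozenSet[str]
    ip: str


@dataclass(frozen=True)
class Policy:
    """A business-level rule: which role may reach which resource, under what attributes."""
    name: str
    source_role: str
    destination: str
    required_tags: FrozenSet[str] = frozenset()
    allowed_locations: Optional[FrozenSet[str]] = None  # None means any location


@dataclass(frozen=True)
class Decision:
    allowed: bool
    policy: Optional[str]  # name of the granting policy, if any
    reason: str


def evaluate(policies: List[Policy], src: ServiceIdentity, dst: str) -> Decision:
    """Default-deny: allow only when some policy matches identity and attributes."""
    reasons = []
    for p in policies:
        if p.destination != dst or p.source_role != src.role:
            continue
        if not p.required_tags <= src.tags:
            reasons.append(f"{p.name}: missing tags {sorted(p.required_tags - src.tags)}")
            continue
        if p.allowed_locations is not None and src.location not in p.allowed_locations:
            reasons.append(f"{p.name}: location {src.location} not permitted")
            continue
        return Decision(True, p.name, "identity and attributes matched")
    return Decision(False, None, "; ".join(reasons) or f"no policy covers role {src.role} -> {dst}")


def audit_record(src: ServiceIdentity, dst: str, decision: Decision) -> dict:
    """One audit line per connection attempt, carrying the policy and the attributes used."""
    return {
        "source": src.spiffe_id,
        "source_ip": src.ip,
        "role": src.role,
        "location": src.location,
        "tags": sorted(src.tags),
        "destination": dst,
        "allowed": decision.allowed,
        "policy": decision.policy,
        "reason": decision.reason,
    }


# Constructed policies and identities for the demonstration.
POLICIES = [
    Policy("payments-to-ledger", source_role="payments", destination="ledger-db",
           required_tags=frozenset({"env:prod"}),
           allowed_locations=frozenset({"eu-west", "eu-central"})),
    Policy("web-to-metrics", source_role="web", destination="metrics"),
]
PAYMENTS = ServiceIdentity("spiffe://example.internal/ns/prod/sa/payments-api",
                           "payments", "eu-west", frozenset({"env:prod", "pci"}), "10.0.1.17")
PAYMENTS_MOVED = replace(PAYMENTS, ip="10.0.1.99")          # same workload, new address
PAYMENTS_STAGING = replace(PAYMENTS, tags=frozenset({"env:staging"}), ip="10.0.9.3")
FRONTEND = ServiceIdentity("spiffe://example.internal/ns/prod/sa/frontend",
                           "web", "us-east", frozenset({"env:prod"}), "10.0.2.5")


def main() -> None:
    attempts = [(PAYMENTS, "ledger-db"), (PAYMENTS_MOVED, "ledger-db"),
                (PAYMENTS_STAGING, "ledger-db"), (FRONTEND, "ledger-db"), (FRONTEND, "metrics")]
    for src, dst in attempts:
        print(json.dumps(audit_record(src, dst, evaluate(POLICIES, src, dst))))


if __name__ == "__main__":
    main()
```

The point of the PAYMENTS_MOVED case is that an address change leaves the decision untouched, whereas an IP-keyed ACL would have needed a rule update; the staging and frontend cases show tag and role mismatches being refused and explained in the audit line rather than silently dropped.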

More information on Appgate's new Kubernetes access control security for Appgate SDP can be found here.