Enterprise DevOps for Architects

Product type: Book
Published in: Nov 2021
Reading level: Beginner
Publisher: Packt
ISBN-13: 9781801812153
Edition: 1st Edition

Author: Jeroen Mulder

Jeroen Mulder is a certified enterprise and security architect, and he works with Fujitsu (Netherlands) as a Principal Business Consultant. Earlier, he was a Sr. Lead Architect, focusing on cloud and cloud-native technology, at Fujitsu, and was later promoted to Head of Applications and Multi-Cloud Services. Jeroen is interested in cloud technology, architecture for cloud infrastructure, serverless and container technology, application development, and digital transformation using various DevOps methodologies and tools. He has previously authored “Multi-Cloud Architecture and Governance”, “Enterprise DevOps for Architects”, and “Transforming Healthcare with DevOps4Care”.
Chapter 15: Implementing Zero Trust Architecture

Digital transformation is the new paradigm in enterprises. Enterprises are adopting data-driven architectures and using more and more native services in the cloud and, through this, accelerating the development of their products and services. Under this pressure, security has to keep up and be sure that environments, in a lot of cases even mission-critical environments, remain resilient. This is the domain of zero trust.

This chapter explains what zero trust is and why it is important to DevOps. Zero trust assumes that everything inside a corporate network must be secured, and that includes the DevOps pipelines. Some of the technologies used in zero trust environments are service meshes and microservices, a topic that we will discuss in the final section of this chapter.

After completing this chapter, you will have learned what zero trust means and the impact it has on DevOps. You will have learned how microservices and secure service...

Understanding zero trust principles

Zero trust really means zero trust, for starters. The principles of zero trust have gained a lot of traction in IT security over the past few years, and for a good reason. Attacks don't just come from the outside, but also from the internal networks in enterprises. Zero trust advocates that any user, or rather every identity, is authenticated, regardless of whether the user is inside or outside the enterprise's network. When authenticated, the user must be validated against security policies and authorized before access to applications is granted. Data access should only be granted through verified applications to which users are authenticated and authorized.

Before we learn how this would work in DevSecOps, and particularly in Continuous Integration/Continuous Deployment (CI/CD) pipelines, we need to have a deeper look at the principles of zero trust.

Zero trust starts with knowing who's in the enterprise's network. There...

Architecting for zero trust security

With a good understanding of the concept of zero trust, we can define architectures that apply the principles of zero trust. The following guidelines will help define the architecture. Some of these principles might be obvious, and others may lead to constraints in the way developers develop and deploy applications. But, at the end of the day, we need to be sure that the enterprise assets are secured:

  • Assess and analyze all access controls. Strict policies on IAM must be in place. Least privilege must be part of those policies. This is the backbone of zero trust according to the National Institute of Standards and Technology (NIST). They defined a set of principles for zero trust architectures, all involving the way enterprises handle IAM. The key principle is to have a single source of identities. In most cases, enterprises will use Active Directory (AD) for this. In short, any user or identity must be known to AD.
  • Next, there must...
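The first guideline above asks for least privilege to be part of every IAM policy and for access controls to be assessed. The following script is an added example, not code from the book: it reviews policy documents written in the AWS IAM JSON policy format (the format itself is real; the two sample policies, bucket and function names and the account id are constructed placeholders) and flags the grants that contradict least privilege, so that a pipeline role can be checked before it is deployed.

```python
"""Least-privilege review of IAM-style policy documents.

Added example, not code from the book: it walks the statements of policies
written in the AWS IAM JSON policy format and flags the patterns that
contradict least privilege (wildcard actions, service-wide wildcards,
wildcard resources, NotAction/NotResource grants). The two sample policies
are constructed for this example; the account id and names are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    policy: str   # name of the policy document reviewed
    sid: str      # statement id (or a generated one when Sid is absent)
    issue: str    # what violates least privilege


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(name: str, document: dict) -> list[Finding]:
    """Return one Finding per over-broad grant in an Allow statement."""
    findings: list[Finding] = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        sid = stmt.get("Sid", f"Statement{idx}")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "*" in actions:
            findings.append(Finding(name, sid, "grants every action (Action: *)"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                service = action.split(":", 1)[0]
                findings.append(Finding(name, sid, f"grants every {service} action ({action})"))
        if "*" in resources:
            findings.append(Finding(name, sid, "applies to every resource (Resource: *)"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(Finding(name, sid, "NotAction/NotResource grants everything not listed"))
    return findings


# Constructed sample: the "just make the pipeline admin" shortcut.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PipelineAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "BucketAdmin", "Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-build-artifacts/*"},
    ],
}

# Constructed sample: the same deploy role scoped to what the pipeline actually does.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadArtifacts", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-build-artifacts/*"},
        {"Sid": "DeployFunction", "Effect": "Allow", "Action": ["lambda:UpdateFunctionCode"],
         "Resource": "arn:aws:lambda:eu-west-1:123456789012:function:example-api"},
    ],
}


def review_all(policies: dict[str, dict]) -> dict[str, list[Finding]]:
    """Review several named policies; an empty list means no least-privilege findings."""
    return {name: review_policy(name, doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in review_all({"broad": BROAD_POLICY, "scoped": SCOPED_POLICY}).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.sid}] {f.issue}")
```

The broad policy produces three findings (two for the admin statement, one for the service-wide `s3:*`), the scoped one none. A check like this belongs in the pipeline that creates or updates the roles, so that a wildcard grant fails the build rather than reaching the account.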

Including microservices in architecture

DevOps is about gaining higher productivity with faster releases of code. DevOps teams can focus on specific tasks and code that is designed to only perform that task. They develop the code independently from other services to increase focus, the speed of delivery, and customer experience. Security principles are applied to these services and continuously validated by means of automated scanning. DevOps by default uses a distributed architecture, in contrast with monolithic architectures where systems are designed and built as a whole. In DevOps, the architecture will be driven by microservices: an application is defined as a collection of independent services that will communicate with each other over specified protocols. The following figure shows the principle of microservices:

Figure 15.1 – Principle of microservices

In terms of security, we can assume that microservice architectures are more secure than monolith...

Integrating zero trust in pipelines

In the previous sections, we discussed the principles of zero trust architectures and how microservices can help us with zero trust. Next, we learned how we can have microservices interact by means of a secure service mesh. In this section, we will learn how we can achieve this with containerized applications and using cloud services that we target from CI/CD pipelines. Platforms such as AWS and Azure offer solutions for this, and we will discuss these solutions.

First, we need to understand how we add security to a service mesh. One way to do this is with sidecars. Explained in a very simple way, a sidecar is a point in a container cluster where security postures are inserted. You could envisage it as a main road where cars are driving. A car carrying specific security policies comes from a side road and inserts itself in the line of cars on the main road. However, the point where this happens is fixed.
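The zero trust sequence described earlier (authenticate every identity, validate it against policy, authorize, then grant access) and the sidecar described here as the fixed point where security postures are inserted can be shown together in code. The following is an added example, not the book's code and not tied to any particular mesh product: it models what a sidecar proxy does for every inbound call before the request reaches the application container. The SPIFFE-style identity URIs, the service names, the rules and the requests are all constructed for the example; in a real mesh the caller identity comes from the mTLS client certificate the sidecar terminates.

```python
"""Sidecar as the fixed policy enforcement point in front of a microservice.

Added example, not the book's code and not tied to a particular mesh product:
it models what a sidecar proxy does for every inbound call before the request
reaches the application: (1) authenticate, by requiring a peer identity that
in a real mesh comes from the mTLS client certificate; (2) authorize against
explicit allow rules, default deny; (3) record the decision for monitoring.
Identities use SPIFFE-style URIs; services, rules and requests are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Request:
    caller: Optional[str]  # workload identity from the client cert; None = no cert presented
    method: str
    path: str


@dataclass(frozen=True)
class Rule:
    source: str            # calling workload identity
    methods: frozenset     # HTTP methods allowed
    path_prefix: str       # paths allowed


@dataclass
class Sidecar:
    workload: str
    rules: list[Rule]
    audit: list[tuple] = field(default_factory=list)  # (decision, caller, method, path, detail)

    def handle(self, req: Request) -> tuple[int, str]:
        """Return (status, message); 200 means the call was forwarded to the app."""
        # Step 1: authenticate. No peer identity means the caller cannot be trusted.
        if req.caller is None:
            return self._deny(req, "unauthenticated: no peer certificate")
        # Step 2: authorize against explicit rules; anything not listed is denied.
        for rule in self.rules:
            if (rule.source == req.caller
                    and req.method in rule.methods
                    and req.path.startswith(rule.path_prefix)):
                self.audit.append(("allow", req.caller, req.method, req.path, rule.path_prefix))
                return 200, f"{self.workload}: forwarded {req.method} {req.path}"
        return self._deny(req, "no rule allows this caller/method/path")

    def _deny(self, req: Request, reason: str) -> tuple[int, str]:
        # Step 3: every denial is recorded so a monitoring sidecar can raise it.
        self.audit.append(("deny", req.caller, req.method, req.path, reason))
        return 403, f"{self.workload}: denied ({reason})"


# Constructed identities and policy for a payments service.
CHECKOUT = "spiffe://example.org/ns/shop/sa/checkout"
REPORTING = "spiffe://example.org/ns/shop/sa/reporting"


def build_payments_sidecar() -> Sidecar:
    return Sidecar(
        workload="payments",
        rules=[
            Rule(CHECKOUT, frozenset({"POST"}), "/charges"),   # checkout may create charges
            Rule(REPORTING, frozenset({"GET"}), "/charges"),   # reporting may only read them
        ],
    )


def denied_calls(sidecar: Sidecar) -> list[tuple]:
    """The audit entries a monitoring sidecar would forward as security events."""
    return [entry for entry in sidecar.audit if entry[0] == "deny"]


if __name__ == "__main__":
    sc = build_payments_sidecar()
    for req in (Request(CHECKOUT, "POST", "/charges"),
                Request(REPORTING, "POST", "/charges"),
                Request(None, "GET", "/charges"),
                Request(CHECKOUT, "GET", "/refunds")):
        print(sc.handle(req))
    print("denied:", denied_calls(sc))
```

The application behind the sidecar never sees the three denied calls, which is the point of inserting the posture at a fixed place: the service code stays focused on its task while authentication, authorization and logging are applied uniformly to every service in the mesh.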

There are various tools that offer a...

Summary

In this chapter, we first studied the principles of zero trust architecture, and we learned that DevOps teams need to adhere to these principles too. Zero trust starts by knowing exactly who may access code repositories, and knowing that builds can only be deployed to strictly contained network segments so that other services are not impacted. Next, we learned that microservices architecture can serve DevOps really well. They allow independent development and deployment of features in code without affecting other services.

We learned that microservices are a secure type of architecture. The challenge, however, is to establish interaction between these microservices. We studied service mesh as a solution for that and learned how to integrate security postures as a containerized microservice, using the technology of sidecar proxies. We learned that sidecars can be used to insert secure services and monitoring next to our microservices.

In the final section, we introduced...

Questions

  1. What basic rule do we apply with respect to the privileges of accounts in a zero trust environment?
  2. What type of service do we use to insert separate containers with security postures next to application containers?
  3. What does AWS offer to enable service mesh?