How Adobe uses microservices and containers to bolster security
Adobe operates many of its services in the cloud, bundled under its Creative Cloud, Document Cloud, and Marketing Cloud umbrellas. Service uptime is critical to the business, and some services have five-nines availability requirements. Because Adobe has been in acquisition mode in recent years, it needs an agile, rapid way to integrate newly acquired business operations.
To accomplish this, Adobe is focusing on DevOps automation and security agility. Its development teams understand the business case for and practice of DevOps. The Adobe security team is a big proponent of DevOps principles as well.
"Automation is key," Brad Arkin, chief security officer for Adobe, said during a keynote address at the Container Security Summit, hosted by Google, Intel, and Twistlock.
“We can’t afford to have dev and security teams that take months to go through a cycle. We are automating manual tasks across the board as much as we can, for both development and operations.” Indeed, part of Adobe’s digital transformation is modernizing the company's most fundamental business capability: software development.
Microservices, containers, and continuous integration and delivery have become critical tools in Adobe's digital transformation journey. "Microservices allow us to architect applications in a way that is resilient, adaptable, and portable to almost any infrastructure. This is the only way that can help us achieve broad-scale automation,” Arkin said.
Adobe is also a big believer in continuous integration (CI) and delivery; the company is rapidly modernizing all of its software build and delivery processes onto CI and continuous delivery (CD) platforms. Adobe Acrobat Document Cloud, for instance, uses a fully automated CD pipeline.
Considering that Arkin is ultimately responsible for securing more than a billion lines of code in the midst of Adobe's digital transformation, he's remarkably optimistic. “Despite the fact that some of these technologies have not been around for long, we are moving as fast as we can because the opportunity is so compelling,” he said.
It's an opportunity to reduce resource costs, improve infrastructure management, and make moving services across different clouds and platforms easier. Arkin feels strongly that the move to microservices and containers will ultimately allow his company to become safer. "Immutable infrastructure and better system manageability are positive changes to security operations that we must leverage to lower our risk profile and fundamentally change the security game," he said.
Moving it all to the cloud
Adobe was very much a desktop software company in the late 2000s. Server utilization wasn't top of mind for operations or company finance. With the transition to delivering its products as cloud-based services, corporate finance has become “incredibly mindful of the rate of data center utilization, cloud usage, and even scaling out models,” Arkin said.
“As the CSO, part of my job is to enable the business to make changes, manage them, measure the outcome, and monetize,” he said. His vision to achieve these goals is clear:
“We are committed to moving the Creative Cloud, Marketing Cloud, and Document Cloud onto the latest microservices architecture and container platforms to leverage the efficiency and flexibility these technologies bring.”
Migrating to the cloud has already enabled Arkin’s team to move its focus up the stack, from physical security to infrastructure and operations security, and ultimately to software and applications. The way he sees it, shrinking infrastructure into code has enabled his organization to better integrate secure development lifecycle (SDLC) practices into the way it manages infrastructure. That, he said, is a vast improvement over the traditional build-your-own, box-oriented infrastructure.
Arkin sees the move to microservices and containers as an innovation opportunity for both Adobe and his team. Adobe uses many different development methodologies and deployment models. As a result, it needs a wide array of security tools. As Adobe moves to microservices and CI/CD, Arkin expects to consolidate development platforms, which he believes will lead to a more uniform security layer and, ultimately, better SDLC efficiency.
But the benefits don't stop there.
“Software will never be perfect,” Arkin said. “What you want is an infrastructure that will allow you to deploy code into a controllable, auditable, and manageable environment, where a single incident can be quickly managed and [its] impact contained in a measurable and predictable way."
Arkin sees microservices and containers as the right infrastructure for enabling this controlled compartmentalization. "Another critical aspect, when you have this compartmentalization, is anomaly detection to quickly and accurately spot compromises,” he added.
Traditional anomaly detection is challenging because of the difficulty associated with determining a “normal” state. Because of this, Arkin likes the immutable, minimalistic nature of container technologies. “With containers, in a server environment with good hygiene, you have a far better chance of defining what the baseline normal is, and therefore a better chance of succeeding in anomaly detection," he said.
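The baseline idea above is concrete enough to show in code. The following is an added example, not Adobe's tooling: because an immutable image should only ever execute a known set of processes and write to a known set of paths, a per-image baseline can be declared up front, and any runtime event outside it is an anomaly by definition. The image names, baselines, and runtime events are all constructed for illustration; a real deployment would feed events from a runtime sensor rather than a hard-coded list.

```python
"""Baseline-driven anomaly detection for immutable containers (added example).

Assumptions (constructed for this example): image names, the per-image
baselines in BASELINES, and the runtime events in SAMPLE_EVENTS. In practice
the events would come from a container runtime sensor.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed baselines. With an immutable image, the processes it should run
# and the directories it should write to are known before it is deployed.
BASELINES: Dict[str, dict] = {
    "web-frontend:1.4.2": {
        "exec": {"nginx"},
        "writable": {"/var/log/nginx", "/var/cache/nginx", "/run"},
    },
    "doc-render:2.0.0": {
        "exec": {"python3", "gs"},  # render worker plus ghostscript
        "writable": {"/tmp", "/var/log/render"},
    },
}


@dataclass
class Event:
    container_id: str
    image: str
    kind: str    # "exec" or "write"
    target: str  # executable name for exec, absolute path for write


@dataclass
class Alert:
    container_id: str
    image: str
    reason: str


def _path_allowed(path: str, writable: Set[str]) -> bool:
    """True if path is one of the writable dirs or lies beneath one."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in writable)


def check_event(event: Event) -> Optional[Alert]:
    """Compare one runtime event against the baseline for its image."""
    baseline = BASELINES.get(event.image)
    if baseline is None:
        # An image with no declared baseline cannot be judged "normal" at all.
        return Alert(event.container_id, event.image, "no baseline for image")
    if event.kind == "exec" and event.target not in baseline["exec"]:
        return Alert(event.container_id, event.image,
                     f"unexpected process: {event.target}")
    if event.kind == "write" and not _path_allowed(event.target, baseline["writable"]):
        return Alert(event.container_id, event.image,
                     f"write outside writable set: {event.target}")
    return None


def detect(events: List[Event]) -> List[Alert]:
    """Return every event that deviates from its image's baseline."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed runtime events: two benign, then three that should be flagged.
SAMPLE_EVENTS = [
    Event("c1", "web-frontend:1.4.2", "exec", "nginx"),
    Event("c1", "web-frontend:1.4.2", "write", "/var/log/nginx/access.log"),
    Event("c1", "web-frontend:1.4.2", "exec", "sh"),             # shell in a web image
    Event("c1", "web-frontend:1.4.2", "write", "/usr/bin/foo"),  # write to image content
    Event("c2", "doc-render:2.0.0", "exec", "gs"),
    Event("c9", "legacy-app:latest", "exec", "java"),            # no baseline declared
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.container_id}] {alert.image}: {alert.reason}")
```

The point of the example is the shape of the baseline, not the detector: the allowlists are short because the image is minimal and immutable, which is exactly what makes the "normal" state definable. A mutable host with a package manager and interactive users would need a baseline orders of magnitude larger and still be wrong often.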
Compartmentalization and anomaly detection are just some of the bigger challenges that Adobe and other container adopters now face. Others include:
- Robust sandboxing and segregation. Organizations need to ensure strict segregation between containers or microservices components in order to prevent one compromised component from affecting others. It's essential to maintain robust isolation between containers running on the same host in order to limit the "impact radius."
- Maturing orchestration tools. The orchestration stack for microservices and containers is still evolving, and some of the more sophisticated capabilities do not yet exist. Complex deployment rules, taking into account context, identities, and application-specific information, are not yet possible with available orchestration tools.
- Stronger role-based controls into the new stack. Some emerging technologies do not have good support for handling roles and role segregation. Richer access-control frameworks are needed to support complex business environments with DevOps-style transactions, where development and test teams are touching production environments.
- Compliance. The Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), and other regulatory and compliance standards have not yet been translated into these new technology environments. It is not clear how an auditor today would assess a regulated application implemented in containers, for instance. We need clearer definitions of compliance requirements for these new environments.
“Compliance is a particularly important consideration,” Arkin said. “Standards bodies are usually silent about new technologies in the beginning. But you cannot wait for them to rework their guidance. As an innovator, you must start with interpreting how compliance requirements could be mapped to the new environments, proactively working with standards bodies and start innovating. You can't sit around and wait."
A perfect time to move forward
Like many IT innovators, Arkin is excited about the opportunity that containers and microservices bring. A modern development platform, immutable infrastructure, more automation, and fewer manual mistakes are just some of the benefits that he has seen at Adobe.
It's an exciting time for IT professionals. If you are up to trying new things, there are plenty of innovation opportunities for you to create a fundamental impact.
This article was originally published on TechBeacon.