According to NIST SP 800-204, developing a microservices-based application typically needs to address security concerns from a stack of layers such as hardware, virtualization, cloud, communication, service/application, and orchestration. Which of the following is most unique to microservices-based applications? (Wentz QOTD)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Communication.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
The following is an excerpt from NIST SP 800-204:
Six layers are present in the deployment stack of a typical microservices-based application as suggested in: hardware, virtualization, cloud, communication, service/application, and orchestration. This document considers these layers to be threat sources, and several of the security concerns affiliated with them are described below to provide an overview of the threat background in a microservices-based application. It is important to remember that many of the possible threats are common to other application environments and not specific to a microservices-based application environment.
• Hardware layer: Though hardware flaws, such as Meltdown and Spectre, have been reported, such threats are rare. In the context of this document, hardware is assumed to be trusted, and threats from this layer are not considered.
• Virtualization layer: In this layer, threats to microservices or hosting containers originate from compromised hypervisors and the use of malicious or vulnerable container images and VM images. These threats are addressed in other NIST documents and are therefore not discussed here.
• Cloud environment: Since virtualization is the predominant technology used by cloud providers, the same set of threats to the virtualization layer applies. Further, there are potential threats within the networking infrastructure of the cloud provider. For example, hosting all microservices within a single cloud provider may result in fewer network-level security controls for inter-process communication as opposed to controls for communication between external clients and the microservices hosted within the cloud. Security threats within a cloud infrastructure are considered in several other NIST documents and are therefore not addressed here.
• Communication layer: This layer is unique to microservices-based applications due to the sheer number of microservices, adopted design paradigms (loose coupling and API composition), and different interaction styles (synchronous or asynchronous) among them. Many of the core features of microservices pertain to this layer, and the threats to these core features are identified under microservices-specific threats in Sec. 3.2.
• Service/application layer: In this layer, threats are the results of malicious or faulty code. As this falls under secure application development methodologies, it is outside of the scope of this document.
• Orchestration layer: An orchestration layer may come into play if the microservices implementation involves technologies such as containers. The threats in this layer pertain to the subversion of automation or configuration features, especially related to scheduling and clustering of servers, containers, or VMs hosting the services, and are therefore beyond the scope of this document.
- NIST SP 800-204
According to NIST SP 800-204, developing a microservices-based application typically needs to address security concerns from a stack of layers such as hardware, virtualization, cloud, communication, service/application, and orchestration. Which of the following is most unique to microservices-based applications? (Wentz QOTD)
A. Virtualization
B. Communication
C. Service/application
D. Orchestration