
Techniques

Sidecars for endpoint security

NOT ON THE CURRENT EDITION
This blip is not on the current edition of the radar. If it was on one of the last few editions it is likely that it is still relevant. If the blip is older it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the radar.
Nov 2019
Trial

Many of the technical solutions we build today run in increasingly complex multi-cloud or hybrid-cloud environments made up of multiple distributed components and services. In this setting, we apply two security principles from the start of implementation: zero trust networking, never trust the network and always verify; and the principle of least privilege, granting only the minimum permissions needed to perform a specific job. Sidecars for endpoint security is a common technique for implementing these principles: it enforces security controls at the endpoint of each component, for example the APIs of services, data stores and Kubernetes control interfaces. We implement this with an out-of-process sidecar, a running process or container that shares the same execution context, host and identity as the component it protects. Open Policy Agent and Envoy are tools for implementing this technique. Sidecars for endpoint security shrink the trusted footprint to the local endpoint rather than the entire network. Finally, we prefer that the team responsible for the endpoint owns the configuration of the sidecar's security policy, rather than a separate centralized team.

May 2018
Assess

Microservices architecture, with a large number of services exposing their assets and capabilities through APIs and an increased attack surface, demands a zero trust security architecture — ‘never trust, always verify’. However, enforcing security controls for communication between services is often neglected, due to increased service code complexity and lack of libraries and language support in a polyglot environment. To get around this complexity, some teams delegate security to an out-of-process sidecar — a process or a container that is deployed and scheduled with each service sharing the same execution context, host and identity. Sidecars implement security capabilities, such as transparent encryption of the communication and TLS (Transport Layer Security) termination, as well as authentication and authorization of the calling service or the end user. We recommend you look into using Istio, linkerd or Envoy before implementing your own sidecars for endpoint security.
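The Nov 2019 entry names the two principles (zero trust, least privilege) and the May 2018 entry names the sidecar capabilities (transparent mTLS, TLS termination, authentication and authorization of the calling service). The following Istio configuration, an added example that is not part of the Radar page or of the Istio project's own documentation, shows how both land in sidecar-enforced policy. The namespace `orders`, the workloads `orders-api` and `inventory-api`, their service accounts and the path `/inventory/*` are assumed for illustration; the resource kinds, fields and the `cluster.local/ns/<ns>/sa/<sa>` principal format are Istio's.

```yaml
# Added example (not from the Radar page): Istio resources that turn the two
# principles into policy enforced by each workload's Envoy sidecar.
# Namespace "orders", workloads "orders-api"/"inventory-api" and the
# path "/inventory/*" are assumed for illustration.
#
# 1. Zero trust: every workload in the namespace must present a valid
#    workload certificate. The sidecar terminates mutual TLS, so plaintext
#    callers, wherever on the network they come from, are rejected before
#    the request reaches the service process.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: orders
spec:
  mtls:
    mode: STRICT
---
# 2. Least privilege, step one: an AuthorizationPolicy with an empty spec
#    matches every workload in the namespace and allows nothing, giving a
#    default-deny baseline for all endpoints at once.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: orders
spec: {}
---
# 3. Least privilege, step two: open exactly what this endpoint needs.
#    The caller is identified by the service-account principal in its
#    certificate (verified by the sidecar in step 1), not by source IP, and
#    it is granted read access to one path only. Owned by the team that
#    owns inventory-api, since the resource lives in their namespace.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: inventory-api-allow-orders
  namespace: orders
spec:
  selector:
    matchLabels:
      app: inventory-api
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/orders/sa/orders-api"]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/inventory/*"]
```

Apply the file with `kubectl apply -f`. Two practical caveats: because step 2 denies everything not explicitly allowed, any health-check, metrics or ingress path the endpoint legitimately serves needs its own ALLOW rule, so roll the deny-all out namespace by namespace and watch the sidecar's access logs for unexpected `RBAC: access denied` responses; and the `principals` match only works when the caller itself runs with a sidecar that presents a workload certificate, which is exactly the trust boundary the page describes, trust in the local endpoint's verified identity rather than in the network.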

Nov 2017
Assess

Microservices architecture, with a large number of services exposing their assets and capabilities through APIs and an increased attack surface, demands a zero trust security architecture — ‘never trust, always verify’. However, enforcing security controls for communication between services is often neglected, due to increased service code complexity and lack of libraries and language support in a polyglot environment. To get around this complexity, some teams delegate security to an out-of-process sidecar — a process or a container that is deployed and scheduled with each service sharing the same execution context, host and identity. Sidecars implement security capabilities, such as transparent encryption of the communication and TLS (Transport Layer Security) termination, as well as authentication and authorization of the calling service or the end user. We recommend you look into using Istio, linkerd or Envoy before implementing your own sidecars for endpoint security.