
Sidecars for endpoint security

Last updated : Nov 20, 2019
Not on the current edition
This blip is not on the current edition of the Radar. If it was on one of the last few editions it is likely that it is still relevant. If the blip is older it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the Radar.
Nov 2019
Trial: Worth pursuing. It is important to understand how to build up this capability. Enterprises should try this technology on a project that can handle the risk.

Many of the technical solutions we build today run in increasingly complex polycloud or hybrid-cloud environments with multiple distributed components and services. In these circumstances we apply two security principles early in implementation: zero trust networking, never trust the network and always verify; and the principle of least privilege, granting only the minimum permissions needed to perform a particular job. Sidecars for endpoint security are a common technique for implementing these principles, enforcing security controls at the endpoint of every component, for example the APIs of services, data stores and the Kubernetes control interface. We implement this with an out-of-process sidecar: a running process or container that shares the same execution context, host and identity as the component it protects. Open Policy Agent and Envoy are tools that implement this technique. Sidecars for endpoint security shrink the trusted footprint to the local endpoint rather than the whole network. Finally, we prefer that the team responsible for the endpoint, not a separate centralized team, owns the configuration of the sidecar's security policy.
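The following is an added example, not code from the Radar or from Open Policy Agent or Envoy, that models the sidecar behaviour described above: caller identity is taken from the verified mTLS peer certificate (SPIFFE-style URIs are assumed), the policy is a default-deny allow-list owned by the endpoint team, and the sidecar sits in front of the upstream handler. The workload identities, paths and policy are constructed for illustration.

```python
"""Toy endpoint-security sidecar: mTLS-derived identity, default-deny per-endpoint policy."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
import fnmatch


@dataclass(frozen=True)
class Request:
    # SAN URI from the verified client certificate; None means the peer did not present mTLS.
    peer_spiffe_id: Optional[str]
    method: str
    path: str


@dataclass(frozen=True)
class Rule:
    principal: str            # exact workload identity that is allowed (least privilege: no wildcards)
    methods: frozenset         # HTTP methods granted to that principal
    path_glob: str            # paths granted, matched with fnmatch


@dataclass
class EndpointPolicy:
    """Allow-list owned by the team that owns the endpoint; anything not listed is denied."""
    rules: List[Rule] = field(default_factory=list)

    def allows(self, req: Request) -> bool:
        if req.peer_spiffe_id is None:   # zero trust: an unauthenticated network peer is never trusted
            return False
        return any(
            r.principal == req.peer_spiffe_id
            and req.method in r.methods
            and fnmatch.fnmatch(req.path, r.path_glob)
            for r in self.rules
        )


def sidecar(policy: EndpointPolicy, upstream: Callable[[Request], Tuple[int, str]]):
    """Wrap the upstream handler so every request is authorized before it reaches the service."""
    def handle(req: Request) -> Tuple[int, str]:
        if not policy.allows(req):
            return 403, "denied by sidecar policy"
        return upstream(req)
    return handle


# Constructed sample: the orders endpoint lets only the checkout workload read orders.
ORDERS_POLICY = EndpointPolicy([
    Rule("spiffe://example.org/ns/shop/sa/checkout", frozenset({"GET"}), "/orders/*"),
])


def orders_upstream(req: Request) -> Tuple[int, str]:
    return 200, f"order data for {req.path}"


orders = sidecar(ORDERS_POLICY, orders_upstream)
```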

May 2018
Assess: Worth exploring with the goal of understanding how it will affect your enterprise.

Microservices architecture, with a large number of services exposing their assets and capabilities through APIs and an increased attack surface, demands a zero trust security architecture — ‘never trust, always verify’. However, enforcing security controls for communication between services is often neglected, due to increased service code complexity and lack of libraries and language support in a polyglot environment. To get around this complexity, some teams delegate security to an out-of-process sidecar — a process or a container that is deployed and scheduled with each service sharing the same execution context, host and identity. Sidecars implement security capabilities, such as transparent encryption of the communication and TLS (Transport Layer Security) termination, as well as authentication and authorization of the calling service or the end user. We recommend you look into using Istio, linkerd or Envoy before implementing your own sidecars for endpoint security.

Nov 2017
Assess: Worth exploring with the goal of understanding how it will affect your enterprise.


Published : Nov 30, 2017