Written by Mia Villarreal and David Zendzian
In an era where digital infrastructure forms the backbone of modern enterprises, security and resilience of applications is not just a priority, it's imperative. Regardless of the size of the organization or company, there are five core functions of a robust cybersecurity program as outlined by the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
The burning question still remains: how do you achieve these outcomes? This blog will introduce the main security outcomes you can expect when deploying your applications on Tanzu Platform along with how you can implement them in your organization. For more details, dive into the Security Outcomes with Tanzu Platform whitepaper for an in-depth look into security on Tanzu Platform. Download the whitepaper here.
Understanding the Landscape: The Need for Comprehensive Security
The cloud native computing era has accelerated application modernization efforts and fundamentally changed the application development and deployment process. Software is treated as an asset with direct impact on business processes, customer engagement, and revenue growth.
Along with fundamentally changing the way software is built and released, cloud native computing has also introduced new vulnerabilities and attack vectors, making cybersecurity a critical concern for DevOps professionals, IT security experts, and platform engineers.
With this in mind, we’ve baked in security-enhancing capabilities into our flagship VMware Tanzu Platform, a modern application platform made for organizations navigating the complexities of cybersecurity, offering a continuous security approach to safeguarding applications on-prem or in the cloud. Tanzu Platform not only addresses these essential cybersecurity requirements but also enhances an organization's security posture with innovative features and integrations.
Let’s dive deeper into what it takes to achieve these five main security outcomes and how you can implement them in your organization.
Identify: Mapping the Terrain
At the outset, understanding the organization's context is crucial for managing cybersecurity risk effectively. Assets must be accurately identified and prioritized to ensure that protective measures align with potential impact areas.
Tanzu Platform aids in this process through advanced asset management capabilities that provide a comprehensive inventory and control over software platforms and applications. It does this through mapping the business intended state deployment and Tanzu Platform monitors and maintains the declared state for all Application Instances, VMs, and VM configurations.
Protect: Fortifying Defenses
The Protect function encompasses the strategies and technologies employed to shield critical services from cybersecurity events or incidents. Among the many protective measures, identity management, and access control (PR.AC), data security (PR.DS), and information protection (PR.IP) are integrated and supported in the Tanzu Platform environment.
Access control and management of credentials is a critical step in the 3Rs and a foundation of the Tanzu Platform. In addition to deploying applications, Tanzu Platform can also manage service deployments such as databases and message queues. With the service deployments, a component within Tanzu Platform called credhub creates and manages credentials and certificates necessary for service binding and platform operations. With the platform handling credential creation, rotation, and management for applications and service risks in application access control are handled automatically by the platform and do not need to be shared directly with any developers or operators.
Another critical component of access control is the management of access to the Tanzu Platform platform for those operators managing it and developers and teams managing the applications deployed within the platform. The platform can be configured for both sets of users to leverage corporate federated access controls and supports segmented access for both operators through the OpsMan management interface and application teams through spaces and orgs which provide logical segmentation between applications on the platform.
figure 1 - Multiple levels within the platform where permissions can be assigned.
In addition to the underlying storage being encrypted, application data stores that hold sensitive data should also have their own encryption mechanisms, to ensure only authorized people and services can access the data.
The Tanzu Platform operates on Tanzu-provided ephemeral images that not only provide transparent and continuous upgrades to the platform, but the container runtime has been hardened and restricted to a level that protects each individual application instance in addition to the underlying VM foundation.
From integrating with centralized identity systems and services to encrypting data at rest and in transit, Tanzu Platform equips enterprises with the tools needed to safeguard their digital assets proactively.
Detect: The Art of Vigilance
With the increasing sophistication of cyber threats, the ability to detect anomalies and events in real time can make or break an organization. Tanzu Platform enhances an organization's surveillance capabilities through security continuous monitoring (DE.CM), monitoring for unauthorized files, scanning for virus, providing runtime application network controls, having a robust logging egress platform, and vulnerability detection as well as other business and security capabilities. These features ensure that potential threats are identified swiftly, allowing you to apply security patches and platform updates with near-zero downtime.
On the Cloud Foundry Weekly podcast, the team did a deep-dive into the facets of security around Cloud Foundry and the Tanzu Platform and shared the steps needed to ensure your platform is running as securely as possible. Check it out for more information surrounding real-world examples of security postures.
Respond: Swift and Decisive Action
In the wake of a detected cybersecurity incident, the ability to respond effectively can mean the difference between a minor hiccup and a catastrophic breach. Tanzu Platform streamlines communications and analysis, providing actionable insights for containing and mitigating the impact of incidents.
If the incident was part of an application buildpack such as was the case with Log4j, or on the stemcell that builds the platform VMs, Tanzu provides continuous and rapid updates. Repaving—a process of rebuilding the platform and applications—is a critical strategy for eliminating vulnerabilities and thwarting attackers' efforts.
When a security update is available, the Tanzu Platform through either platform automation or manual updates repaves the platform foundation or application deployments. If the application is designed for replication and resilience, then this upgrade can be transparent with zero down time.
In the case of log4j, Tanzu had a manual patch available for customers within hours and an official patch within the day, including the multiple additional findings and patches that followed the initial patch. The largest Tanzu Platform platforms were fully patched within hours and at most within a day or two.
Recover: Restoring Normalcy
Post-incident recovery processes are crucial for minimizing downtime and restoring normal operations. Tanzu Platform supports these efforts through its robust backup and recovery capabilities, enabling organizations to rebuild infrastructure, restore platforms, and redeploy applications efficiently. While it is crucial to focus on the backup and recovery plans of application data, Tanzu's framework lays a solid foundation for implementing thorough recovery strategies.
From Theory to Practice
Implementing a comprehensive security strategy requires a holistic understanding of the underlying framework and the ability to leverage the right tools and technologies. Tanzu Platform stands as an exemplary platform that aligns with the NIST Cybersecurity Framework and through inherent platform controls and architectural configurations support other industry frameworks such as PCI, FFIEC, OSI and others, offering a structured approach to achieving critical security outcomes.
For DevOps, security experts, and platform engineers, Tanzu Platform offers improved operational efficiency, reliability, and strong protection against cybersecurity threats. Integrating Tanzu Platform as your platform to build, run, and manage modern applications in your platform enables a harmonious balance of agility, performance, and security. You can sleep easy at night knowing your applications are operating seamlessly while being protected against potential threats.
Our comprehensive whitepaper on "Security Outcomes with Tanzu Platform" delves deeper into these themes, offering insights and actionable strategies to secure your applications effectively. Whether you are in the process of modernizing your apps or looking to enhance your cybersecurity posture, understanding and implementing the principles outlined in our whitepaper can set your organization on the path to security excellence.
The digital landscape continues to evolve, and with it, the cybersecurity landscape shifts. Staying ahead of these changes requires not just vigilance but also a commitment to employing best-in-class tools and frameworks that can adapt to emerging threats. Tanzu Platform continues to leverage existing tools and components in this ongoing battle, offering a comprehensive, structured approach to securing applications in the modern enterprise.
