Driven by the digital transformation of the financial industry, state-owned banks, joint-stock banks and commercial banks at all levels have also entered the process of containerization.

If running production workloads on a container cloud is the goal, the design, construction and optimization of the entire container cloud platform is a huge challenge for banks. How to make better use of cloud native technology to help banks achieve agile, lightweight, fast and efficient integration of development, testing, delivery and operations, so as to restructure business and promote the development of fintech, is a long-term issue.

In this financial cloud native talk, we will talk with you about how to build a secure cloud native platform.


Cloud native technologies, represented by containers and microservices, are both an opportunity and a challenge for the financial industry. The opportunity is that cloud native technology is helping banks innovate through differentiated business offerings and quickly win the favor of more users. The challenge is how the financial industry, which emphasizes security and stability more than any other, can maintain steady and fast business growth in a rapidly changing technological environment.

In recent years, more and more attention has been paid to the security of cloud native platforms in the financial industry. Security construction is crucial to the basic guarantee of high reliability and high performance for containers, but it is a very broad topic that touches every layer. It is not just passive defense and post-mortem analysis; it also means situational awareness and active defense, and it should be considered and planned as a whole.

  • What are the dimensions of container security?
  • How to start with container security protection practice?
  • How to avoid security problems throughout the whole life cycle of the containerization transformation?

I hope this article gives you some inspiration.

What are the dimensions of container security?

Docker and K8s will inevitably have vulnerabilities. Each vulnerability fix requires a large-scale cluster upgrade, and each upgrade may affect the containers running on top of it, which puts great pressure on the operation and maintenance of K8s. So how do we keep container platforms secure?

Based on the hierarchical architecture of the cloud native platform, we can look at this problem from the following four levels:

  • At the container and K8s level, the usual concerns are image security, container runtime security, container network security and permission security. Beyond these, attention can be paid to the K8s Pod Security Policy (PSP); note that PSP was removed in Kubernetes 1.25 and replaced by Pod Security Admission, so newer clusters enforce the same kind of pod restrictions through that mechanism.

  • At the platform level, cluster isolation, tenant security, user isolation, network ACLs, auditing, DevSecOps, NetworkPolicy, platform high availability and HTTPS access security are all provided by the platform itself. Vulnerabilities in the platform and its components need to be strictly screened by the vendor before release so that they can be dealt with effectively. During procurement, many customers will require the vendor to provide a security test report for each future version.

  • At the application level, DevSecOps provides security for applications during development. In addition, the platform provides high application availability, secure application access, cross-domain policies and high data availability to further ensure application security. For Internet-facing applications, it is generally recommended that front-end security devices provide WAF, anti-DDoS and anti-SQL-injection capabilities to further improve application security.

  • At the operation and maintenance level, an enhanced assurance service during peak periods can be used as another strategy to ensure the normal operation of the platform.

How to start with container security protection practice?

Cloud native security cannot be separated from container security. We recommend evaluating and practising container security from the following aspects:

1. Infrastructure layer security

  • Operating system security: First, the operating systems on the container cloud worker nodes must comply with security guidelines. Use firewalls, port blocking and other security measures. Apply routine system security updates and patches as soon as they become available so that hackers and intruders cannot exploit known vulnerabilities. Use a minimal operating system and reduce the attack surface by stripping out preinstalled components that the platform does not need. Use third-party security hardening tools to define access control for applications, processes and files on the system. Establish audit and logging processes to ensure that the operating systems used to build the platform are secure and compliant.

  • Network layer security: Isolate management-plane traffic and minimize port exposure.

  • Storage security: Take periodic snapshots and backups, and encrypt sensitive data.

2. Platform layer security

  • Security scan: For the container scheduling and management platform itself, implement a security baseline test and a platform security scan first.

  • Audit: Audit user operations at the platform level, and resource and operation changes at the project level;

  • Authorization: Implement permission control on the platform; authorization can be based on dimensions such as role, project or function;

  • Backup: Periodically back up platform data;

  • Inspection: Select platform products with automatic inspection capability.

3. Container security

  • Image security: Run the container as a non-root user, use secure base images, and periodically scan the images for security vulnerabilities.

  • Runtime security: This mainly refers to the security settings applied at the host level while the container platform is running, such as container privileges, privilege escalation, host PID, host IPC, host network, read-only file system and other restrictions. It is also recommended to restrict container access to host directories and to limit the container’s exposure on external network ports. Users can dedicate hosts to particularly sensitive projects to achieve service isolation.

  • Container network security: You can use NetworkPolicy templates to implement fine-grained container security policies based on IP addresses, ports and labels for all Pods and namespaces. At the same time, create subnets for the namespaces in a cluster, whitelist the traffic allowed between namespace subnets, and perform access control.
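
As an added illustration of the image and runtime controls listed above (example code written for this article, not a tool from any vendor or project), the following Python function audits a Kubernetes Pod manifest, already parsed into a dict, for host namespace sharing, privileged mode, privilege escalation, root user, writable root filesystem, hostPath volumes, hostPort exposure and unpinned image tags. The field names are the real PodSpec fields; both sample manifests are constructed for the example.

```python
"""Audit a Kubernetes Pod manifest for the runtime restrictions discussed above."""
from typing import Any, Dict, List

# Constructed sample manifests (hypothetical workloads, not taken from any real cluster).
WEAK_POD: Dict[str, Any] = {"metadata": {"name": "batch"}, "spec": {
    "hostPID": True, "hostNetwork": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "image": "internal/batch:latest",
                    "securityContext": {"privileged": True},
                    "ports": [{"containerPort": 8080, "hostPort": 8080}]}]}}

HARDENED_POD: Dict[str, Any] = {"metadata": {"name": "batch"}, "spec": {
    "containers": [{"name": "app", "image": "internal/batch:1.4.2",
                    "securityContext": {"runAsNonRoot": True, "privileged": False,
                                        "allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}},
                    "ports": [{"containerPort": 8080}]}]}}


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per violated control; an empty list means the Pod passes."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    for flag in ("hostPID", "hostIPC", "hostNetwork"):  # host namespace sharing
        if spec.get(flag):
            findings.append(f"pod shares {flag}")
    for vol in spec.get("volumes", []):  # direct access to host directories
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']} mounts hostPath {vol['hostPath']['path']}")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            findings.append(f"{c['name']}: privilege escalation not disabled")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{c['name']}: may run as root")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{c['name']}: root filesystem is writable")
        if ":" not in c.get("image", "") or c["image"].endswith(":latest"):
            findings.append(f"{c['name']}: image tag not pinned")
        for p in c.get("ports", []):  # ports bound directly on the node
            if "hostPort" in p:
                findings.append(f"{c['name']}: hostPort {p['hostPort']} exposed on node")
    return findings
```

Running `audit_pod` over a manifest loaded with `yaml.safe_load` gives the same checks on real files; the weak sample produces nine findings and the hardened one none.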

How to avoid security problems throughout the whole life cycle of the containerization transformation?

As we all know, the security problems that arise during a containerization transformation cannot be underestimated. From our observation, the container project failures seen in the industry over the past three years share a basic pattern: while a test business system was being migrated to the container platform, misoperations could not be handled by the operations team in a timely manner, which led business developers to question the stability and reliability of the container platform and eventually caused the project to fail.

Therefore, to avoid such security problems as much as possible, it is suggested that the existing operations system, security system and related tool platforms be connected first during the implementation of a container project, and that limited resources be focused on the security of the container platform on the basis of integrating it into the existing IT security system as a whole.

Moreover, there is a large technical gap between container operations and traditional operations and maintenance, so purchasing on-site services from professional technology vendors to handle security hardening and platform operations is also worth considering. Financial enterprises themselves can then focus on container platform training, application promotion and other IT value-generating work.

In conclusion, the security construction of a cloud native platform does not happen overnight; it is a process of continuous improvement, iteration and accumulation. It will later involve function planning, platform operation, upgrade implementation, security, application migration, service innovation, process design and a series of related issues. It is suggested that when financial enterprises purchase products and services, they adopt a project construction/service model with closer cooperation between Party A and Party B. Based on the financial enterprise’s own situation, security problems in the container transformation process can then be avoided in a targeted way, and the security construction of the financial cloud native platform realized smoothly and efficiently.

We believe that containers, as an important part of cloud native, will keep pace with the upsurge of cloud native development and move in a more secure and reliable direction.