The document discusses cloud-native application architectures and how they enable speed, safety, and scale through approaches like twelve-factor applications and microservices. It outlines the cloud-native stack and where governance is needed to secure different components like code, orchestration tools, containers, services, and infrastructure. The document argues that while cloud-native approaches are well-suited for technology companies, traditional enterprises face challenges in fully adopting these architectures due to differences in priorities, skills, and scale.

1. Apcera Confidential
Hector Tapia
Principal Solutions Consultant
Securing the Cloud-Native Stack

2. Software as a competitive advantage
Lots of people talk about these companies and use them as examples on how innovation
disrupts the marketplace
• What does this innovative companies have in common?
• Speed of innovation
• Always-available services
• Web Scale
• Device-centric user experiences
• Recover from failures quick
Cloud-native application architectures
are key to enable the business model
that allowed these companies to obtain
their disruptive character.
2

3. Why Cloud-Native Application Architectures?
Speed Safety Scale

4. Cloud Native Applications are Architected Differently
Two common examples of Cloud-Native Applications are:
Twelve-factor Applications & MicroServices
• Every integrationpoint will eventually fail one time or another
• Be prepared to handle all kind of failures
• All functionality is publishedand consumed via Web Services
• Designedfor Scale Out
• Break down the task, process requests asynchronously
• Use messaging to decouple functionality
• Eventual consistency model
• Build stateless services that can be scaled out and load balancedStateless Model
Asynchronous Processing
Horizontal Scalability
Handling Failures
Services
Two common examples of Cloud-Native Applications are:
Twelve-factor Applications & MicroServices
4

5. • Codebase: One codebase tracked in revision control,many deploys
• Dependencies: Explicitly declare and isolate dependencies
• Config: Store config in the environment
• Backing Services: Treat backing services as attached resources
• Build, release, run: Strictly separate build and run stages
• Processes: Execute the app as one or more stateless processes
• Port Binding: Export services via port binding
• Concurrency:Scale out via a process model
• Disposability: Maximize robustness with fast startup and graceful shutdown
• Dev/Prod parity: Keep development, staging, and productionas similar as possible
• Logs: Treat logs as event streams
• Admin processes: Run admin/managementtasks as one-off process
The twelve-factor app is a collection of patterns for Cloud-Native Application
Architectures
5

6. 6
MicroServices
Is a way of designing software
applications as suites of
independently deployable
services
Wall-E CopyrightDisney/Pixar

7. • New requirements for Developers and Operations
• Fast, tested, fail safe, small changes continuously deployed to production
• Measure, share visibility and provide feedback of users to business, continuously.
• Small experiments, test assumptions, fail fast and learn!
How to get Cloud-Native?
7

8. 8
Most build software for Innovation and Differentiation
75% By 2020, 75% of Application
Purchases supporting digital
business will be “Build”, not “Buy”.
Forecast Analysis: Enterprise Application
Software, Worldwide, 2Q15 Update

9. But innovation doesn’t come without risk
Recent Hack Attacks
9

10. Programing languages frameworks and libraries that comprise applications
Code deployment pipelines, automation and configuration management frameworks,
container and infrastructure management
Tools which automatically run and manage jobs, containers and hosts in a cluster
Tools enabling an application or service to discover information about its environment
and other components needed to form a larger system
Specification and execution engine for operating system level virtualization for running
multiple isolated Linux systems
Lightweight operating system to manage compute resources necessary to deploy
application in containers
Emulated physical compute, network and storage resources that are the basis for
Cloud-based architectures
Physical servers, switches, routers and storage arrays that occupy the Datacenter
Code
Workflow / Management
Orchestration: Scheduling & Cluster
Management
Service Discovery
Container Engine
Minimal OS
Virtual Infrastructure
Physical Infrastructure
Tools
Infrastructure
{
{
The Cloud-Native Stack - Taxonomy
10

11. Programing languages frameworks and libraries that comprise applications
Code deployment pipelines, automation and configuration management frameworks,
container and infrastructure management
Tools which automatically run and manage jobs, containers and hosts in a cluster
Tools enabling an application or service to discover information about its environment
and other components needed to form a larger system
Specification and execution engine for operating system level virtualization for running
multiple isolated Linux systems
Lightweight operating system to manage compute resources necessary to deploy
application in containers
Emulated physical compute, network and storage resources that are the basis for
Cloud-based architectures
Physical servers, switches, routers and storage arrays that occupy the Datacenter
Code
Workflow / Management
Orchestration: Scheduling & Cluster
Management
Service Discovery
Container Engine
Minimal OS
Virtual Infrastructure
Physical Infrastructure
The Cloud-Native Stack - Where it has to be secured?
• Authentication
mechanism
• Policy changes
• Resource usage
(Memory, CPU, IO)
• Networking (Ingress &
Egress)
• Service user
• Data use
• Staging pipelines
• Package selection
• Execution location
• Workload deployment
and changes
How Much {
Who {
What {
Which {
Where {
11

12. Not everybody is ready, not everything is Cloud-Native
Cloud Native Originated in Customer-facing Tech Companies
12
Customer-Facing Tech
• Spend 20%+ of revenue on R&D
• Employ highly paid developers
• Internet-scale
• Technology is their business
Traditional Enterprises
• Spend 2-4% of revenue on R&D
• Employ “normal” people
• Enterprise-scale
• Thousands of apps
• Technology seen as a tax

13. There are many places in the New Cloud Native Architecture where Governance is needed
Load Balancer
HTTP/S & TCP
Router
Order Management
UI
Browse Products UI
Account
Management UI
Checkout UI
Customer Profile
Service
Catalog Service
Order Service
Payment Service
DB
DB
ESB / ETL
13

14. There are many places in the New Cloud Native Architecture where Governance is needed
Load Balancer
HTTP/S & TCP
Router
Order Management
UI
Browse Products UI
Account
Management UI
Checkout UI
Customer Profile
Service
Catalog Service
Order Service
Payment Service
DB
DB
ESB / ETL
What Users and IP
addresses can come
into the Cluster?
What Packages can
be used to deploy to
Production?
What Docker images
can be used? What
Repositories?
What workload can
communicate with
other workloads?
Which workloads
can egress? What
external services?
What services can
the workload bind
to?
What resources can each workload
have? Where can they be scheduled?
14

15. apcera.com nats.io kurma.io
docs.apcera.com
We are hiring!