
Three Rs of Security

Summary

Figure: The three Rs of security. Source: Devopedia.

Security is an important concern in all computer systems. This is more so with complex enterprise systems deployed on cloud infrastructure. An application composed of dozens of microservices running hundreds of containers across multiple nodes is hard to secure without good guiding principles.

The methodology of three Rs—Rotate, Repave and Repair—offers a simple approach towards greater security of your cloud deployments. The basic idea is to be both proactive (by taking precautions) and reactive (by quickly fixing problems). Speed is of the essence: the longer a deployment stays in a given configuration, the greater the opportunity for attackers to exploit any vulnerabilities in it.

Milestones

Apr
2016

Justin Smith, a security expert at Pivotal, blogs about the three Rs model. In May, he presents the model at the Cloud Foundry Summit in Silicon Valley. At about the same time, a news article on The New Stack names the three Rs as Cloud Foundry's security strategy.

Nov
2017

The three Rs model makes it to the Technology Radar of ThoughtWorks. They note that this is feasible because of cloud-native architectures. Apps must be designed to be resilient to failures.

Mar
2018

The use of the three Rs model at the network edges, including embedded or IoT devices, is discussed. Many devices are still being deployed with default passwords. Rotating credentials at the edge is a challenge.

Jun
2018

The three Rs model is presented at Devoxx Poland conference. This indicates a growing awareness of the model within the developer community.

Discussion

  • What problem does the three Rs model solve?
    Figure: Typical threats that the three Rs model attempts to mitigate. Source: Smith 2016b, slide 15.

    With DevOps, it's become possible to deliver software faster. Yet security is one aspect that's been slow to change. This is often seen in firewall rules, long-lived credentials, and hard-to-update databases. The choice is between moving quickly and accepting the associated risks, or moving slowly to mitigate them. Often, enterprises choose to move slowly.

    In 2016, the U.S. intelligence community identified cyberthreats as a greater threat than terrorism or traditional weapons of mass destruction. Enterprises are spending a lot on securing endpoints and networks. Yet Gartner's research shows that 70% of vulnerabilities are in the application layer.

    The basic premise of the three Rs model is that the more time you give attackers, the more opportunity they have to cause serious damage. So it's best to embrace change and move quickly. It's been said that,

    To get safer, you have to go faster, and that is the exact opposite of how organizations work today.

  • Could you explain each of the three Rs?
    Figure: Don't persist keys and certificates for a long time. Source: Deogun and Sawano 2018, slide 33.

    The three Rs of security are the following:

    • Rotate: Rotate datacenter credentials every few minutes or hours. Credentials could be passwords, certificates, access tokens, etc.
    • Repave: Repave every server and application in the datacenter every few hours from a known good state. Rather than patch a particular software, patch the whole stack. Destroy old VMs and containers and recreate from a known good state. Use rolling deployments to minimize downtime.
    • Repair: Repair vulnerable operating systems and application stacks consistently within hours of patch availability.

    The idea is to give attackers less time to snoop around and learn about your system. It's feasible to adopt the three Rs today because of cloud-native architectures and continuous deployments. In fact, it may no longer be a badge of honour to claim that your server has been running for years without a reboot. From a security perspective, it's better to limit the maximum uptime of a server.
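    As an added illustration (not code from the article, Pivotal or Cloud Foundry), the following Python sketch turns the three Rs into a policy check over a constructed node inventory: each R becomes an age threshold, and nodes due for a repave are grouped into rolling batches as the list above suggests. The thresholds, node names and timestamps are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Policy thresholds: assumed values for illustration, not from the article.
CREDENTIAL_TTL = timedelta(hours=1)   # Rotate: credentials older than this are due
MAX_UPTIME = timedelta(hours=6)       # Repave: nodes running longer than this are due
PATCH_SLA = timedelta(hours=24)       # Repair: a patch pending longer than this is due


@dataclass
class Node:
    name: str
    credential_issued_at: datetime
    booted_at: datetime
    # When a patch for the node's current stack became available; None if fully patched.
    patch_available_since: Optional[datetime] = None


def due_actions(node: Node, now: datetime) -> Set[str]:
    """Return which of the three Rs the policy requires for one node right now."""
    actions = set()
    if now - node.credential_issued_at >= CREDENTIAL_TTL:
        actions.add("rotate")
    if node.patch_available_since and now - node.patch_available_since >= PATCH_SLA:
        actions.add("repair")
    if now - node.booted_at >= MAX_UPTIME:
        actions.add("repave")
    return actions


def rolling_repave_batches(nodes: List[Node], now: datetime, batch_size: int) -> List[List[str]]:
    """Group nodes due for a repave into batches so only batch_size are rebuilt at a time."""
    due = [n.name for n in nodes if "repave" in due_actions(n, now)]
    return [due[i:i + batch_size] for i in range(0, len(due), batch_size)]


# Constructed inventory for the example; timestamps are relative to a fixed clock.
NOW = datetime(2018, 12, 12, 12, 0)
NODES = [
    Node("web-1", NOW - timedelta(minutes=30), NOW - timedelta(hours=2)),
    Node("web-2", NOW - timedelta(hours=3), NOW - timedelta(hours=2)),
    Node("db-1", NOW - timedelta(minutes=10), NOW - timedelta(hours=7), NOW - timedelta(hours=2)),
    Node("db-2", NOW - timedelta(hours=5), NOW - timedelta(hours=40), NOW - timedelta(hours=30)),
]

if __name__ == "__main__":
    for node in NODES:
        print(f"{node.name}: {sorted(due_actions(node, NOW)) or ['nothing due']}")
    print("repave batches:", rolling_repave_batches(NODES, NOW, batch_size=1))
```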

  • How are the three Rs of security related to DevOps?

    DevOps is a combination of people, processes and tools that enables teams to deliver software faster. Teams don't work in silos. A DevOps workflow that includes security is what we call DevSecOps. DevSecOps attempts to include security concerns at all stages of a development workflow.

    The three Rs model may be seen as a subset of DevSecOps. Security at the application layer can never be perfect. The solution is to mitigate the risks during operations. DevOps already includes a wealth of tools and automation. These can be used to implement the three Rs model.

References

  1. Amazon AWS. 2018. "What is DevOps?" Accessed 2018-12-12.
  2. Dasika, Kamala. 2017. "Cloud-Native Security: Going Upstack From the 3 Rs." Blog, Pivotal, May 1. Accessed 2018-12-12.
  3. Deogun, Daniel and Daniel Sawano. 2018. "Creating secure software - benefits from cloud thinking." Devoxx Poland, June. Accessed 2018-12-12.
  4. Jackson, Joab and Lee Calcote. 2016. "Cloud Foundry’s Security Strategy: Rotate, Repair, Repave." The New Stack, May 24. Accessed 2018-12-12.
  5. Smith, Justin. 2016a. "The Three Rs of Enterprise Security: Rotate, Repave, and Repair." Built to Adapt, Pivotal, April 20. Accessed 2018-12-12.
  6. Smith, Justin. 2016b. "Security & Cloud Foundry." Cloud Foundry Summit, Silicon Valley, May 23-25. Accessed 2018-12-12.
  7. ThoughtWorks. 2017. "Technology Radar: Vol. 17." November. Accessed 2018-12-12.
  8. Vijayan, Jaikumar. 2017. "6 DevSecOps best practices: Automate early and often." TechBeacon, December 13. Accessed 2018-12-12.
  9. Vincent, Joe. 2018. "Innocent mistakes, huge security holes – Thats the story for IoT and edge until something changes…" Blog, Zededa, March 12. Accessed 2018-12-12.


Further Reading

  1. Smith, Justin. 2016a. "The Three Rs of Enterprise Security: Rotate, Repave, and Repair." Built to Adapt, Pivotal, April 20. Accessed 2018-12-12.
  2. Smith, Justin. 2016c. "Cloud Native Security: Rotate, Repair, Repave." Pivotal Software, on YouTube, August 19. Accessed 2018-12-12.
  3. Deogun, Daniel and Daniel Sawano. 2018. "Creating secure software - benefits from cloud thinking." Devoxx Poland, June. Accessed 2018-12-12.

Top Contributors

Last update: 2018-12-12 12:13:49 by arvindpdmn
Creation: 2018-12-11 15:00:09 by arvindpdmn

Cite As

Devopedia. 2018. "Three Rs of Security." Version 3, December 12. Accessed 2019-01-22. https://devopedia.org/three-rs-of-security