Three Rs of Security
Security is an important concern in all computer systems. This is even more so with complex enterprise systems deployed on cloud infrastructure. An application composed of dozens of microservices running hundreds of containers across multiple nodes is hard to secure without good guiding principles.
The methodology of three Rs—Rotate, Repave and Repair—offers a simple approach towards greater security of your cloud deployments. The basic idea is to be proactive rather than reactive, as is typical of traditional enterprise security. Speed is of the essence. The longer a deployment stays in a given configuration, the greater the opportunity for attackers to exploit any vulnerabilities.
Discussion
- What problem does the three Rs model solve?
With DevOps, it's become possible to deliver software faster. Yet security is one aspect that's been slow to change. This is often seen in firewall rules, long-lived credentials, and hard-to-update databases. The choice is between moving quickly and accepting the associated risks, or moving slowly to mitigate risk. Often, enterprises choose to move slowly.
In 2016, the U.S. intelligence community identified cyberthreats as a greater threat than terrorism or traditional weapons of mass destruction. Enterprises are spending a lot on securing endpoints and networks. Yet, Gartner's research shows that 70% of vulnerabilities are in the application layer.
The basic premise of the three Rs model is that the more time you give attackers, the more opportunity they get to cause serious damage. So it's best to embrace change and move quickly. It's been said that,
To get safer, you have to go faster, and that is the exact opposite of how organizations work today.
- Could you explain each of the three Rs?
The three Rs of security are the following:
- Rotate: Rotate datacenter credentials every few minutes or hours. Credentials could be passwords, certificates, access tokens, etc.
- Repave: Repave every server and application in the datacenter every few hours from a known good state. Rather than patch a particular software, patch the whole stack. Destroy old VMs and containers and recreate from a known good state. Use rolling deployments to minimize downtime.
- Repair: Repair vulnerable operating systems and application stacks consistently within hours of patch availability.
The idea is to give attackers less time to snoop around and learn about your system. It's feasible to adopt the three Rs today due to cloud-native architectures and continuous deployments. In fact, it may no longer be a badge of honour to claim that your server has been running for years without a reboot. From a security perspective, it's better to limit the maximum uptime of a server.
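The three Rs above are time-bound rules, so the natural way to operate them is as a policy that is evaluated continuously against an inventory of running workloads. The following is an added example, not code from the page or from Pivotal/Cloud Foundry: it defines a hypothetical Workload record and Policy thresholds, flags every workload whose credential age, instance uptime or unapplied-patch age exceeds the Rotate, Repave or Repair limit, and groups the instances due for repave into rolling batches so that only a few are recreated at once. The inventory, timestamps and thresholds are constructed sample data.

```python
"""Three Rs policy check: Rotate, Repave, Repair (constructed example, not from the page)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Workload:
    """One running unit (VM or container). All timestamps are UTC. Hypothetical record layout."""
    name: str
    credential_issued: datetime          # issue time of the credential it currently holds
    instance_created: datetime           # when it was last (re)created from a known good image
    patch_available: Optional[datetime]  # when a fix for a known flaw in its stack shipped; None if nothing pending
    patched: bool = False                # whether that fix has been applied


@dataclass(frozen=True)
class Policy:
    """Thresholds for the three Rs (assumed values, tune per environment)."""
    rotate_every: timedelta   # maximum credential age
    repave_every: timedelta   # maximum instance uptime before recreation from a known good state
    repair_within: timedelta  # maximum time from patch availability to patch applied


Finding = Tuple[str, str, timedelta]  # (workload name, rule violated, how far overdue)


def evaluate(workloads: List[Workload], policy: Policy, now: datetime) -> List[Finding]:
    """Return one finding per violated rule, in inventory order."""
    findings: List[Finding] = []
    for w in workloads:
        # Rotate: the credential has outlived its allowed lifetime.
        cred_age = now - w.credential_issued
        if cred_age > policy.rotate_every:
            findings.append((w.name, "rotate", cred_age - policy.rotate_every))
        # Repave: the instance has been up longer than the maximum uptime.
        uptime = now - w.instance_created
        if uptime > policy.repave_every:
            findings.append((w.name, "repave", uptime - policy.repave_every))
        # Repair: a fix exists, has not been applied, and the repair window has passed.
        if w.patch_available is not None and not w.patched:
            waited = now - w.patch_available
            if waited > policy.repair_within:
                findings.append((w.name, "repair", waited - policy.repair_within))
    return findings


def rolling_repave_plan(findings: List[Finding], batch_size: int) -> List[List[str]]:
    """Split workloads flagged for repave into batches so at most batch_size are recreated at once."""
    names = sorted({name for name, rule, _ in findings if rule == "repave"})
    return [names[i:i + batch_size] for i in range(0, len(names), batch_size)]


# Constructed reference time, policy and inventory (not real data).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
POLICY = Policy(rotate_every=timedelta(hours=1),
                repave_every=timedelta(hours=24),
                repair_within=timedelta(hours=48))
INVENTORY = [
    Workload("api-1", NOW - timedelta(minutes=20), NOW - timedelta(hours=3), None),
    Workload("api-2", NOW - timedelta(hours=5), NOW - timedelta(hours=30), None),
    Workload("db-1", NOW - timedelta(minutes=50), NOW - timedelta(days=40), NOW - timedelta(days=3), False),
    Workload("cache-1", NOW - timedelta(hours=2), NOW - timedelta(hours=26), NOW - timedelta(hours=10), False),
]


def run() -> Tuple[List[Finding], List[List[str]]]:
    """Evaluate the sample inventory and build a one-at-a-time rolling repave plan."""
    findings = evaluate(INVENTORY, POLICY, NOW)
    plan = rolling_repave_plan(findings, batch_size=1)
    return findings, plan


if __name__ == "__main__":
    found, batches = run()
    for name, rule, overdue in found:
        print(f"{name}: {rule} overdue by {overdue}")
    print("rolling repave batches:", batches)
```

In the sample inventory, api-1 is compliant on all three counts, api-2 and cache-1 need both a credential rotation and a repave, and db-1 (forty days of uptime, an unapplied fix three days old) is the long-lived server the text warns about. The plan groups repaves into batches of one, which is the rolling-deployment idea from the Repave bullet: the whole stack is recreated, but never all of it at the same time.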
- How are the three Rs of security related to DevOps?
DevOps is a combination of people, processes and tools that enables teams to deliver software faster. Teams don't work in silos. A DevOps workflow that includes security is what we call DevSecOps. DevSecOps attempts to include security concerns at all stages of a development workflow.
The three Rs model may be seen as a subset of DevSecOps. Security at the application layer can never be perfect. The solution is to mitigate the risks during operations. DevOps already includes a wealth of tools and automation. These can be used to implement the three Rs model.
Milestones
2016
2017
2018
Further Reading
- Smith, Justin. 2016a. "The Three Rs of Enterprise Security: Rotate, Repave, and Repair." Built to Adapt, Pivotal, April 20. Accessed 2018-12-12.
- Smith, Justin. 2016c. "Cloud Native Security: Rotate, Repair, Repave." Pivotal Software, on YouTube, August 19. Accessed 2018-12-12.
- Deogun, Daniel and Daniel Sawano. 2018. "Creating secure software - benefits from cloud thinking." Devoxx Poland, June. Accessed 2018-12-12.