Securing Your Workload Mesh
Ed Amoroso summarizes a recent technical conversation with K2 Cyber Security on securing distributed cloud-hosted workloads.

Andrew Carnegie said this: The way to become rich is to put all your eggs in one basket and then watch that basket. While this quip from the industrialist might have been useful folksy advice for Grandma and Grandpa, it is terrible guidance for the modern computing and application system designer. A much better mental image in computer science today involves distribution – and the correct unit for scattered computation is the workload.

When done right, modern workload implementation involves a carefully woven mesh of applications, systems, databases, and other computational structures, supported across a heterogeneous infrastructure. The optimal strategy is to first decouple workloads from their underlying host environments, and to then scatter the workloads across a cloud ecosystem. The resulting advantages range from increased resilience to improved performance.

The big challenge, however – and there’s always some-darn-thing complicating new designs in computing – is that security becomes a bit of a puzzle. That is, where we could previously code rules into an access management system tightly coupled to the application inside a next-generation firewall, we no longer have that perimeter luxury when designers scatter their workloads all over tarnation. Securing a blob sure seems easier than securing a mesh.

I spent some stimulating discussion time on this topic last week with Pravin Madhani, founder of K2 Cyber Security. Madhani is an impressive entrepreneur, but he also has serious chops in technology, with degrees from IIT and UT Austin, as well as years of experience in many technical and engineering roles. K2 is one of his more ambitious technical efforts, and he was kind enough to share his vision. Here is what I learned:

“Workloads used to be hosted on-premise, inside a perimeter,” he explained. “But now, everyone knows that they are hosted in the cloud. And this poses obvious cyber security challenges, not just in the architectural sense, but also in how applications execute. Establishing a dynamic understanding of how an application interacts with its environment is a key aspect in providing proper cyber protection.”

K2 is focused on two aspects of the security problem for cloud-hosted workloads. The first is a protective solution for workloads called K2 Prevent, which builds a dynamic execution map of application behavior. “Our map is built very quickly at run-time,” Madhani said, “and it allows us to compare live execution with a profile of normal expected behavior just from the binaries. Unlike in RASP, we don’t need access to source code.”
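To make the idea of an execution map concrete, here is a small added illustration (my own sketch, not K2 Prevent's code): a baseline of observed call-to-call transitions is learned from traces of ordinary requests, and a live trace is then checked for transitions the baseline never contained. The traces, call names and the spawned-process anomaly are all constructed for the example; a real product would derive its profile from binary instrumentation rather than from hand-written lists.

```python
"""Toy run-time execution map: learn which call transitions an application
normally makes, then flag live transitions that are absent from the map.
Added illustration only; all traces below are constructed."""
from collections import defaultdict

# Constructed baseline traces: call sequences observed while the application
# handled ordinary requests (file serving, a database lookup, a plain reply).
BASELINE_TRACES = [
    ["accept", "read", "parse_request", "route", "read_file", "write", "close"],
    ["accept", "read", "parse_request", "route", "query_db", "write", "close"],
    ["accept", "read", "parse_request", "route", "write", "close"],
]

# Constructed live traces: one matches the baseline, the other shows the
# request handler spawning a process, which the baseline never did.
LIVE_TRACE_NORMAL = ["accept", "read", "parse_request", "route", "query_db", "write", "close"]
LIVE_TRACE_SUSPECT = ["accept", "read", "parse_request", "route", "execve", "write", "close"]


def build_execution_map(traces):
    """Return {call: set(calls observed to follow it)} learned from the traces."""
    graph = defaultdict(set)
    for trace in traces:
        for prev, nxt in zip(trace, trace[1:]):
            graph[prev].add(nxt)
    return graph


def find_deviations(execution_map, live_trace):
    """Return [(position, prev, next)] for transitions not present in the map.

    position is 1-based and counts transitions, not calls.
    """
    deviations = []
    for pos, (prev, nxt) in enumerate(zip(live_trace, live_trace[1:]), start=1):
        if nxt not in execution_map.get(prev, set()):
            deviations.append((pos, prev, nxt))
    return deviations


if __name__ == "__main__":
    emap = build_execution_map(BASELINE_TRACES)
    for name, trace in (("normal", LIVE_TRACE_NORMAL), ("suspect", LIVE_TRACE_SUSPECT)):
        devs = find_deviations(emap, trace)
        print(f"{name}: {'ok' if not devs else devs}")
```

The suspect trace is flagged twice: once for the unexpected `route -> execve` edge and once for `execve -> write`, because the baseline has no outgoing edges from a call it never saw. That second hit is the useful property of the approach: once execution leaves the learned map, every subsequent step is also suspect until it rejoins a known path.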

The second element of the K2 solution is an architectural control called K2 Segment that supports workload distribution across a heterogeneous cloud ecosystem. Workloads are identified by assigned cryptographic identities, and policies are enforced for virtual machines, containers, pods, and other hosting structures, without reliance on a perimeter. The platform orchestrates a common set of policies – and this is required for modern cloud.

Madhani took me through several use-case examples, and they were impressive. He showed me a case involving a vulnerable module in NGINX (pronounced Engine-X, by the way). The K2 execution map was apparently instrumental in identifying the errant behavior through observed differences between the expected profile and live run-time behavior. He also showed me a case study where common labels were enforced across Kubernetes pods. It all sounded quite nice.
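The segmentation idea in the two paragraphs above (policy keyed to a cryptographic workload identity rather than to a network location, plus a common set of labels enforced on every pod) can be shown in a few dozen lines. The following is an added sketch of mine, not K2 Segment's implementation: an issuer signs each workload's identity document (name plus labels) with an HMAC key, and the enforcer makes its decision from the verified identity and labels only, logging but never trusting the host the request arrived from. The `mesh://` identity scheme, the issuer key, the policy table and the workload names are all constructed for the example; a production design would use certificates rather than a shared HMAC key.

```python
"""Toy identity-keyed policy enforcement for distributed workloads.
Added illustration only. Identity documents are signed by an issuer; the
enforcer decides from the verified identity and its labels, never from the
source host or IP. Keys, names and policy below are constructed."""
import hashlib
import hmac
import json

# Constructed issuer key; stands in for the issuer's signing credential.
ISSUER_KEY = b"constructed-issuer-key-not-for-real-use"

# Policy shared by every host in the mesh: client identity -> callable servers.
POLICY = {
    "mesh://checkout": {"mesh://payments"},
    "mesh://reporting": {"mesh://analytics"},
}

# Common labels every workload must carry, whatever it runs on.
REQUIRED_LABELS = {"env", "team"}


def issue_identity(name, labels):
    """Issuer signs an identity document (name + labels) with HMAC-SHA256."""
    doc = {"id": f"mesh://{name}", "labels": labels}
    payload = json.dumps(doc, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_identity(token):
    """Return the identity document if the signature verifies, else None."""
    expected = hmac.new(ISSUER_KEY, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    return json.loads(token["payload"])


def authorize(client_token, server_id, source_host):
    """Return (allowed, reason). source_host appears in the reason for the
    audit trail but plays no part in the decision."""
    client = verify_identity(client_token)
    if client is None:
        return (False, f"invalid identity signature (seen from {source_host})")
    missing = REQUIRED_LABELS - set(client["labels"])
    if missing:
        return (False, f"{client['id']} missing required labels {sorted(missing)}")
    if server_id not in POLICY.get(client["id"], set()):
        return (False, f"{client['id']} -> {server_id} not permitted by policy")
    return (True, f"{client['id']} -> {server_id} allowed (seen from {source_host})")


if __name__ == "__main__":
    checkout = issue_identity("checkout", {"env": "prod", "team": "store"})
    # Same identity, two different hosts: same decision, since the host is irrelevant.
    print(authorize(checkout, "mesh://payments", "10.0.1.5"))
    print(authorize(checkout, "mesh://payments", "vm-eu-west-7"))
    # Valid identity, but the policy does not grant this call.
    reporting = issue_identity("reporting", {"env": "prod", "team": "finance"})
    print(authorize(reporting, "mesh://payments", "10.0.2.9"))
    # Forged token: the signature no longer matches the payload.
    forged = dict(checkout, sig="0" * 64)
    print(authorize(forged, "mesh://payments", "10.0.1.5"))
    # Workload missing one of the common labels.
    unlabeled = issue_identity("checkout", {"env": "prod"})
    print(authorize(unlabeled, "mesh://payments", "10.0.1.5"))
```

Because `POLICY` and `REQUIRED_LABELS` are the same object on every enforcement point, the decision a workload receives does not change when it is rescheduled from one VM, container or pod to another; that is the "security travels with the workload" property the article describes.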

The success of a security start-up is driven by many factors, including the passion of its founders. An additional factor that always seems to be present, however, is a clear technical vision compatible with the reality of evolving customer environments. I can report with great confidence that Pravin Madhani has the correct vision: Cloud hosted workloads will need behavioral controls, and they will need distributed policy orchestration. Period.

So, I think this is likely a successful run for K2, especially as more companies host applications across heterogeneous cloud operating environments. Having the security travel along with the workloads seems such a good idea that it’s hard not to see growth here. I suspect K2 Prevent will be easier to sell in the near term than K2 Segment – but I shared with Madhani my view that the segmentation will have more impact in the long run.

You should consider connecting with Madhani and his team at K2 Cyber Security. And make sure to wear your thinking cap, because his team deals with complex technology. It does require some serious concentration to keep up: Welcome to high tech cyber security. But in the end, the time will be well-spent and you’ll be glad that you started planning for commonality in the security and policy enforcement of your workloads across clouds.

As always, please share what you learn.


Don’t put all of your security eggs in one basket!
