I’m pulling my hair out trying to clarify my POV on production network security. To reiterate, there is something to be said for configuration as code, lights-out operation, and zero trust architecture. I recall watching a demo of Apcera.
Apcera demonstrated an elegant Zero Trust Docker implementation before Docker Enterprise or Docker stacks etc. They proved that applications and microservices could be linked together securely with encrypted microsegmented networking, and that through DPI (deep packet inspection) it could determine whether the connection to a database was authentic.
Right now I am looking at getting back into the container market again. I’m hoping that it has matured so that the tools make this sort of deployment easier with a smaller dependency tree. For example, configuring Traefik to auto-renew SSL certs with Let’s Encrypt is a nightmare even with the ACME config, where a simple “renew” cronjob makes that easier.
Docker, on the other hand, makes encrypted microsegmentation a snap.
How many internal servers and services [a] are still messaging in plaintext or [b] do not have authenticated certificates?
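One way to actually answer that question for an inventory of host:port pairs is to attempt a verifying TLS handshake against each one and sort the outcomes. The probe below is an added example written for this post, not code from the original or from Apcera/Docker/Traefik; it uses only the Python standard library. The target names in SAMPLE_TARGETS are made up, and start_plaintext_banner_server is a constructed stand-in for a legacy daemon on loopback so the classifier can be exercised offline.

```python
import socket
import ssl
import sys
import threading

DEFAULT_TIMEOUT = 3.0

# Hypothetical internal endpoints, constructed for illustration only.
SAMPLE_TARGETS = [("db.internal", 5432), ("cache.internal", 6379), ("api.internal", 443)]


def probe(host, port, timeout=DEFAULT_TIMEOUT, cafile=None):
    """Classify one TCP endpoint. Returns one of:
      "closed"         - TCP connect refused or unreachable
      "plaintext"      - TCP open, but the peer answered our ClientHello with
                         non-TLS bytes (a banner, an HTTP error) or reset us
      "no-tls-reply"   - TCP open, peer never answered the ClientHello
                         (typical of client-speaks-first plaintext protocols)
      "tls-unverified" - TLS handshake completed, but the certificate does not
                         chain to the trust store or does not match the name
      "tls-verified"   - TLS with a certificate we can authenticate
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls-verified"
        except ssl.SSLCertVerificationError:
            return "tls-unverified"
        except socket.timeout:
            return "no-tls-reply"
        except OSError:  # ssl.SSLError (wrong version, EOF) or a reset
            return "plaintext"


def scan(targets, **kw):
    """Probe every (host, port) pair and return {"host:port": status}."""
    return {f"{h}:{p}": probe(h, p, **kw) for h, p in targets}


def free_loopback_port():
    """Pick a loopback port that nothing is listening on (constructed helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_plaintext_banner_server(banner=b"220 mail.internal ESMTP ready\r\n"):
    """Constructed stand-in for a legacy plaintext daemon: accepts one
    connection, swallows whatever the client sent (our ClientHello), answers
    with a greeting and hangs up. Returns the loopback port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        with srv:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(5)
                try:
                    conn.recv(4096)
                except OSError:
                    pass
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Usage: python probe.py host:port [host:port ...]; defaults to SAMPLE_TARGETS.
    targets = SAMPLE_TARGETS
    if len(sys.argv) > 1:
        targets = [(a.rsplit(":", 1)[0], int(a.rsplit(":", 1)[1])) for a in sys.argv[1:]]
    for endpoint, status in scan(targets).items():
        print(f"{endpoint:30} {status}")
```

The distinction between "tls-unverified" and "tls-verified" is the part people skip: a service can be encrypted and still be talking to anyone who answers on that port. Pass cafile=... to point the check at an internal CA rather than the system store, and treat "no-tls-reply" as a plaintext protocol until proven otherwise.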