Security at the Speed of DevOps: Maturity, Orchestration, and Detection

Container and microservices technologies, including the orchestrator Kubernetes, create an extraordinary opportunity to build infrastructure and applications that are secure by design.

Kamal Shah, CEO at StackRox

January 9, 2019

5 Min Read
Dark Reading logo in a gray background | Dark Reading

Containerized environments, central to digital transformation, have become mainstream with notable speed. Cloud-native architecture and microservices-based applications are critical to enabling companies to move fast. To move quickly with safety, companies must accelerate the maturity of their container security strategies and implementations.

As production deployments pick up speed, security gaps become evident, presenting immediate risk to businesses. We already know that traditional security tooling and products don't work to secure containers and microservices. As a result, most companies with container deployments are concerned about insufficient security strategies and investments and are looking to new companies for purpose-built solutions.

Along with deploying new container security platforms, companies realize they must also leverage the security capabilities and architectures inherent to cloud-native, containerized ecosystems. Container and microservices technologies, like Kubernetes, create an extraordinary opportunity to build infrastructure and applications that are secure by design. The best security platform for these technologies will tap into the power of the full ecosystem rather than add on a range of security functions separate from the infrastructure.

New Challenges and Strategic Shifts
Containerized environments are inherently more secure when built and used properly. But it takes experience with these systems to configure and run them securely. Often, the security team is not experienced with containers or Kubernetes. Many companies are rethinking their security roles and responsibilities in light of container adoption.

Strengthening Kubernetes security is one of the most fundamental things an organization can to do to protect containerized applications. Kubernetes has become the orchestrator of choice for most container deployments. Part of what makes it a powerful solution is the degree to which you can exert control with it, but with many "knobs" to tune comes the potential for mistakes. If you don't set it up right, with the dashboard protected and role-based access control implemented, you can introduce business risk through unnecessary exposure. Also, Kubernetes is becoming a target because it's widely adopted.

We recommend time spent on protection and hardening — Kubernetes includes a lot of moving parts, and given its role in application development, the question arises as to which team should secure it.

DevOps Gets Closer to Security
With the rise of cloud services and cloud-native architectures, the CIO's team has shifted from providing and running infrastructure to enabling applications. And now, with containerization, the security team is making a similar shift, enabling rather than operating security functions. That's because as security necessarily moves closer to the application, it enters DevOps' domain. Because of their expertise and central role in building, testing and deploying applications, DevOps team members must take responsibility for protecting those applications and their infrastructure. Security teams likely will still define policies and put guardrails in place, but DevOps increasingly will operate the security tools closest to containerized applications.

DevOps also has the know-how to build security into the infrastructure earlier in the software development life cycle. Resilience and agility can be improved through the granularity of container technology. In cloud-native environments, the control layer and data plane are interwoven; you can write in a layer of logic to create continuous, instantaneous enforcement.

Containers and microservices give you the ability to make changes — including security fixes — on a nearly continuous basis. To fix an issue, simply replace a bad image with a good one, kill the affected containers, and when those containers rebuild, they'll automatically use updated images. This way, you can address security gaps without breaking the entire application.

By weaving security solutions into the infrastructure and closer to the application, DevOps can give hackers quite a headache. If they succeed at infiltrating, bad actors typically are limited to seeing what's in just a single container — broadening the attack means they have to replicate their intrusive maneuvers multiple times.

Given the inherent security constructs of containers, security and DevOps teams can work together to protect the infrastructure. Security team members don't have to fully understand all the development tools — they can focus on sharing the security principles and policies to apply to the new dev tools. DevOps and security can better learn how to work together in new ways and speak each other's language if they implement a container security platform that integrates native DevOps tooling, such as using Kubernetes for network policy enforcement.

Work Smarter
Intelligent, actionable, built-in visibility and control should be an integral part of any responsible security model. That's already a tall order. With container technology, we add a portability requirement. For businesses trying to operationalize and secure containers across hybrid and multicloud deployments, the security model has to be at once holistic, highly portable, and deeply integrated. Hygiene, vulnerability management, and prevention are hallmarks of today's security efforts.

As more vital infrastructure is built using containerized and cloud-native models, we need to shift our focus to detection. 

Vulnerability scanning and hardening are still important, but to do anything about runtime attacks, you need detection capabilities. And you can't remediate manually — systems designed to scale up and out rapidly and iterate frequently, as containers do, require automation and machine learning. Kubernetes and containers provide the capability to automate the execution of a specific response to everything that is detected. The most effective security solutions will be those that make actionable detection possible — and eliminate counterproductive streams of alerts.

There's much more to come. We're at an exciting intersection of possibilities thanks to the convergence of containers, orchestrators, microservices, and DevOps capabilities. If we harness the momentum, we can advance standards, cultivate the portability and integration of security, encourage collaboration, and make the strategic investment to build holistic, sustainable systems that protect our digitally transformed world.

Related Content:

 

About the Author

Kamal Shah

CEO at StackRox

Kamal Shah brings more than 20 years of experience identifying new markets, creating category-defining products that delight customers, and building large businesses to his role as CEO of StackRox. Previously, Kamal was SVP of products and marketing at Skyhigh Networks, a leading Cloud Access Security Broker (CASB) acquired by McAfee in January 2018. Before that, Kamal was part of the founding executive team at Clearwell Systems (acquired by Symantec) and General Manager at Siebel Systems (acquired by Oracle). Kamal holds a Bachelor of Science in Computer Science and an MBA from Harvard Business School.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights