Virtualization Technology News and Information
StackRox 2019 Predictions: Security Goes Cloud-Native - Container and Kubernetes Security at the Speed of DevOps

Industry executives and experts share their predictions for 2019.  Read them in this 11th annual series exclusive.

Contributed by Kamal Shah, CEO, and Ali Golshan, CTO and Co-founder, StackRox

Security Goes Cloud-Native: Container and Kubernetes Security at the Speed of DevOps

Digital transformation is picking up speed. As new tech converges with innovative product and service delivery models, the cycles of trial, limited adoption, and mainstream production use grow closer together, sometimes outpacing skill development and forcing connected efforts like security to keep up. In other words, you have to move fast to stay in the game.

Containerized environments and microservices-driven application delivery are essential to digital transformation. The cloud-native architecture and service delivery framework is crucial for enabling the fast application iteration businesses require today.

These containerized environments have evolved quickly from emergence to mainstream, demanding that operationalizing and securing these environments evolve as well. It's well understood that traditional tooling and legacy products won't work to secure containers and microservices. Indeed, very few tools are available today to help secure them properly, and as production deployments ramp up, security gaps become more apparent.

Container and microservices technologies create an unprecedented opportunity to move from a constant stream of new security tools to building infrastructure and applications that are secure by design. As we race into 2019, we want to share our thoughts about what businesses should be focusing on when it comes to container security.

Complexity and immaturity create new risks

First and foremost, it's important to take a clear-eyed look at the risks arising from lack of maturity and expansion of complexity in these deployments. When built and used properly, these environments are inherently more secure. So we have to use the next year to figure out what "properly" looks like and how to get up to speed. The primary security gaps are due to the fact that these environments involve new tech, new tools, and extensive configuration - all of which is unfamiliar territory for traditional security teams. There's a skill shortage in general, and a need to rethink security roles at the organization level.

Securing containers depends on securing Kubernetes

As the orchestrator of choice for most container deployments, Kubernetes sits at the heart of effective container security. The platform is extremely powerful, with many "knobs" to tune, and several of them default to the permissive setting (with no NetworkPolicy in place, for example, every pod can talk to every other pod). If you don't set it up right, misconfigurations such as privileged containers, containers sharing the host's network or process namespaces, or an overly permissive API server could expose your organization to significant risk. In addition, once a technology like Kubernetes occupies a significant enough portion of the tech landscape, it becomes a target. That's why the focus over the next year has to turn from adoption to protection and hardening. Container security platforms must encompass strong Kubernetes security to protect containerized applications effectively.
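The knobs referred to above are concrete fields on a Pod manifest, and the checks a security team wants for them are mechanical. What follows is an added example, not code from the article or from StackRox: a small Python checker run over two constructed Pod manifests, one as many teams first deploy a workload and one with the same knobs set deliberately. The workload name, registry and the wording of each finding are this example's assumptions; the fields it inspects (hostNetwork, hostPID, hostIPC, privileged, allowPrivilegeEscalation, runAsNonRoot, automountServiceAccountToken, dropped capabilities, digest-pinned images) are real Kubernetes settings.

```python
"""Flag the Kubernetes Pod "knobs" most often left in a risky state.

Added example, not StackRox or article code. WEAK_POD and HARDENED_POD are
constructed manifests; the finding text is this example's own wording.
"""
from typing import Dict, List

# Constructed sample: a workload as many teams first deploy it.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "payments-api", "namespace": "default"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "api",
            "image": "registry.example.com/payments/api:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed sample: the same workload with every knob set on purpose.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "payments-api", "namespace": "payments"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "api",
            "image": "registry.example.com/payments/api@sha256:" + "a" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def check_pod(pod: Dict) -> List[str]:
    """Return one human-readable finding per risky setting (empty list = clean)."""
    findings: List[str] = []
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    name = meta.get("name", "<unnamed>")
    pod_sc = spec.get("securityContext", {})

    # Host namespaces remove the isolation between the pod and the node.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag}=true shares a host namespace with the node")
    # Kubernetes mounts the service-account token unless told not to.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service-account token is mounted; a compromised "
                        f"container can call the API server with it")
    if meta.get("namespace", "default") == "default":
        findings.append(f"{name}: runs in the default namespace, so namespace-scoped "
                        f"policy and RBAC cannot single it out")

    for c in spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged=true disables nearly all container isolation")
        # Defaults to true; false sets no_new_privs on the container process.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not set to false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}/{cname}: may run as root (runAsNonRoot unset)")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}/{cname}: Linux capabilities are not dropped")
        # A tag can be re-pushed; a digest names exactly one image.
        if "@sha256:" not in image:
            findings.append(f"{name}/{cname}: image {image!r} is a mutable tag, not a digest")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(check_pod(pod))} finding(s)")
        for line in check_pod(pod):
            print("  -", line)
```

The same dict shape comes out of `kubectl get pod -o json`, so the checker can be pointed at live objects or at manifests rendered by the CI pipeline and used to fail a build. It is not a substitute for an admission controller that rejects these settings at the API server; it shows which fields such a controller is looking at.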

The central role of DevOps will extend to more IT functions

Traditionally, the CIO was the provider of IT infrastructure (e.g., email servers). Given the migration to cloud services, and on-prem use of cloud-native architectures, central IT has shifted to enabling applications rather than directly running the infrastructure that supports them. Similarly, the security team used to provide security solutions and operate security tools. This group, too, must now be an enabler rather than the full-time operator of some security functions.

In today's application development world, DevOps holds center stage, and the roles and responsibilities of this group are expanding. While the security team will define policies and put guardrails in place, DevOps will operate the security tools tied to containerized applications.

As a result, the CISO will have a more strategic role, in shaping policy and broadening the domain of security functions to "shift left" even more, with more security built into the infrastructure earlier in the software development life cycle.

The need for standards is rising alongside adoption

As companies work through their digital transformation initiatives, they're developing the infrastructure for their container deployments - the workflows, requirements, and combinations of solutions needed to protect these environments. We believe that companies will increasingly need to standardize to address the breadth of challenges. One area ripe for standardization is the orchestrator. Kubernetes, with its rich community involvement and breadth of managed service offerings, will finalize its dominance as the orchestrator of choice. Settling on Kubernetes, and then building tools and systems that rely on Kubernetes, will remove a lot of the security risk that comes from securing several orchestrators with several sets of primitives. Much like we saw with cloud computing workloads, operating systems, and networking protocols, anointing Kubernetes as the OS of the cloud will simplify many challenges. The industry is already showing strong support for Kubernetes, with managed Kubernetes offerings from Google, IBM, Red Hat, Amazon, and Microsoft.

This standardization will serve organizations well in many dimensions. Adjacent technology providers can deepen their capabilities when their support matrix shrinks to one platform. Businesses can share information and best practices, and they can hire from a common pool of talent with a core set of skills and experience. And security and other related technologies will improve, as the combination of built-in Kubernetes capabilities and add-on technologies tied to Kubernetes continue to thrive.

Security is getting closer to the application

Resilience and agility can be optimized through the granularity of container technology. In cloud-native environments the control layer and the data plane are declared through the same API, so you can programmatically decide how to secure the application, write that logic in as policy next to the workload definitions, and get continuous, near-instantaneous enforcement. Historically, with monolithic applications, you would often find security gaps only in production, when all dependencies were in full effect. Containers, built and tested as immutable units, help us identify them much earlier.

The more you can address things at the atomic, granular level (i.e., container and microservice), the more quickly you can block, rotate, and change them. To address a vulnerability, you replace the bad image with a fixed one in the workload definition and let the orchestrator roll it out: the impacted containers are terminated, and when they are recreated they come up from the updated image. You've addressed the security gap without breaking the whole application, and you've done it a lot faster than refactoring the entire application. The caveat is that this only works when images are treated as immutable and rebuilt from a patched base; a fix applied inside a running container disappears with the next restart. If you're wrong and slow, it's expensive and risky. If you're wrong and fast, you're just adding to your experience and learning. Containers let you tap into the security controls built into their infrastructure. The security team doesn't have to fully understand all the development tools; they just need to shape the policies under which these tools operate. Container security platforms that leverage the native DevOps tooling, like using Kubernetes NetworkPolicy for network segmentation, will help DevOps and security work together in unprecedented ways and speak the same language while they do so.

On the flip side, with security closer to the application, hackers have to work harder. To infiltrate, they have to get inside each individual container to see its traffic: containers are isolated from one another by kernel namespaces and, with network policy in place, can only reach the peers they are explicitly allowed to. Attackers therefore have to replicate their intrusive maneuvers multiple times. That isolation holds only as long as containers are not run privileged or with shared host namespaces, which is another reason Kubernetes hardening matters.

The need for strong security detection will increase

Because companies are trying to operationalize and secure containers across hybrid and multi-cloud deployments all at once, the security model has to be portable and integrated. Much of the current security focus is on hygiene and prevention - with elements like vulnerability management taking center stage. As transformation velocity accelerates and more critical infrastructure is supported through containerized and cloud-native models, detection becomes more imperative. The need for holistic approaches to prevention and detection isn't just about API protection or specific attacks like cryptomining - intelligent, actionable, built-in visibility and control is simply part of a responsible security model.

Manual approaches quickly become insufficient when the ecosystem is scaling up and out and changing rapidly. Processing massive volumes of data at machine speed and responding in real time will require AI and machine learning components. You can and should do all the usual vulnerability scanning and hardening, but at runtime, you need detection, because, as we have learned the hard way, hackers will still find a way in.

In 2019, look for solutions that enable actionable detection. A mountain of alerts is useless and can even create risk. Kubernetes and containers give you the means to automate a specific response to what is detected. For example, if observed network connections show a service unnecessarily exposed to the Internet, you can use a Kubernetes NetworkPolicy to block that network path. Similarly, if a service account token has been hijacked, you can revoke that token's ability to access a particular service by deleting the token and narrowing the RBAC bindings that granted the access.
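As an added example of the "detect, then block the path" response described here, and of the Kubernetes network policy enforcement mentioned earlier (not code from the article or from StackRox): the Python below takes a few constructed flow records (source IP, destination namespace, destination pod label, port, a simplified form of what a CNI flow log reports), flags workloads that received traffic from outside the private address ranges without being meant to, and emits a Kubernetes NetworkPolicy manifest as JSON that limits ingress to pods in the same namespace. The flow-record shape, the `app` label convention and the list of intentionally Internet-facing workloads are this example's assumptions.

```python
"""Detection -> response: flag an unexpectedly exposed workload and emit a
NetworkPolicy that closes the path.

Added example, not StackRox or article code. FLOWS and INTERNET_FACING are
constructed; the flow-record shape and the `app` label are assumptions.
"""
import ipaddress
import json
from typing import Dict, List, Tuple

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one record per observed connection to a pod.
FLOWS = [
    {"src": "10.42.3.17",    "ns": "payments", "app": "ledger",   "port": 8080},
    {"src": "198.51.100.23", "ns": "payments", "app": "ledger",   "port": 8080},
    {"src": "10.42.8.2",     "ns": "payments", "app": "ledger",   "port": 8080},
    {"src": "203.0.113.9",   "ns": "payments", "app": "ledger",   "port": 8080},
    {"src": "203.0.113.40",  "ns": "web",      "app": "frontend", "port": 443},
]

# Constructed: workloads that are supposed to be reachable from the Internet.
INTERNET_FACING = {("web", "frontend")}


def is_internal(ip: str) -> bool:
    """True if the address falls inside the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def detect_exposed(flows: List[Dict]) -> Dict[Tuple[str, str], List[str]]:
    """Map (namespace, app) -> external source IPs for workloads that took
    traffic from outside the private ranges but are not meant to."""
    exposed: Dict[Tuple[str, str], List[str]] = {}
    for f in flows:
        key = (f["ns"], f["app"])
        if key in INTERNET_FACING or is_internal(f["src"]):
            continue
        exposed.setdefault(key, []).append(f["src"])
    return exposed


def build_policy(namespace: str, app: str, port: int) -> Dict:
    """NetworkPolicy allowing ingress to the app only from pods in its own
    namespace on the served port. Once a pod is selected by any ingress
    policy, everything not explicitly allowed is denied."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{app}-internal-only", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": app}},
            "policyTypes": ["Ingress"],
            "ingress": [{
                # An empty podSelector matches every pod in the policy's namespace.
                "from": [{"podSelector": {}}],
                "ports": [{"protocol": "TCP", "port": port}],
            }],
        },
    }


def respond(flows: List[Dict]) -> List[Dict]:
    """One policy manifest per exposed workload, ready for `kubectl apply -f -`."""
    policies = []
    for (ns, app) in detect_exposed(flows):
        port = next(f["port"] for f in flows if (f["ns"], f["app"]) == (ns, app))
        policies.append(build_policy(ns, app, port))
    return policies


if __name__ == "__main__":
    for policy in respond(FLOWS):
        print(json.dumps(policy, indent=2))
```

Two caveats a practitioner should keep in mind. The NetworkPolicy object is accepted by every API server, but it is only enforced when the cluster's CNI plugin implements it (Calico, Cilium and similar do; the basic bridge networking does not), so applying a policy without an enforcing CNI produces a false sense of security. And the source address a pod sees is only the real client address when traffic arrives with its source preserved; kube-proxy's SNAT on NodePort and LoadBalancer services (unless externalTrafficPolicy is Local) rewrites it to a node address, which is why the generated policy allows by pod selector rather than by source CIDR.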

Service mesh and Istio are becoming a critical component

Shows like DockerCon and KubeCon have grown exponentially. Keep your eyes out for MeshCon 2019. Service mesh technologies like Istio make it easier to connect, secure, and manage the microservices that make up applications. Istio is rapidly gaining momentum as the service mesh of choice, with capabilities including load balancing, failure recovery, monitoring, and analytics, as well as mutual TLS between services. The challenge is in its complexity - organizations are struggling to manage Kubernetes effectively, and Istio is estimated to be 10 times as complex as Kubernetes. Google is already offering Istio as a service, and other providers of Istio services will emerge quickly. The growing need for an abstraction and management layer for Kubernetes will push more platforms to incorporate it.

Kubernetes and Istio make it easier to run in multi-cloud deployments. You can apply one enforcement model across any of the cloud providers, enabling the ultimate vision of container portability. We expect Istio to give independent security vendors a way to provide a more agile security and policy layer for container infrastructure that is more effective than today's typical configuration audit function. Expect substantial experimentation and knowledge building with Istio in 2019.

It wasn't so long ago that security pros had to overhaul their strategy in the face of mobile, BYOD, cloud, and shadow tech. The once solid, firewalled perimeter became porous, creating a major shift in security approaches and tooling. As we prepare to shift again in 2019, we anticipate a more graceful transition thanks to the agility, visibility and orchestration powered by the convergence of containers, microservices, Kubernetes, service mesh, and DevOps. Keep your eye out for opportunities to influence standards adoption and push for strategic improvements in your organization's maturity with regard to the complex and powerful transformations driven by containerized infrastructure.


About the Authors

Kamal Shah brings more than 20 years of experience identifying new markets, creating category-defining products that delight customers, and building large businesses to his role as CEO of StackRox. Previously, Kamal was SVP of products and marketing at Skyhigh Networks, a leading Cloud Access Security Broker (CASB) acquired by McAfee in January 2018. Before that, Kamal was part of the founding executive team at Clearwell Systems (acquired by Symantec) and General Manager at Siebel Systems (acquired by Oracle). Kamal holds a Bachelor of Science in Computer Science and an MBA from Harvard Business School.

With a passion for building disruptive products, Ali Golshan is Co-founder and CTO for StackRox, where he oversees the company's technology strategy and roadmap. Prior to StackRox, Ali was the Founder & CTO of Cyphort and led the company's product strategy, research, and technical initiatives, including the Threat Research Lab. Previously, Ali advised numerous Fortune 100 companies, including Google, Microsoft, PwC, and Visa. Ali has also worked with government intelligence agencies and defense contractors.

Published Monday, November 26, 2018 7:23 AM by David Marshall