Catching Up and Closing the Gap: DevOps Alignment Advances the State of Container Security
March 11, 2019

Ali Golshan
StackRox

Companies are struggling to close the gap between how heavily they use containers and how confident they are in the security of those containers, and in particular in their configuration. The more containers dominate application development, the more imperative it is to integrate container security throughout the process: moving it earlier in the development cycle and tying it into the orchestration layer. Portability and integration are critical as companies try to operationalize and secure containers and microservices across hybrid and multi-cloud deployments at the same time.

The lag between container security and container adoption represents significant risk to individual businesses as well as to the broader ecosystem. It's time to close this security gap before it widens, and DevOps has a central role to play. Properly deployed, containers enable more effective security practices than traditional infrastructure, because the declarative, immutable nature of the cloud-native stack lends itself to automated policy enforcement in cloud environments and complex ecosystems.

Major Concerns

According to research from the StackRox State of Container Security 2018 Report, professionals using container technologies are most concerned about misconfigurations and runtime security. Incidents of attacks and breaches based on exposed Kubernetes settings have made headlines and jangled nerves. Even though misconfigurations are seen as the primary vulnerability, respondents are also focused on runtime security, perhaps because running containers in production is still fairly new and no one wants to risk discovering unknown issues after deployment.

In reaction to these anxieties, organizations are trying a "shift left" approach, addressing security earlier in the software development cycle. As a result, DevOps is increasingly positioned as responsible for operating container security solutions. The CI/CD components (build automation, developer tooling, image registries) are closely linked to container security, which pushes security and DevOps teams toward greater cooperation and collaboration.

DevOps Alignment

To shrink the gap between adoption rates and security maturity, and between the traditional security and development silos, organizations should seek container security solutions that reflect the DevOps model, workflow, and processes. Avoiding the headlines that keep security leaders up at night requires solutions that address container and orchestrator misconfigurations and also deliver runtime security functions with adaptive detection to reduce false alerts.

DevOps teams want solutions whose security controls use the cloud-native infrastructure itself. In other words, a solution that uses the network policy enforcement built into Kubernetes (NetworkPolicy objects, enforced by the cluster's network plugin) is preferable to one that creates a separate security layer with its own agents and rule language. One caveat: the Kubernetes API server accepts NetworkPolicy objects regardless of whether the installed network plugin enforces them, so the enforcement capability of the CNI must be verified rather than assumed. Portability across mixed environments (on-prem, hybrid, multi-cloud, managed) is important for similar reasons.
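As an added example of the built-in enforcement the paragraph above refers to (this is illustrative configuration, not code from the article or from StackRox), the following two Kubernetes NetworkPolicy objects first deny all ingress to every pod in a namespace, then re-open a single path. The namespace name "payments", the labels app=api and app=frontend, and port 8080 are assumed for illustration.

```yaml
# Added example, not from the original article. Namespace "payments" and the
# labels app=api / app=frontend are assumed for illustration.
#
# Policy 1: default-deny ingress for the whole namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  # An empty podSelector matches every pod in the namespace.
  podSelector: {}
  policyTypes:
  - Ingress
  # No "ingress" rules are listed, so no inbound traffic is allowed to any
  # pod selected by this policy. Egress is untouched because it is not listed
  # under policyTypes.
---
# Policy 2: explicitly allow frontend pods to reach the api pods on TCP/8080.
# NetworkPolicies are additive: a pod selected by several policies gets the
# union of their allow rules, so this policy punches one hole in policy 1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```

Apply both with kubectl apply -f and then test from a pod that is not labelled app=frontend: a connection to the api service on 8080 should time out, while the same connection from a frontend pod succeeds. If traffic flows from the unlabelled pod, the cluster's network plugin is not enforcing NetworkPolicy and the objects are providing no protection at all, which is exactly the silent failure mode to check for before relying on them.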

To better support container security, DevOps requires visibility and intelligence at the deployment level: the Kubernetes Deployment, its namespace, its service accounts and the network paths it exposes, not just the individual container. If information is limited to the container-level perspective, staff lack the context to make decisions or draw useful conclusions. Risk mitigation information, including what needs to be addressed and why, should be delivered directly to the DevOps teams that own the affected deployments.

The Ecosystem

Speaking of the bigger picture, as digital transformation accelerates across industries and containers come into wider use in critical production environments, security practices need to keep pace. Already, security teams are frequently caught unaware, surprised at how broadly containers are being used in their organization. While the mechanics need to be container-specific and tied to the build, deploy, and run stages, the core functionality should resemble that of best-in-class network and endpoint solutions: identify and manage assets; prioritize the riskiest elements; automatically harden the environment; and detect and block malicious actors.

Container security should reach well beyond what a bolt-on solution can touch. Kubernetes, the orchestrator chosen most often for container deployments, is the core engine of effective container security. DevOps should help bridge the gap between adoption and security by focusing on protecting and hardening Kubernetes itself, since a compromised or misconfigured control plane undermines every workload it schedules. Teams that standardize on Kubernetes, and then build tools and systems that rely on it, will address many of the security risks going forward. As Kubernetes is increasingly treated as the operating system of the cloud, many security challenges will be simplified.

Through the migration to the cloud, central IT has turned its focus to enabling applications instead of running infrastructure. Security is likewise shifting to enabling rather than operating security tools. As organizations become more focused on application development, DevOps will move toward center stage as the roles and responsibilities of the group expand. In containerized environments, the security team will define policies and put guardrails in place, but DevOps will operate the security tools tied to microservices and containerized applications. The CISO will grow into a more strategic role, shaping policy and working to embed security functions and "shift left" even more.

Security Agility

The granularity of container technology presents new opportunities to improve security resilience and agility. In cloud-native environments, security policy is declared through the same API that describes the workload, so DevOps can secure the application programmatically by writing policy alongside the deployment and relying on the platform for continuous, immediate enforcement. With monolithic applications, security gaps were often found only in production, when all dependencies were in full effect; with containers, they can be found much earlier, at build or deploy time. Moreover, a gap in one service can be addressed without breaking or refactoring the whole application.

Risk resilience, security agility, and granular control will be essential to achieving container excellence. Bringing in DevOps to take advantage of the security strengths of Kubernetes and cloud-native environments will help organizations keep pace with their own innovation, close security gaps, and create a strong foundation for future opportunities, challenges, and growth.

Ali Golshan is CTO and Co-Founder of StackRox