Catching Up and Closing the Gap: DevOps Alignment Advances the State of Container Security
March 11, 2019

Ali Golshan
StackRox

Companies are struggling to address the gap that exists between how they're using containers and their level of confidence about security and misconfigurations. The more containers dominate application development, the more imperative it is to integrate container security measures throughout the process, bringing it earlier in the app dev process and integrating it with the orchestration layer. Portability and integration are critical as companies are trying to simultaneously operationalize and secure containers and microservices across hybrid and multi-cloud deployments.

The lag between container security and container adoption represents significant risks to individual businesses as well as the broader ecosystem. It's time to close this security gap before it widens, and DevOps has a central role to play. Properly deployed, containers enable more effective security practices than traditional infrastructure, and the cloud-native stack is particularly well-suited for cloud environments and complex ecosystems.

Major Concerns

According to research from the StackRox State of Container Security 2018 Report, professionals using container technologies are most concerned about misconfigurations and runtime security. Incidents of attacks and breaches based on exposed Kubernetes settings have made headlines and jangled nerves. Even though misconfigurations are seen as a primary vulnerability, respondents are also focused on runtime security, perhaps because running containers in production is still fairly new and no one wants to risk discovering unknown issues post deployment.

DevOps is increasingly positioned as responsible for operating container security solutions

In reaction to these anxieties, organizations are trying a "shift left" approach, looking to address security earlier in the software development cycle. As a result, DevOps is increasingly positioned as responsible for operating container security solutions. The CI/CD process components (e.g., build automation, developer tools) are closely linked to container security, which pushes security and DevOps teams to shift towards greater cooperation and collaboration with each other.

DevOps Alignment

To facilitate shrinking the gap between adoption rates and security maturity — and between traditional security and development silos — organizations should seek container security solutions that reflect the DevOps model, workflow, and processes. Avoiding the headlines that keep security leaders up at night requires solutions that address container and orchestrator misconfigurations and also deliver runtime security functions with adaptive detection to reduce false alerts.

DevOps teams want solutions with security controls that leverage cloud-native infrastructure. In other words, a solution that uses the network policy enforcement built into Kubernetes is preferable to one that creates a separate security layer. Portability across mixed environments (on-prem, hybrid, multi-cloud, managed) is important for similar reasons.

To better support container security, DevOps requires visibility and intelligence at the deployment level. If information is limited to the container-level perspective, staff don't have the big picture context to make decisions or garner insights. Risk mitigation information, including context about what needs to be addressed and why, should be provided directly to all appropriate DevOps teams.

The Ecosystem

Speaking of the bigger picture, as digital transformation accelerates across industries and containers come into wider use in critical production environments, security practices need to keep pace. Already, security teams are frequently caught unaware, surprised at how broadly containers are being used in their organization. While the mechanics need to be container-specific and tied to various build, deploy, and run stages, the core functionality should resemble best-in-class network and endpoint solutions: identify and manage assets; prioritize the riskiest elements; automatically harden the environment; and detect and block malicious actors.

Container security should reach way beyond what a bolt-on solution can touch. Kubernetes, the orchestrator chosen most for container deployments, is the core engine of effective container security. DevOps should help bridge the gap between adoption and security by focusing on Kubernetes protection and hardening. Teams that settle on Kubernetes, and then build tools and systems that rely on it, will solve a lot of the security risks going forward. As Kubernetes is increasingly crowned the OS of the cloud, many security challenges will be simplified.

Through the migration to the cloud, central IT has turned its focus to enabling applications instead of running infrastructure. Security is likewise shifting to enabling rather than operating security tools. As organizations become more focused on application development, DevOps will move toward center stage as the roles and responsibilities of the group expand. In containerized environments, the security team will define policies and put guardrails in place, but DevOps will operate the security tools tied to microservices and containerized applications.
The CISO will grow into a more strategic role, shaping policy and working to embed security functions and "shift left" even more.

Security Agility

The granularity of container technology presents new opportunities to optimize security resilience and agility. In cloud-native environments, the control layer and data plane are mixed together; DevOps can programmatically secure the application by writing in a layer of logic to maintain continuous and instantaneous enforcement. With monolithic applications, security gaps were often found only in production, when all dependencies were in full effect; with container security, they can be found much earlier. Moreover, security gaps can be addressed without breaking or refactoring the whole application.

Risk resilience, security agility, and granular control will be essential to achieving container excellence. Bringing in DevOps to take advantage of the security strengths of Kubernetes and cloud-native environments will help organizations keep pace with their own innovation and close security gaps and create a strong foundation for future opportunities, challenges, and growth.

Ali Golshan is CTO and Co-Founder of StackRox
Share this

Industry News

November 24, 2020

Red Hat announced new capabilities and features for Red Hat OpenShift, the company's enterprise Kubernetes platform.

November 24, 2020

Sectigo released Chef, Jenkins, JetStack Cert-Manager, Puppet, and SaltStack integrations for its certificate management platform.

November 24, 2020

DataStax released K8ssandra, an open-source distribution of Apache Cassandra on Kubernetes.

November 23, 2020

Spectro Cloud has released a new, self-hosted version of its flagship product, Spectro Cloud.

November 23, 2020

GitLab completed integration of Peach Tech, a security software firm specializing in protocol fuzz testing and dynamic application security testing (DAST) API testing, and Fuzzit, a continuous fuzz testing solution providing coverage-guided testing.

November 23, 2020

Fugue announced the availability of its SaaS product in AWS Marketplace, further simplifying the process for Amazon Web Services customers to use Fugue to bring their environments into compliance quickly, demonstrate compliance at any time, and Shift Left on cloud security.

November 19, 2020

Rollbar announced AI-assisted workflows powered by its new automation-grade grouping engine.

November 19, 2020

Buildkite expanded its integration with GitHub and introduced a new onboarding experience.

November 19, 2020

Rancher Labs launched a new Partner Program for the OEM and embedded community.

November 18, 2020

Puppet announced its evolution to an integrated automation platform to enable key business initiatives such as scaling DevOps, risk reduction, policy as code, and evolving cloud strategies.

November 18, 2020

Adaptavist has joined the GitLab partner program as a Select partner.

November 18, 2020

Postman launched the beta version of public workspaces, a hub that makes it possible for both API producers and consumers to seamlessly communicate and collaborate in real time without team or organizational boundaries.

November 17, 2020

Red Hat introduced new capabilities for Red Hat Enterprise Linux and Red Hat OpenShift intended to help enterprises bring edge computing into hybrid cloud deployments.

November 17, 2020

Humio announced the availability of the Humio Operator.

November 17, 2020

Accurics announced that Terrascan, the open source static code analyzer that enables developers to build secure infrastructure as code (IaC), has been extended to support Helm and Kustomize.