Catching Up and Closing the Gap: DevOps Alignment Advances the State of Container Security
March 11, 2019

Ali Golshan
StackRox

Companies are struggling to address the gap that exists between how they're using containers and their level of confidence about security and misconfigurations. The more containers dominate application development, the more imperative it is to integrate container security measures throughout the process, bringing it earlier in the app dev process and integrating it with the orchestration layer. Portability and integration are critical as companies are trying to simultaneously operationalize and secure containers and microservices across hybrid and multi-cloud deployments.

The lag between container security and container adoption represents significant risks to individual businesses as well as the broader ecosystem. It's time to close this security gap before it widens, and DevOps has a central role to play. Properly deployed, containers enable more effective security practices than traditional infrastructure, and the cloud-native stack is particularly well-suited for cloud environments and complex ecosystems.

Major Concerns

According to research from the StackRox State of Container Security 2018 Report, professionals using container technologies are most concerned about misconfigurations and runtime security. Incidents of attacks and breaches based on exposed Kubernetes settings have made headlines and jangled nerves. Even though misconfigurations are seen as a primary vulnerability, respondents are also focused on runtime security, perhaps because running containers in production is still fairly new and no one wants to risk discovering unknown issues post deployment.

DevOps is increasingly positioned as responsible for operating container security solutions

In reaction to these anxieties, organizations are trying a "shift left" approach, looking to address security earlier in the software development cycle. As a result, DevOps is increasingly positioned as responsible for operating container security solutions. The CI/CD process components (e.g., build automation, developer tools) are closely linked to container security, which pushes security and DevOps teams to shift towards greater cooperation and collaboration with each other.

DevOps Alignment

To facilitate shrinking the gap between adoption rates and security maturity — and between traditional security and development silos — organizations should seek container security solutions that reflect the DevOps model, workflow, and processes. Avoiding the headlines that keep security leaders up at night requires solutions that address container and orchestrator misconfigurations and also deliver runtime security functions with adaptive detection to reduce false alerts.

DevOps teams want solutions with security controls that leverage cloud-native infrastructure. In other words, a solution that uses the network policy enforcement built into Kubernetes is preferable to one that creates a separate security layer. Portability across mixed environments (on-prem, hybrid, multi-cloud, managed) is important for similar reasons.

To better support container security, DevOps requires visibility and intelligence at the deployment level. If information is limited to the container-level perspective, staff don't have the big picture context to make decisions or garner insights. Risk mitigation information, including context about what needs to be addressed and why, should be provided directly to all appropriate DevOps teams.

The Ecosystem

Speaking of the bigger picture, as digital transformation accelerates across industries and containers come into wider use in critical production environments, security practices need to keep pace. Already, security teams are frequently caught unaware, surprised at how broadly containers are being used in their organization. While the mechanics need to be container-specific and tied to various build, deploy, and run stages, the core functionality should resemble best-in-class network and endpoint solutions: identify and manage assets; prioritize the riskiest elements; automatically harden the environment; and detect and block malicious actors.

Container security should reach way beyond what a bolt-on solution can touch. Kubernetes, the orchestrator chosen most for container deployments, is the core engine of effective container security. DevOps should help bridge the gap between adoption and security by focusing on Kubernetes protection and hardening. Teams that settle on Kubernetes, and then build tools and systems that rely on it, will solve a lot of the security risks going forward. As Kubernetes is increasingly crowned the OS of the cloud, many security challenges will be simplified.

Through the migration to the cloud, central IT has turned its focus to enabling applications instead of running infrastructure. Security is likewise shifting to enabling rather than operating security tools. As organizations become more focused on application development, DevOps will move toward center stage as the roles and responsibilities of the group expand. In containerized environments, the security team will define policies and put guardrails in place, but DevOps will operate the security tools tied to microservices and containerized applications.
The CISO will grow into a more strategic role, shaping policy and working to embed security functions and "shift left" even more.

Security Agility

The granularity of container technology presents new opportunities to optimize security resilience and agility. In cloud-native environments, the control layer and data plane are mixed together; DevOps can programmatically secure the application by writing in a layer of logic to maintain continuous and instantaneous enforcement. With monolithic applications, security gaps were often found only in production, when all dependencies were in full effect; with container security, they can be found much earlier. Moreover, security gaps can be addressed without breaking or refactoring the whole application.

Risk resilience, security agility, and granular control will be essential to achieving container excellence. Bringing in DevOps to take advantage of the security strengths of Kubernetes and cloud-native environments will help organizations keep pace with their own innovation and close security gaps and create a strong foundation for future opportunities, challenges, and growth.

Ali Golshan is CTO and Co-Founder of StackRox
Share this

Industry News

March 03, 2021

Red Hat announced the latest release of Red Hat Process Automation, which delivers new developer tooling, extended support for eventing and streaming for event-driven architectures (EDA) through integration with Apache Kafka, and new monitoring capabilities through heatmap dashboards.

March 03, 2021

Leaders of the software development industry announced the formation of the Value Stream Management Consortium (VSMC).

March 03, 2021

Delphix and GenRocket announced a technology alliance designed to fulfill the needs of enterprise customers who desire a comprehensive test data solution that improves software quality.

March 02, 2021

JFrog announced that its DevOps Platform tools – JFrog Artifactory and JFrog Xray – are available with native deployment templates for customers using AWS GovCloud (US) and Azure Government clouds.

March 02, 2021

Spectro Cloud announced support for existing Kubernetes environments, including clusters on public cloud services such as Amazon EKS, Azure AKS and Google GKE, has been added to the Spectro Cloud Kubernetes management platform.

March 02, 2021

Idera announced the acquisition of PreEmptive Solutions, LLC, a provider of application protection and security.

March 01, 2021

CloudBolt Software announced the launch of OneFuse Community Edition, a free version of its codeless integration platform for automating, integrating, and extending private and hybrid cloud infrastructures.

March 01, 2021

DBmaestro launched support for Snowflake, the Data Cloud company.

March 01, 2021

Platform9 closed Series-D funding with an additional $12.5 million for a total of $37.5 million.

February 25, 2021

Red Hat announced Red Hat OpenShift 4.7, the latest version of the company’s enterprise Kubernetes platform.

February 25, 2021

Granulate announced the release of its open-source platform, the G-Profiler, a production profiling solution that measures the performance of code in production applications to facilitate compute optimization.

February 25, 2021

Checkmarx announced the launch of KICS (Keeping Infrastructure as Code Secure), an open source static analysis solution that enables developers to write more secure infrastructure as code (IaC).

February 24, 2021

Applause launched its Product Excellence Platform (PEP).

February 24, 2021

Mabl announced the beta release of their new native desktop application that empowers users to easily automate testing for browsers, mobile browsers, and APIs.

February 24, 2021

D2iQ announced the general availability of D2iQ Kaptain, the cloud native end-to-end platform for running ML workloads on Kubernetes.