1/9/2019
10:30 AM
Kamal Shah
Commentary

Security at the Speed of DevOps: Maturity, Orchestration, and Detection

Container and microservices technologies, including the orchestrator Kubernetes, create an extraordinary opportunity to build infrastructure and applications that are secure by design.

Containerized environments, central to digital transformation, have become mainstream with notable speed. Cloud-native architecture and microservices-based applications are critical to enabling companies to move fast. To move quickly with safety, companies must accelerate the maturity of their container security strategies and implementations.

As production deployments pick up speed, security gaps become evident, presenting immediate risk to businesses. We already know that traditional security tooling and products don't work to secure containers and microservices. As a result, most companies with container deployments are concerned about insufficient security strategies and investments and are looking to new companies for purpose-built solutions.

Along with deploying new container security platforms, companies realize they must also leverage the security capabilities and architectures inherent to cloud-native, containerized ecosystems. Container and microservices technologies, like Kubernetes, create an extraordinary opportunity to build infrastructure and applications that are secure by design. The best security platform for these technologies will tap into the power of the full ecosystem rather than add on a range of security functions separate from the infrastructure.

New Challenges and Strategic Shifts
Containerized environments are inherently more secure when built and used properly. But it takes experience with these systems to configure and run them securely. Often, the security team is not experienced with containers or Kubernetes. Many companies are rethinking their security roles and responsibilities in light of container adoption.

Strengthening Kubernetes security is one of the most fundamental things an organization can do to protect containerized applications. Kubernetes has become the orchestrator of choice for most container deployments. Part of what makes it a powerful solution is the degree to which you can exert control with it, but with many "knobs" to tune comes the potential for mistakes. If you don't set it up right, with the dashboard protected and role-based access control implemented, you can introduce business risk through unnecessary exposure. Also, Kubernetes is becoming a target because it's widely adopted.
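The RBAC "knob" mistake described above, shown as an added example (not from the original article or from StackRox): an over-broad ClusterRoleBinding beside a least-privilege replacement. The namespace `shop`, the ServiceAccount `log-reader` and the role names are constructed for illustration; `cluster-admin` and `system:serviceaccounts` are built-in Kubernetes names.

```yaml
# Over-broad binding: every service account in the cluster, including the
# one a compromised Pod runs as, becomes cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: everyone-is-admin            # constructed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts       # built-in group of all service accounts
---
# Least-privilege replacement: a dedicated ServiceAccount that may only
# read Pods and their logs inside one namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: log-reader                   # constructed name
  namespace: shop                    # constructed namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-log-reader
  namespace: shop
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]    # no create, delete, patch or exec
---
# A namespaced RoleBinding cannot grant anything outside "shop".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-reader-binding
  namespace: shop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-log-reader
subjects:
- kind: ServiceAccount
  name: log-reader
  namespace: shop
```

To check the result, `kubectl auth can-i delete pods -n shop --as=system:serviceaccount:shop:log-reader` should answer `no`, while the same query with `get pods` answers `yes`.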

We recommend time spent on protection and hardening — Kubernetes includes a lot of moving parts, and given its role in application development, the question arises as to which team should secure it.

DevOps Gets Closer to Security
With the rise of cloud services and cloud-native architectures, the CIO's team has shifted from providing and running infrastructure to enabling applications. And now, with containerization, the security team is making a similar shift, enabling rather than operating security functions. That's because as security necessarily moves closer to the application, it enters DevOps' domain. Because of their expertise and central role in building, testing and deploying applications, DevOps team members must take responsibility for protecting those applications and their infrastructure. Security teams likely will still define policies and put guardrails in place, but DevOps increasingly will operate the security tools closest to containerized applications.

DevOps also has the know-how to build security into the infrastructure earlier in the software development life cycle. Resilience and agility can be improved through the granularity of container technology. In cloud-native environments, the control layer and data plane are interwoven; you can write in a layer of logic to create continuous, instantaneous enforcement.

Containers and microservices give you the ability to make changes — including security fixes — on a nearly continuous basis. To fix an issue, simply replace a bad image with a good one, kill the affected containers, and when those containers rebuild, they'll automatically use updated images. This way, you can address security gaps without breaking the entire application.
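The "replace a bad image with a good one" workflow above, as an added example (not from the original article): a Deployment configured so that swapping in a patched image rolls out without the application losing capacity. The names `web` and `shop`, the registry, the `/healthz` path and the digest placeholder are all constructed.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web                          # constructed name
  namespace: shop                    # constructed namespace
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0              # never drop below the 3 ready Pods
      maxSurge: 1                    # replace one Pod at a time
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        # Pin by digest so the rebuilt Pods run exactly the image that
        # was scanned (placeholder registry and digest, not a real artifact).
        image: registry.example.com/shop/web@sha256:<digest-of-patched-image>
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
        # Old Pods are only terminated once a replacement reports ready,
        # which is what keeps the fix from breaking the whole application.
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
        securityContext:
          runAsNonRoot: true
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
```

Swapping the image is then `kubectl set image deployment/web web=<new-image-reference> -n shop` followed by `kubectl rollout status deployment/web -n shop`; if the new Pods never become ready the rollout stalls instead of taking the service down, and `kubectl rollout undo deployment/web -n shop` returns to the previous image.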

By weaving security solutions into the infrastructure and closer to the application, DevOps can give hackers quite a headache. If they succeed at infiltrating, bad actors typically are limited to seeing what's in just a single container — broadening the attack means they have to replicate their intrusive maneuvers multiple times.

Given the inherent security constructs of containers, security and DevOps teams can work together to protect the infrastructure. Security team members don't have to fully understand all the development tools — they can focus on sharing the security principles and policies to apply to the new dev tools. DevOps and security can better learn how to work together in new ways and speak each other's language if they implement a container security platform that integrates native DevOps tooling, such as using Kubernetes for network policy enforcement.

Work Smarter
Intelligent, actionable, built-in visibility and control should be an integral part of any responsible security model. That's already a tall order. With container technology, we add a portability requirement. For businesses trying to operationalize and secure containers across hybrid and multicloud deployments, the security model has to be at once holistic, highly portable, and deeply integrated. Hygiene, vulnerability management, and prevention are hallmarks of today's security efforts.

As more vital infrastructure is built using containerized and cloud-native models, we need to shift our focus to detection. 

Vulnerability scanning and hardening are still important, but to do anything about runtime attacks, you need detection capabilities. And you can't remediate manually — systems designed to scale up and out rapidly and iterate frequently, as containers do, require automation and machine learning. Kubernetes and containers provide the capability to automate the execution of a specific response to everything that is detected. The most effective security solutions will be those that make actionable detection possible — and eliminate counterproductive streams of alerts.

There's much more to come. We're at an exciting intersection of possibilities thanks to the convergence of containers, orchestrators, microservices, and DevOps capabilities. If we harness the momentum, we can advance standards, cultivate the portability and integration of security, encourage collaboration, and make the strategic investment to build holistic, sustainable systems that protect our digitally transformed world.

Kamal Shah brings more than 20 years of experience identifying new markets, creating category-defining products that delight customers, and building large businesses to his role as CEO of StackRox. Previously, Kamal was SVP of products and marketing at Skyhigh Networks, a ...