Security Orchestration for Container Orchestration

The software development market is booming. Every company has “an app for that,” with (on average) 434 custom applications in production. As such, developers are in high demand, with projected growth in employment at 21%, according to the Bureau of Labor Statistics. And the number one tool for development and DevOps teams today is (no surprise!) containers. The stats for container usage and adoption are astounding, especially given the newness of the technology. And no container conversation would be complete without Kubernetes.

Kubernetes (“the Kubes” or “k8s,” if you’re in the know) has seen a blistering pace of adoption because it provides the orchestration needed to run containers at scale. Developing microservices has tremendous advantages from a productivity standpoint, but splitting applications into containers leaves organizations with far more pieces to manage during build, deployment, and runtime. Kubernetes supplies the automation and management DevOps teams need to use containers efficiently.

While containers and container orchestration have revolutionized software development, they also add a layer of complexity to securing the software development lifecycle (SDLC). Traditional security tools were built for on-premises environments where architectures were static and offered fixed chokepoints, such as the network perimeter, at which to apply controls. Elasticity, extensibility, and abstraction are the name of the game in the world of containers, where workloads are ephemeral and addresses change constantly. Some security vendors have tried to retrofit traditional security tooling into cloud and container environments, only to come up against challenges in translating “network speak” into “cloud- or container-speak.” Not only does this approach leave gaps in security, but it also introduces friction between development and security teams—and in this age of digital innovation, developers rule the roost, often leaving security out of the loop until it’s too late.

Building from the cloud...down

A new breed of security players has emerged in recent years, building security tools designed from the ground up for cloud- and container-native environments. Ali Golshan, the CTO and Co-founder of StackRox, is one of the people behind that shift, said Michelle McLean, the company’s VP of Marketing, during a recent call with Ed and me. Golshan’s vision in founding the company was to develop security tooling that worked effectively in container environments. As background, Golshan started his cyber security career helping multiple governments with defensive and offensive nation-state security, which is where he developed his passion for threat hunting and runtime detection.

In 2015, Golshan created StackRox to address the challenges specific to securing containerized environments. He worked with Wei Lien Dang, now StackRox’s VP of Product, to evolve the platform into the StackRox Kubernetes Security Platform, providing a “security orchestrator for the container orchestrator” Kubernetes, so to speak.

McLean admitted during our call that StackRox's decision to focus just on Kubernetes was a difficult one initially, given the number of orchestrators available in the market. But the focus has paid off, as evidenced by the number of development teams using k8s today and by the functionality that k8s itself offers. “Our product leverages Kube's declarative data to provide insights such as stack ranking Kube deployments by risk,” she said. “The orchestration layer has to be the point of enforcement, a sort of traffic cop sitting on top of the containers. StackRox taps into all of Kubernetes’ native capabilities, then uses them to gain a comprehensive view of everything happening across environments. This context, combined with tapping the native enforcement capabilities in Kube, allows us to operationalize security, ensuring it scales across deployments, enables portability, and provides a single source of truth to DevOps and security teams.”

Full visibility and a centralized point of policy enforcement sound like security utopia, but StackRox achieves both through its tight integration with k8s and other CI/CD and DevOps tools. StackRox is deployed as a set of containers sitting at various layers of the cloud-native stack, including within each Kubernetes cluster. Thus, it can “act like a mission controller,” said McLean, and see everything that’s happening from build to deploy through runtime.

Richer context; faster remediation

Though developers today are security-conscious, it’s still challenging to protect the infrastructure across the SDLC. For one thing, many developers use open source code in their applications, and they don’t control when fixes for vulnerabilities in that code are published. They need the ability to differentiate between vulnerabilities they can fix (an upgraded package exists) and those they can’t (no fix is available yet), plus the controls to fail a build when a fixable vulnerability is detected rather than blocking on findings nobody can act on. Static code analysis tools solve only part of the problem, since they look at the team’s own source rather than the packages baked into the image; a tool like StackRox that scans images and enforces policy at build and deploy time prevents vulnerable images from being built or vulnerable services from being deployed.
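To make the fixable-versus-unfixable distinction concrete, here is a small CI gate written for this article as an added example. It is not StackRox code and does not use any scanner’s real output format; the report schema, the image name, the package names and the `TEST-000x` finding identifiers are all constructed sample data. The gate fails the build only on findings that have a published fix at or above the chosen severity, and reports (but does not block on) unfixable ones so they can be tracked.

```python
"""CI gate: fail the build only on *fixable* vulnerabilities.

Added example, not StackRox code. The report below is a constructed,
simplified scan result (not any real scanner's schema): each finding has
an id, a package, the installed version, a severity, and fixed_version,
which is None when the upstream project has not published a fix.
"""
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report: one fixable high, one unfixable critical,
# one fixable low. Image name and finding ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.com/payments-api:1.4.2",
    "findings": [
        {"id": "TEST-0001", "package": "openssl", "installed": "1.1.1k",
         "severity": "high", "fixed_version": "1.1.1n"},
        {"id": "TEST-0002", "package": "glibc", "installed": "2.31",
         "severity": "critical", "fixed_version": None},
        {"id": "TEST-0003", "package": "curl", "installed": "7.68.0",
         "severity": "low", "fixed_version": "7.68.1"},
    ],
})


def triage(findings):
    """Split findings into those the team can fix today (an upgrade
    exists) and those it cannot (no fixed version published)."""
    fixable = [f for f in findings if f.get("fixed_version")]
    unfixable = [f for f in findings if not f.get("fixed_version")]
    return fixable, unfixable


def evaluate_build(report_json, min_severity="high"):
    """Return (fail, blocking, waived).

    fail     -- True if any fixable finding is at or above min_severity.
    blocking -- the fixable findings that caused the failure.
    waived   -- unfixable findings at or above min_severity; reported so
                they can be tracked, but they never fail the build because
                the developer has no upgrade to apply yet.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    fixable, unfixable = triage(report["findings"])
    blocking = [
        f"{f['id']} {f['package']} {f['installed']} -> {f['fixed_version']} ({f['severity']})"
        for f in fixable if SEVERITY_RANK[f["severity"]] >= threshold
    ]
    waived = [
        f"{f['id']} {f['package']} {f['installed']} (no fix available, {f['severity']})"
        for f in unfixable if SEVERITY_RANK[f["severity"]] >= threshold
    ]
    return bool(blocking), blocking, waived


if __name__ == "__main__":
    # Exit non-zero so the CI job fails; CI systems key off the exit status.
    fail, blocking, waived = evaluate_build(SAMPLE_REPORT)
    for line in blocking:
        print("BLOCK ", line)
    for line in waived:
        print("WAIVED", line)
    raise SystemExit(1 if fail else 0)
```

Raising the threshold to `critical` lets this sample build through, because the only critical finding has no fix; lowering it to `low` blocks on two findings. That is the behaviour the paragraph asks for: the build is held hostage only by problems the developer can actually resolve.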

StackRox provides a broad set of security use cases across the container life cycle, including vulnerability management, configuration management, monitoring, risk profiling, compliance, and runtime detection and response. Configuration management—of not just containers but also Kubernetes—is crucial to protecting these environments, as seen in several high-profile cloud and container breaches. Therefore, the checks on configuration supplied by StackRox enable a first line of defense every organization should implement.

Continuous monitoring, risk profiling, and automatic incident response provide customers ongoing control over their environments. StackRox leverages the runtime information to inform protections for the next build and deploy cycle, helping customers continually harden their environments and lower risk. Plus, environmental context derived from Kubes and analyzed through StackRox makes it easier for organizations to identify and address the biggest risks, such as applications with containers running in privileged mode or those with customer PII exposed to the internet.
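The risk profiling described above rests on the declarative data Kubernetes already holds: a Deployment’s pod spec says whether a container is privileged or shares the host network, and a Service of type LoadBalancer or NodePort says whether those pods are reachable from outside the cluster. The following block, written for this article as an added example (not StackRox code), scores and ranks a set of Deployments from that data alone. The Deployment and Service objects are constructed samples shaped like `kubectl get -o json` output; the `data-classification: pii` label that marks workloads handling customer data, the check weights, and the workload names are all assumptions for the example.

```python
"""Rank Kubernetes Deployments by configuration risk using only the
declarative objects the API server already holds.

Added example, not StackRox code. Inputs are already-parsed Deployment
and Service objects (dicts shaped like `kubectl get ... -o json`).
Weights and the data-classification=pii label are assumed conventions.
"""

WEIGHTS = {
    "privileged container": 5,
    "host network": 3,
    "may run as root": 2,
    "privilege escalation allowed": 1,
    "reachable from the internet": 4,
    "handles PII and is reachable from the internet": 6,
}


def selector_matches(selector, labels):
    """A Service selects a pod when every selector key/value is present in the pod's labels."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())


def internet_exposed(pod_labels, services):
    """True if a LoadBalancer or NodePort Service selects these pods.
    Assumption: no Ingress objects are considered; those need their own check."""
    for svc in services:
        spec = svc.get("spec", {})
        if spec.get("type") in ("LoadBalancer", "NodePort") and \
                selector_matches(spec.get("selector", {}), pod_labels):
            return True
    return False


def score_deployment(dep, services):
    """Return (score, reasons). Each reason counts once per Deployment."""
    pod = dep["spec"]["template"]
    pod_spec = pod["spec"]
    pod_sc = pod_spec.get("securityContext", {})
    reasons = set()
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            reasons.add("privileged container")
        # runAsNonRoot can be set at pod or container level; either satisfies the check.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            reasons.add("may run as root")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            reasons.add("privilege escalation allowed")
    if pod_spec.get("hostNetwork"):
        reasons.add("host network")
    if internet_exposed(pod["metadata"].get("labels", {}), services):
        reasons.add("reachable from the internet")
        if dep["metadata"].get("labels", {}).get("data-classification") == "pii":
            reasons.add("handles PII and is reachable from the internet")
    reasons = sorted(reasons)
    return sum(WEIGHTS[r] for r in reasons), reasons


def rank_deployments(deployments, services):
    """Highest-risk Deployment first; returns [(name, score, reasons), ...]."""
    ranked = [(d["metadata"]["name"], *score_deployment(d, services)) for d in deployments]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def deployment(name, labels, containers, host_network=False, pod_sc=None):
    """Build a minimal constructed Deployment object for the sample data."""
    spec = {"containers": containers, "hostNetwork": host_network}
    if pod_sc:
        spec["securityContext"] = pod_sc
    return {"kind": "Deployment", "metadata": {"name": name, "labels": labels},
            "spec": {"template": {"metadata": {"labels": {"app": name}}, "spec": spec}}}


# Constructed sample cluster state (names and images are placeholders).
SAMPLE_DEPLOYMENTS = [
    deployment("payments-api", {"data-classification": "pii"},
               [{"name": "api", "image": "payments-api:1.4.2",
                 "securityContext": {"privileged": True}}]),
    deployment("frontend", {},
               [{"name": "web", "image": "frontend:2.0",
                 "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False}}]),
    deployment("batch-worker", {"data-classification": "pii"},
               [{"name": "worker", "image": "worker:0.9"}],
               host_network=True, pod_sc={"runAsNonRoot": True}),
]
SAMPLE_SERVICES = [
    {"kind": "Service", "metadata": {"name": "payments-api"},
     "spec": {"type": "LoadBalancer", "selector": {"app": "payments-api"}}},
    {"kind": "Service", "metadata": {"name": "frontend"},
     "spec": {"type": "LoadBalancer", "selector": {"app": "frontend"}}},
    {"kind": "Service", "metadata": {"name": "batch-worker"},
     "spec": {"type": "ClusterIP", "selector": {"app": "batch-worker"}}},
]

if __name__ == "__main__":
    for name, score, reasons in rank_deployments(SAMPLE_DEPLOYMENTS, SAMPLE_SERVICES):
        print(f"{score:3d}  {name:14s} {', '.join(reasons)}")
```

In the sample, the privileged, internet-facing `payments-api` that handles PII lands at the top with a score of 18, while the hardened `frontend` and the host-networked but internal `batch-worker` tie well below it. The point is not the particular weights but that every signal came from objects Kubernetes already stores, which is what makes the orchestration layer the natural place to compute and enforce this kind of ranking.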

Without security orchestration at the container orchestration level, everything from visibility to control becomes much harder. With the rapid pace of software development lifecycles, the best way to enforce protection across containers, pods, namespaces, clusters, and workloads is to have an overarching view starting at the highest level so that policies can be applied uniformly down through the stack. StackRox may not be for everyone, given its applicability to just Kubernetes environments, but there sure are a lot of companies out there that use Kubernetes and could benefit from what the platform has to offer.