UPDATED 16:00 EST / SEPTEMBER 17 2019

INFRA

Why securing Kubernetes and containers can’t come ‘after the app’

Where would hybrid information technology be today without containers? The virtualized method for running distributed applications zips workloads from on-premises to cloud and back. Kubernetes — the open-source platform for orchestrating containers — helped solve the challenge of running them at scale.

Now, with more and more enterprises deploying containerized apps in Kubernetes, security is up for review. Are these technologies — so key to many companies’ IT — wandering about scantily defended from cyber threats?

It’s easy to see why most companies choose hybrid cloud over 100% public-cloud or on-prem environments. Estimates of hybrid-adoption vary; 69% of organizations use at least one public cloud and at least one private cloud, according to the “RightScale 2019 State of the Cloud Report.”

Some legacy applications might be safest on-prem, perhaps for compliance reasons; new, cloud-native apps may perform best in public cloud. Hybrid companies want to be able to change their minds; they want to be able to run apps in any environment and move them around easily.

“The underlying infrastructure that makes that a reality are containers and Kubernetes,” said Kamal Shah (pictured), president and chief executive officer of StackRox Inc., which was founded in 2014 to help enterprises secure their containerized, cloud-native applications at scale.

Albeit, there are still some kinks to work out in hybrid and multicloud. Likewise, Kubernetes is not ancient. There has been a strong collective effort to mature and simplify Kubernetes for enterprise use over the last couple of years. The Cloud Native Computing Foundation — the project’s home — and the wider open-source community, as well as various vendors, have made significant progress. Yet, there are still some green spots here and there. Security and data protection for Kubernetes is an area with a bit of uncertainty, an emerging set of new practices, and some promising startups.

Shah spoke with Jeff Frick, host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the Sumo Logic Illuminate conference in Burlingame, California. They discussed the unique security needs of Kubernetes and containers (see the full interview with transcript here). (* Disclosure below.)

The week, theCUBE spotlights StackRox in its Startup of the Week feature.

Cloud-native security shows up bright and early

Security objectives for cloud-native technologies like Kubernetes are the same as those in traditional IT: Fortify the environment and enable speedy response and recovery in the event of a break-in. But the how of cloud-native security is quite different, according to Shah. The techniques and technologies involved must be agile enough for the brief life cycle of containers.

Containers are immutable and ephemeral infrastructure. “In a traditional monolithic application, you go spend six months building it, and then you can go spend a couple weeks or a month hardening and putting security around it. But when you’re launching applications every six hours, you can’t spend six days addressing security; it has to be built in,” Shah explained. 

One of the most endorsed startups in cloud-native security — Twistlock Ltd. — shares Shah’s philosophy. To keep pace with cloud-native operations, security should be present at dress rehearsal, according to John Morello, chief technology officer of Twistlock.

“Cloud native has this notion of immutability and being able to take the same artifact from development to staging to production. That enables us to do things in a security fashion that you really haven’t been able to do in the past. As the developer builds the application, every build they do, Twistlock can scan that and see the vulnerabilities,” Morello told theCUBE last December.

Kubernetes’ knob problem

It is not just the container that needs securing; the orchestrator is just as important. Companies everywhere are deploying thousands or even tens of thousands of containers into production with Kubernetes. Many of them are now waking up to the lack of proper security measures in place, Shah stated. And the CNCF itself recently rallied its community to perform a Kubernetes security audit. The audit discovered 34 vulnerabilities on the platform.

There is a need for improved management of vulnerabilities and configuration, Shah added. In fact, misconfiguration is the number-one concern of Kubernetes users, according to a recent study StackRox conducted. It’s not hard to see why given the relative complexity of the platform.

“The reality is that Kubernetes has a lot of knobs, and each knob has multiple options. So if you’re not careful, you can really misconfigure your environment and make it so much easier for attackers,” Shah said. 

Security breaches due to Kubernetes misconfigurations are beginning to make the news. Shah believes there are more to come as companies deploy larger numbers of applications on Kubernetes. It is creating a whole new attack surface for hungry cybercriminals to feed upon.

“If you’re not proactive about it, I think it’s going to really hurt as you deploy containers in Kubernetes,” he stated.

New DevOps culture

And no organization has enough human security personnel to handle containers at scale without major technological assists, Shah pointed out. This means that hard-working automation is a must for Kubernetes and container security tools. They need to integrate seamlessly into tightly-run developer operations.

“If you don’t, then the DevOps body is going to reject the security organ,” Shah said.

In fact, cloud-native security is catalyzing a kind of cultural revolution in security departments, according to Shah. The ownership of security is shifting from information-security teams to DevOps teams themselves. Security teams still drive policy, but DevOps teams are the folks actually implementing security.

“And CISOs have to realize that it’s no longer just them, but they have to partner with their DevOps counterparts to effectively address security for this cloud-native stack,” Shah stated. 

The multicloud model is also pushing autonomy further into the information technology trenches. Companies today want to give their dev teams the freedom to pick the right cloud for a given job, according to Shah. What they don’t want is a bunch of distinct security solutions to hassle with in each different cloud. Luckily, Kubernetes can traverse multiple clouds and implement one security solution across them all.

StackRox bills itself as the only Kubernetes-native security platform. It protects cloud-native applications through build, deploy and runtime. It features vulnerability management; compliance checks for HIPPA, PCI and the like, visibility into the entire landscape of containers, and configuration management.

StackRox has partnered with Sumo Logic Inc., a startup specializing in cloud-native logs, metrics and tracing for modern applications. They just announced the StackRox App for the Sumo Logic Continuous Intelligence Platform. The app feeds StackRox’s security intelligence into the Sumo dashboard so customers get a single pane of glass for observability data and threat detection. It’s one security solution for all clouds, plus Sumo Logic observability on a single dashboard.

That’s the future. You don’t want to be beholden to one cloud provider. You want flexibility; you want choice. Kubernetes allows you to do that,” Shah said. 

Kubernetes security will be the No. 1 topic at the next RSA Conference, Shah predicted.  

Here’s the complete video interview below, part of SiliconANGLE’s and theCUBE’s coverage of Sumo Logic Illuminate. (* Disclosure: TheCUBE is a paid media partner for Sumo Logic Illuminate. Neither Sumo Logic Inc., the sponsor for theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU