StackRox Tackles Kubernetes Configuration, Vulnerability Issues
StackRox this week extended its Kubernetes security platform to add tools that scan for misconfigurations and vulnerabilities.
Misconfigurations have long been the scourge of IT security. However, given the complexity of Kubernetes environments, the potential to misconfigure a cluster is high. Version 3.0 of the StackRox Kubernetes Security Platform adds dashboards that identify which misconfigurations represent the highest security risk in terms of remediation priorities.
In addition, the StackRox Kubernetes Security Platform can identify network exposures, privileged containers, processes running as root and various compliance issues as well as monitor secrets and usage of privileged role-based access controls.
At the same time, StackRox is adding dashboards to discover Kubernetes vulnerabilities in both Kubernetes and container images.
Finally, StackRox with this release is adding support for the CRI-O container runtime project being overseen by the Cloud Native Computing Foundation (CNCF) to provide an alternative to Docker containers along with support for Kubernetes on Distributed Cloud Operating System (DC/OS) from D2iQ (formerly Mesosphere) and integration with Microsoft Teams collaboration software.
Wei Lien Dang, vice president of product for StackRox, says one of the things IT organizations frequently do is rely on the default settings for Kubernetes. At the very least, the default settings are likely to be out of compliance with any number of mandates. At the very worst, cybercriminals will exploit some known vulnerability that no one thought to remediate. Of course, there may never be such a thing as perfect security, but chances are deploying Kubernetes relying only on default setting is an open invitation for trouble.
The next biggest issue most organizations overlook is the amount of privileged access being given to the Kubernetes cluster, adds Dang. Most organizations wind up giving everyone within the organization complete access to every application running on the cluster, notes Dang.
In the meantime, debates over the best way to approach Kubernetes security continue to rage. Most cybersecurity teams will instinctively want to apply existing cybersecurity policies rather than being required to rewrite them for a new platform. However, in the age of DevSecOps there is a need for a more programmable approach to cybersecurity that is application programming interface (API)-driven that requires new cybersecurity tools. In fact, the adoption of Kubernetes will force the DevSecOps debate within most organizations.
StackRox is making a case to address that need via a single integrated suite of tools designed specifically for Kubernetes clusters. Otherwise, organizations will find themselves managing disparate security and compliance tools at a higher total cost.
When it comes to Kubernetes cybersecurity, there is no shortage of options. The most important thing is to not treat cybersecurity as an afterthought. Historically, every time an organization adopts a new platform, it’s not until there is a major incident or some type of compliance audit that attention starts to get paid to cybersecurity. By that time, however, the amount of work that needs to be done to secure a Kubernetes cluster running a production environment is substantially higher than it is to secure that cluster when it is provisioned.
