StackRox, a provider of container security services, today announced an investment and technology development agreement with In-Q-Tel (IQT), an independent, not-for-profit strategic investor that identifies and accelerates development of technologies employed by U.S. government agencies.
StackRox CEO Ali Golshan says that as government agencies increasingly embrace public clouds such as Amazon Web Services (AWS), many of them also have embraced containers to migrate existing legacy applications to the cloud as well as develop cloud-native applications. Reliance on containers tends to vary widely across the federal government, but Golshan says it’s now clear that agencies such as the Department of Homeland Security are taking an interest in container security issues.
Golshan notes StackRox is already working on a half-dozen proof-of-concept projects involving several government agencies. As those projects progress, IQT wants to be able to leverage the collective experience of those agencies to harden systems running containers and help government agencies embrace best practices for DevSecOps. IQT has strong ties to the U.S. intelligence community.
As part of that effort, StackRox and IQT will work together to help U.S. government agencies prioritize container runtime security issues based on factors such as orchestrator settings, network segmentation policies, secrets, and container configuration. Most recently, StackRox added a risk scoring capability to its container security platform. The company did not reveal the exact amount of the investment being made by IQT or what aspects of container security it would be focusing on in the collaboration.
Golshan says the paradox of container security is that while containers are smaller targets than a traditional virtual machine, the rapid proliferation of containers across the IT environment creates a scenario where adoption of a new technology is rapidly increasing the overall size of the attack surface that needs to be defended. The goal is to provide a level of security that automatically detects any anomalies within those containers, which, because of the ephemeral nature of containers, can be quickly replaced, he says, noting the result should be an application portfolio that is considerably more secure than applications that rely on patch management processes that are deeply flawed inside most organizations.
Containers generally have the same security issues as any previous generation of technologies employed to build applications. Issues that need to be addressed run the gamut from vulnerability assessments of container images to misconfiguration of container runtimes deployed on a physical host. Once those issues are addressed, the equivalent of a firewall needs to be set up to determine what microservices based on containers have permission to communicate with one another.
There’s a significant difference between what containers can do and what they should be allowed to do within the context of a well-defined set of cybersecurity policies, notes Golshan. StackRox is making a case for addressing all those issues via a single platform that presents developers and cybersecurity teams with a common pane of glass for managing DevSecOps.
Adoption of DevSecOps best practices, inside and outside government agency circles, is naturally still nascent. But as the number of containers deployed within IT environments continues to expand, it’s only a matter of time before containers force a larger DevSecOps conversation.