Trend Micro is now making it possible to employ Kubernetes to orchestrate security scans of container images conducted by Trend Micro Deep Security, its suite of of tools that rely on deep packet inspection to protect applications using a combination of firewalls, intrusion protection systems and monitoring of logs and files.
Mark Nunnikhoven, vice president of cloud research for Trend Micro, says these capabilities make it possible to embed container image scanning within a DevOps pipeline at scale while simultaneously inspecting both east-west and north-south traffic between containers Kubernetes.
Designed to be deployed using a Helm Chart, this approach also simplifies container image scanning simplifies across hybrid computing environments, including cloud services such as Google Kubernetes Engine (GKE), Azure Kubernetes Service (AKS) and Amazon Elastic Container Service for Kubernetes (Amazon EKS), he says.
Rather than having to deploy a separate set of tools to specifically address container security, Trend Micro is making a case for extending the same cybersecurity framework that organizations employ today to protect virtual machines to containers. That approach reduces the total cost of cybersecurity at a time when most organizations will be running a mix of containers and virtual machines side by side for the foreseeable future, Nunnikhoven notes.
Tighter integration between Trend Micro Deep Security and Kubernetes is arriving at a time when many organizations are trying to embrace best DevSecOps processes to create more secure applications. As part of that transition, more focus is being put on scanning application images before they are deployed in a production environment. Currently, much of the responsibility for scanning those images rests with the application developer.
However, once an application is deployed in a production environment, it becomes the responsibility of the cybersecurity team to make sure those images are updated regularly as new vulnerabilities are discovered. Once a new vulnerability is discovered, the cybersecurity team kicks off a request for an update to that image that is usually delivered via the next update cycle managed via a continuous integration/continuous (CI/CD) deployment. That approach provides organizations with a much higher level of cybersecurity resiliency because it’s much easier to rip and replace a set of containers than it is to patch an entire monolithic application. That approach also eliminates the need for cybersecurity professionals to be involved in every application development sprint, which would only serve to slow down the rate at which applications are developed.
It remains to be seen which vendors will come to dominate the container security landscape. But the one thing that is for certain is application cybersecurity is being transformed. In fact, it will be interesting to see in the months and years ahead the degree to which application cybersecurity concerns serve to accelerate the adoption of microservices architectures based on containers and Kubernetes.
Naturally, it may take years to replace the monolithic applications that permeate the enterprise today. But it’s already apparent that the only way to fundamentally make IT secure is to \find a way to build applications that are much more resilient in the first place.