It’s no secret that containers and Kubernetes offer unparalleled speed and agility. As organizations look to the technology for the ability to scale and deliver modern applications, Gartner predicts containers will be the default choice for 75% of new customer enterprise applications by 2024. But challenges remain – including open source risks, a quickly expanding attack surface and a widening gap between security teams and DevOps teams.
Organizations that have adopted a cloud-native approach are finding themselves at an inflection point. The implementation of containers has impacted the visibility that’s required to protect today’s anywhere workforce, with security lagging behind the pace of innovation.
Amid rapid cloud adoption, CISOs, SOC and DevOps teams need to achieve cloud-native security for the complete life cycle of containers and Kubernetes environments. Here’s how.
You can’t understand your environment if you don’t have visibility into how your infrastructure and workloads are configured. This applies to teams across the board. End-user services teams require visibility and analytics to manage posture and access. Infosec teams responsible for identifying risk, preventing attacks and detection and response need to have a line of sight into their environment. And cloud operations teams have to be able to securely configure cloud infrastructure. Improving visibility into Kubernetes workloads, developer activity and rules configurations should be at the top of the agenda for container security.
Scan Container Images
Container image scanning is usually the first security control that’s put in place by organizations moving to containerized applications; often, it’s the only security control that is deployed. DevOps teams leverage image scanning to gain visibility into what they are deploying, where the images are pulled from and what vulnerabilities exist. Security teams can then periodically review the image running in production and prioritize vulnerabilities by severity. Image scanning should be part of the continuous integration (CI) process, with policies applied at the continuous integration/continuous delivery (CI/CD) stages and in production.
Embrace Automation and Maintain Compliance
The distributed nature of Kubernetes environments and the rapid pace of change make it impossible to manually apply traditional security processes. The only way to secure your environment and ensure there is no deviation from compliance is to automate these processes and leverage tools that continuously monitor changes in the configuration state of an application. Typically, the application security team will define the security policies they want in place for their organization, and the DevOps team will create the policies and ensure compliance. But this leaves the potential for misalignment. Automation allows security and DevOps teams to better understand their security posture and enforce policies consistently across these environments.
Adopt a DevSecOps Mindset
We have to tackle the cultural change that’s needed to ensure security and DevOps teams can collaborate in this incredibly complex environment. For example, because a characteristic of cloud-native apps is to reuse open source container images, it’s the responsibility of both DevOps and security teams to ensure that artifacts and dependencies in their applications do not contain known vulnerabilities.
While developers are clearly assuming more responsibility for application security as part of the rise of DevSecOps, security teams still need to play an active role. Integrating security throughout the DevOps cycle will help to address the widening security gap and encourage collaboration between the two teams so that organizations no longer need to compromise security for speed. By prioritizing security from the start, DevOps teams will learn the type of risks that come with rushing deployment. And through working closely with DevOps, security teams can learn the type of manual testing that goes into development cycles to flag potential vulnerabilities earlier.
Security must be a shared responsibility for cloud-native organizations. By embracing DevSecOps, we can reduce the time to build containers, ensure images are secure, and simplify management across clusters and clouds. When security becomes an integrated part of the container life cycle, it results in a faster path to production. I encourage organizations to embrace the cultural changes needed to adopt a DevSecOps mindset. We work better together, and the security of modern applications and the cloud depends on it.