SUSE Integrates Container Security Platform With Rancher

At the KubeCon + CloudNativeCon Europe 2022 conference, SUSE announced it has made the NeuVector container security platform available as an open source product. That platform has also been submitted to the Cloud Native Computing Foundation (CNCF) in the form of a project dubbed Open Zero Trust (OZT) which is awaiting approval.

In addition, SUSE integrated NeuVector 5.0 with version 2.6.5 of the Rancher container management framework for Kubernetes that SUSE gained with the acquisition of Rancher Labs in 2020.

Other capabilities added to the latest release of Rancher include a Prometheus tool that makes it easier to isolate metrics between projects in Rancher and support for the latest curated version of SUSE’s distribution of Kubernetes.

Glen Kosaka, head of product security for SUSE, says that integration makes it possible to declaratively centralize the management of container security alongside the other Kubernetes management tasks.

It’s not clear whether security and IT operations will be centralized in Kubernetes environments, but Kosaka notes that as IT organizations shift toward deploying microservices-based applications, a unique opportunity to improve application security presents itself. Securing legacy monolithic applications is more challenging because it is not easy to identify all the services and processes within them, he says. A microservices-based application might be more complex to build and manage, but it is easier to secure the individual service components that make up that application, adds Kosaka.

The NeuVector container security platform is, essentially, a multi-vector container firewall that protects container networks from Layer 3 through Layer 7. It detects and displays real-time connection information for all container traffic and automatically segments traffic based on application-layer behavior, regardless of network settings. The captured packets can also be analyzed to help debug applications and to discover the root cause of a breach. Previously, SUSE made NeuVector code available via an open source license, but now the entire integrated platform is available under a similar open source model that, Kosaka notes, should reduce the time and cost of securing a wider range of container applications.
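The behavior-based segmentation the article describes (learn what a workload normally talks to, then treat anything else as suspect, including a wrong application protocol on an otherwise-allowed port) can be shown in miniature. The following is an added illustration written for this page, not NeuVector code or configuration; the service names, ports, protocols and the "discovery then protect" phases are constructed for the example.

```python
"""Toy behaviour-based container-traffic segmentation.

Learns an allowlist of (source, destination, port, app-protocol) tuples
from a discovery window, then classifies later connections against it.
Constructed illustration for this article; not NeuVector's own logic.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str    # source workload (service name), constructed
    dst: str    # destination workload or address, constructed
    port: int   # destination port (Layer 4)
    proto: str  # application protocol identified on the wire (Layer 7)


# Constructed sample: connections observed while the app runs normally.
DISCOVERY_WINDOW = [
    Conn("frontend", "api", 8080, "HTTP"),
    Conn("frontend", "api", 8080, "HTTP"),
    Conn("api", "redis", 6379, "Redis"),
    Conn("api", "postgres", 5432, "PostgreSQL"),
]

# Constructed sample: connections seen after switching to protect mode.
LIVE_TRAFFIC = [
    Conn("frontend", "api", 8080, "HTTP"),              # learned: allow
    Conn("api", "redis", 6379, "Redis"),                # learned: allow
    Conn("frontend", "postgres", 5432, "PostgreSQL"),   # new path: frontend straight to the DB
    Conn("api", "redis", 6379, "HTTP"),                 # right host and port, wrong protocol
    Conn("api", "203.0.113.7", 443, "TLS"),             # egress to an unknown external host
]


def learn_rules(window):
    """Build the allowlist: every distinct tuple seen during discovery."""
    return frozenset(window)


def classify(conn, rules):
    """Return 'allow' for a learned connection, else a short alert reason."""
    if conn in rules:
        return "allow"
    # Same source, destination and port but a different Layer 7 protocol:
    # the case a pure Layer 3/4 policy cannot distinguish.
    if any(r.src == conn.src and r.dst == conn.dst and r.port == conn.port for r in rules):
        return "alert:protocol-mismatch"
    if any(r.src == conn.src for r in rules):
        return "alert:new-destination"
    return "alert:unknown-source"


def enforce(traffic, rules):
    """Classify each connection; returns a list of (conn, verdict) pairs."""
    return [(c, classify(c, rules)) for c in traffic]


def summarize(results):
    """Count verdicts so an operator can see allow vs. alert volume at a glance."""
    return Counter(verdict for _, verdict in results)


if __name__ == "__main__":
    learned = learn_rules(DISCOVERY_WINDOW)
    for conn, verdict in enforce(LIVE_TRAFFIC, learned):
        print(f"{conn.src:>8} -> {conn.dst:<12} :{conn.port} {conn.proto:<11} {verdict}")
    print(dict(summarize(enforce(LIVE_TRAFFIC, learned))))
```

The point of the toy is the third alert class: a Layer 3/4 rule keyed on address and port would pass the HTTP-on-6379 connection, while a rule that also carries the observed application protocol flags it. In practice the learned allowlist needs review before enforcement, since anything present during discovery, legitimate or not, becomes "normal".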

The primary challenge organizations face today is that most developers don’t have a lot of time available to master all the nuances of application security. The more automated application security becomes within the context of the platform on which applications are already being deployed, the easier it becomes to achieve and maintain container security. In the absence of a container security platform, it’s too easy for malware within a container to spread laterally as the container is reused or, worse yet, take over an entire host.

One way or another, responsibility for container security is shifting left toward developers and the DevOps teams that support them. In the wake of a series of high-profile breaches, there is now more focus on software supply chain security than ever. The problem is not only a chronic shortage of security expertise; few cybersecurity professionals understand how container platforms work. It’s not feasible for most cybersecurity teams to closely monitor how every application is being developed. Usually, a series of scans is applied to discover vulnerabilities in the days before an application is deployed. Of course, given the rate at which containers are ripped and replaced within a modern application, that approach is quickly proving impractical.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
