Anchore has launched Anchore Federal, a collection of out-of-the-box policy rules to validate compliance with the rigid security requirements defined in DevOps initiatives launched by the U.S. Department of Defense (DoD).
Paul Holt, senior vice president for federal at Anchore, says the goal is to give both government organizations and the external organizations that need to participate in the DoD initiative a common set of best practices for container security.
The DoD Enterprise DevSecOps Initiative encourages the U.S. military to not only embrace best DevOps practices but also make sure security issues are addressed in all phases of the software life cycle as responsibility for application security shifts left toward developers. As part of a DevSecOps reference design created by the DoD, the only two security vendors specifically mentioned are Anchore and Twistlock, which is now part of Palo Alto Networks.
Holt says as part of a defense-in-depth approach to cybersecurity, the DoD preferred to identify two providers of container security platforms to help ensure that any malware that might not be detected by one platform is discovered by the other.
Anchore Federal is based on Anchore Enterprise, a commercial edition of the open source Anchore container security platform. Like many organizations, the U.S. government has shifted toward an open source-first approach to software whenever feasible, notes Holt. With the launch of Anchore Federal, the company is committed to providing updates to the best container security practices it has defined, including additional future policies that reflect a rapidly changing security and regulatory landscape.
It’s hard to say with certainty how far down the path the DoD or any other government agency is in embracing DevOps. A recent survey published by Puppet, provider of an IT automation framework, ranks government agencies slightly ahead of telecommunications carriers in terms of DevOps adoption but significantly behind the financial services and retail sectors. Like most organizations, government agencies are struggling more with the cultural implications of transitioning to DevOps than with any aspect of the technologies involved.
Holt says Anchore expects that many organizations in highly regulated industries will employ many of the same principles identified by the DoD to define their own best practices. In addition, any organization that builds software for the DoD is also likely to need to comply. To facilitate those efforts, Anchore is also making available Anchore Federal Accelerator, a program that schools software providers on how to deliver their products to the DoD in a way that complies with the DoD Enterprise DevSecOps reference design.
Fresh off raising an additional $20 million in funding, Anchore is solely focused on securing containers running in Kubernetes environments in a way that is tightly integrated with the continuous integration/continuous deployment (CI/CD) platforms used to drive DevOps processes. It remains to be seen whether organizations will adopt an additional platform to secure Kubernetes alongside the platforms they currently employ to secure monolithic applications. Anchore is clearly betting that legacy cybersecurity platforms will not lend themselves to the requirements of IT environments that need to programmatically secure applications through application programming interfaces (APIs) designed for developers, rather than for cybersecurity professionals who prefer legacy user interfaces. Regardless of the outcome, however, one thing is clear: securing containers requires a whole new approach to cybersecurity.