The battle over container security is heating up following a $42 million investment in Lacework, a provider of a container security platform that is optimized for best-practice DevSecOps processes.
There are now two extremes when it comes to container security. One camp wants to extend security policies that were developed for monolithic applications to containerized applications. Their rationale is that there aren’t enough containerized applications yet to warrant investing in a dedicated container security platform.
The rival camp argues that the ephemeral nature of containers requires a platform optimized to secure them. Lacework CEO Dan Hubbard says his company falls firmly in that category. In fact, Hubbard says, what is required is a single platform capable of addressing the entire container security life cycle end to end. At the core of that argument is the assumption that as responsibility for cybersecurity continues to shift left toward developers, there will be more need for a programmable container security platform that can be embedded easily within a set of best DevSecOps security practices.
There is a massive amount of capital pouring into the container security space. In most cases, that capital is manifesting itself in the form of venture capital investments. However, acquisitions are happening as well—witness the recent acquisition of container security platform vendor Twistlock by cybersecurity incumbent Palo Alto Networks.
It’s unclear to what degree DevSecOps will drive a shift away from cybersecurity platforms that were designed for professionals who prefer graphical user interfaces (GUIs) over application programming interfaces (APIs) to secure applications. Cybersecurity teams that are chronically understaffed have a vested interest in pushing responsibility for implementing cybersecurity controls onto the shoulders of developers. However, from hard experience, many cybersecurity professionals still don’t trust developers to implement the right controls. The problem is that there aren’t enough cybersecurity professionals to participate in every DevOps development sprint. Like it or not, they need to have faith that developers will do the right thing for cybersecurity, and they will need to verify that the right security controls have been implemented just before the application is deployed in a production environment.
In the meantime, it’s also apparent DevOps teams will exercise more influence on what container security platforms get implemented. The goal should be to set up guardrails that make it easier for developers to do the right thing versus continuing to rely on a guard dog model that has already shown itself to be severely flawed, says Hubbard.
Hubbard says Lacework will use most of the funds it has raised to focus on fundamentals such as sales, marketing and engineering. To that end, the company has appointed Andy Byron to lead the sales and marketing team as president of Lacework. Previously, Byron led sales and marketing as chief revenue officer at Cybereason, an endpoint security company, and before that was president and COO of Fuze, a provider of a unified communications platform.
About the only thing all the players involved right now agree upon is that security concerns are holding back deployments of containerized applications—which, ironically, are more secure than monolithic applications that depend on flawed patch management processes to remediate vulnerabilities. The best way to address those concerns remains the subject of fierce debate.