As deployments of containers become more widespread, the challenges associated with securing them are becoming more apparent. To help cybersecurity and DevOps teams get a better handle on those issues, NeuVector has updated its dashboard widgets and downloadable reports to include assessments of the risk of east-west attacks, ingress and egress connections and additional vulnerability exploits.
At the same time, NeuVector, which specializes in securing instances of Kubernetes clusters, has tightened its integration with the Red Hat OpenShift platform, which is based on Kubernetes.
Glen Kosaka, vice president of product management and marketing for NeuVector, says the rise of containers is forcing DevSecOps issues that require access to more detailed reports. Developers and cybersecurity professionals alike want actionable intelligence that identifies avenues of attack before and after applications are deployed in a production environment.
To that end, the deep packet inspection capabilities NeuVector includes with its Layer-7 container firewall can be employed to, for example, view summaries of network application protocol usage or determine which application protocols are being employed. A sudden increase in the volume of gigabytes being transferred over a network protocol would be indicative of data exfiltration, while a new application protocol appearing on the network would suggest someone has gained unauthorized access.
NeuVector contends a Layer-7 container firewall understands the intent of applications based on metadata and behavioral analysis rather than relying on iptables and Layer 3 and 4 rules. That approach also makes it possible to implement a zero-trust model based on Layer-7 analysis of the microservices built using containers. That may not sound like a traditional firewall, but this approach does serve to protect ingress and egress from external networks and legacy applications, as a traditional gateway firewall does, by applying whitelist rules for different microservices. Because the firewall is container-native, it also can scale up and down or across hosts as needed. That container-native capability also serves to advance adoption of best DevSecOps processes, because a container firewall can be deployed and updated within the context of a continuous integration/continuous deployment (CI/CD) platform more easily than the legacy next-generation firewalls (NGFWs) that many organizations currently rely on to secure applications.
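As an added illustration of the behavioral checks the two paragraphs above describe (this is example code, not NeuVector's), the snippet below applies a per-microservice Layer-7 whitelist to a set of east-west connection summaries, compares them against a baseline of protocol usage, and flags protocols never seen before as well as volume spikes. The service names, protocols, byte counts and the 10x spike threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of east-west connection summaries, one interval each:
# (source service, destination service, L7 protocol, bytes transferred).
BASELINE = [
    ("web", "api", "HTTP", 120_000),
    ("api", "db", "MySQL", 80_000),
    ("api", "cache", "Redis", 30_000),
]
CURRENT = [
    ("web", "api", "HTTP", 130_000),
    ("api", "db", "MySQL", 2_400_000),  # volume spike on an allowed protocol
    ("api", "cache", "Redis", 28_000),
    ("api", "ext-host", "SSH", 5_000),  # protocol and destination never seen before
]

# Layer-7 whitelist: (source, destination) -> application protocols allowed.
WHITELIST = {
    ("web", "api"): {"HTTP"},
    ("api", "db"): {"MySQL"},
    ("api", "cache"): {"Redis"},
}

SPIKE_FACTOR = 10  # assumed threshold: flag flows above 10x their baseline volume

def summarize(records):
    """Aggregate bytes per (source, destination, protocol) flow."""
    totals = defaultdict(int)
    for src, dst, proto, nbytes in records:
        totals[(src, dst, proto)] += nbytes
    return totals

def assess(baseline, current, whitelist, spike_factor=SPIKE_FACTOR):
    """Return (finding, flow) pairs for flows that are not whitelisted, use a
    protocol absent from the baseline, or exceed spike_factor x baseline volume."""
    base = summarize(baseline)
    known_protocols = {proto for (_, _, proto) in base}
    findings = []
    for flow, nbytes in summarize(current).items():
        src, dst, proto = flow
        if proto not in whitelist.get((src, dst), set()):
            findings.append(("not_whitelisted", flow))
        if proto not in known_protocols:
            findings.append(("new_protocol", flow))
        elif flow in base and nbytes > spike_factor * base[flow]:
            findings.append(("volume_spike", flow))
    return findings

if __name__ == "__main__":
    for finding, (src, dst, proto) in assess(BASELINE, CURRENT, WHITELIST):
        print(f"{finding}: {src} -> {dst} over {proto}")
```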
There’s a massive debate underway concerning the degree to which containerized applications will require a dedicated container-native security platform such as the one provided by NeuVector versus extending the reach of existing security tools by adding support for containers. Naturally, there will be plenty of greenfield Kubernetes deployments that will require a dedicated cybersecurity platform. But most enterprise IT organizations have already made extensive investments in cybersecurity platforms. That said, it’s not uncommon for different teams within the same enterprise to implement different security technologies.
The biggest obstacle, however, remains culture and process. Many developers still don’t view security issues as a natural extension of the quality assurance process. But as more application developers find their applications aren’t being deployed because they can’t pass a security gate embedded in a CI/CD pipeline, chances are good those cultural issues will soon be overcome as a matter of practical requirement.