StackRox today extended its container security platform for Kubernetes with a deployment-centric view of the environment, intended to give security teams more context about potential risks.
Wei Lien Dang, vice president of product for StackRox, says that by focusing the company’s container security efforts exclusively on Kubernetes, StackRox can make more extensive use of the application programming interfaces (APIs) that the Cloud Native Computing Foundation (CNCF) has exposed as it continues to oversee development of Kubernetes. In contrast, other container security platforms attempt to secure multiple container orchestration engines, which limits their ability to take advantage of every Kubernetes API. Rival platforms can only achieve the level of security that is common to all the orchestrators a vendor chooses to support, whereas the StackRox approach is focused solely on Kubernetes, argues Dang.
In addition, Dang notes the StackRox Container Security Platform is deployed as a set of containers using Kubernetes YAML files or Helm charts, which makes it easier to deploy on top of any instance of Kubernetes deployed on-premises or in the cloud.
New capabilities added to the StackRox Container Security Platform include the ability to visualize all Kubernetes deployments and pods across namespaces and clusters, along with deeper insight into cluster details, labels and annotations, privileges, secrets and network reachability. StackRox’s network policy enforcement capabilities have been extended with a network graph, a policy recommendation engine and a policy simulator. The goal is to make it easier for IT teams to enforce network segmentation across a Kubernetes environment in concert with, for example, service mesh technologies such as Envoy and Istio, says Dang.
Container security is becoming a bigger concern in direct proportion to the number of containerized applications being deployed in production environments. As cybercriminals take note of the growing presence of containers in production, targeting container weaknesses becomes more economical for them now that the number of potential opportunities is reaching critical mass. Most of those weaknesses stem from misconfigurations rather than any inherent flaw in core container technologies. Containers are most frequently deployed by developers who don’t always apply the latest security policy or make sure the software versions they package into the container carry all the latest security patches. That makes it imperative for cybersecurity teams to continuously scan a container environment that may be updated several times a day by multiple development teams.
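The two preceding paragraphs describe what a deployment-centric audit looks for (privileges, secrets, network reachability) and why it has to run continuously (misconfigurations introduced by frequent developer deployments). As an added illustration, which is not StackRox code and does not use any StackRox API, the script below audits Kubernetes Deployment and NetworkPolicy objects, already parsed into Python dicts as `kubectl get ... -o json` would deliver them, for four of those misconfiguration classes: privileged containers or privilege escalation left enabled, images not pinned to a tag or digest, secrets injected as environment variables, and pods that no NetworkPolicy selects. The sample objects, names and namespaces are constructed for the example.

```python
"""Offline audit of Kubernetes objects for common misconfigurations.

Added example; the objects below are constructed, not taken from any real
cluster, and only the fields the checks read are present.
"""
from typing import Dict, List

# Constructed sample Deployments (shape of `kubectl get deploy -A -o json` items).
SAMPLE_DEPLOYMENTS = [
    {
        "kind": "Deployment",
        "metadata": {"name": "payments", "namespace": "shop"},
        "spec": {"template": {
            "metadata": {"labels": {"app": "payments"}},
            "spec": {
                "hostNetwork": True,
                "containers": [{
                    "name": "web",
                    "image": "nginx:latest",
                    "securityContext": {"privileged": True},
                    "env": [{"name": "DB_PASS",
                             "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
                }],
            },
        }},
    },
    {
        "kind": "Deployment",
        "metadata": {"name": "api", "namespace": "prod"},
        "spec": {"template": {
            "metadata": {"labels": {"app": "api"}},
            "spec": {"containers": [{
                "name": "api",
                "image": "registry.example.internal:5000/api@sha256:" + "a" * 64,
                "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": True},
            }]},
        }},
    },
]

# Constructed sample NetworkPolicies: a default-deny for every pod in "prod";
# nothing comparable exists in "shop".
SAMPLE_POLICIES = [
    {
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny", "namespace": "prod"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    },
]


def image_is_pinned(image: str) -> bool:
    """True for a digest reference or a tag other than 'latest'.

    'registry:5000/app' contains a colon but no tag: the text after the last
    colon still contains a '/', so that colon introduced a port, not a tag.
    """
    if "@sha256:" in image:
        return True
    _, sep, tag = image.rpartition(":")
    return bool(sep) and "/" not in tag and tag != "latest"


def policy_selects(policy: Dict, namespace: str, pod_labels: Dict[str, str]) -> bool:
    """A NetworkPolicy applies to a pod in its own namespace whose labels match
    podSelector.matchLabels; an empty podSelector matches every pod there."""
    if policy["metadata"].get("namespace", "default") != namespace:
        return False
    wanted = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())


def check_deployment(deploy: Dict, policies: List[Dict]) -> List[str]:
    """Return human-readable findings for one Deployment's pod template."""
    findings: List[str] = []
    ns = deploy["metadata"].get("namespace", "default")
    template = deploy["spec"]["template"]
    pod = template["spec"]
    if pod.get("hostNetwork"):
        findings.append("pod shares the node network namespace (hostNetwork)")
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{c['name']}: allowPrivilegeEscalation not disabled")
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{c['name']}: image {c.get('image')!r} is not pinned to a tag or digest")
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(f"{c['name']}: secret {ref['name']} exposed as env var {env['name']}")
    labels = template.get("metadata", {}).get("labels", {})
    if not any(policy_selects(p, ns, labels) for p in policies):
        findings.append(f"no NetworkPolicy selects this pod in namespace {ns!r}: all traffic allowed")
    return findings


def audit(deployments: List[Dict], policies: List[Dict]) -> Dict[str, List[str]]:
    """Map 'namespace/name' to its findings; clean deployments map to an empty list."""
    return {
        f"{d['metadata'].get('namespace', 'default')}/{d['metadata']['name']}": check_deployment(d, policies)
        for d in deployments
    }


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_DEPLOYMENTS, SAMPLE_POLICIES).items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Run against live objects, the same functions take the `items` list from `kubectl get deployments,networkpolicies -A -o json`; because the checks are pure functions of the manifests, the script can run on every deployment in a CI pipeline, which is the continuous scanning the paragraph above calls for. The NetworkPolicy check is deliberately coarse: it reports only pods that no policy selects at all, and does not evaluate what a selecting policy actually permits.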
Dang says those cybersecurity issues should also drive organizations to adopt DevSecOps best practices more diligently. Cybersecurity teams remain in charge of defining and creating security policies, but implementing those controls needs to become an integrated element of the application development and deployment process.
It may take a while for organizations to achieve DevSecOps nirvana. But it should be apparent to most IT organizations by now that the current approach to securing their IT environments simply no longer works.