Securing The Backbone Of Your Digital Business Transformation Initiatives

Three technology trends are driving digital business transformation.

The first is DevOps, the combination of practices, principles, and technologies that enable organizations to deliver applications and services at high velocity. Gartner has called out DevOps as a key driver for competitive advantage. Rapid iteration also improves customer experience through faster time to service.

The second is the adoption of containers, a standard unit of software that packages up code and its dependencies, enabling applications to run quickly and reliably across computing environments. Developers embrace containers to drive agility, lower costs, and ensure portability across multicloud and hybrid-cloud platforms.

The third major trend is the rise of Kubernetes — the de facto standard for container orchestration. Kubernetes is an open-source system that takes certain features (scaling, management, deployment) of containerized applications and automates them. Often referred to as the operating system of cloud-native application architecture, Kubernetes is key to running multi- and hybrid-cloud deployments and is supported by all major platform providers.

So how do DevOps, containers and Kubernetes impact security? Well, the mission of security and DevOps teams (the “what”) remains the same: harden environments to keep out the bad actors, and if they manage to get in, detect and stop them. However, the “how” of achieving this mission must adapt to the new world.

As the CEO of a company that provides a platform that protects cloud-native applications built and deployed in containerized Kubernetes environments, I’ve seen firsthand how organizations struggle not only with adopting cloud-native infrastructure but also how to secure it. Existing security tools are not effective at securing this new infrastructure. They don’t understand the immutable and ephemeral nature of containers. Plus, you have to align security with DevOps practices, workflows and automation.

As DevOps, containers and Kubernetes merge into mainstream implementation, organizations undertaking digital transformation journeys have an opportunity to embed security as part of the application development process. We can seize the opportunity to have security built-in versus bolted-on.

So, as we’re learning the new processes, workflows, and tooling critical to business transformation, we’re also learning how to make progress on our security and compliance journey at the same time.

Get to know the soft underbelly of your digital transformation

Most IT pros, including those supporting containerized environments, claim that security is a top concern and that leadership does not take security seriously enough. They frequently identify areas of disconnect between the reliance on containers and Kubernetes and their organization’s resources to secure these technologies.

Containers offer many inherent security advantages. They take a declarative approach to building and deploying applications and provide additional layers of protection compared to VMs. But these advantages do not mean that security can be an afterthought. As container deployments become more widespread, they will be targeted more frequently, and it’s unlikely that bad actors will be half-hearted about creating new exploits.

Therefore, organizations need to make sure that security is addressed across the entire container lifecycle, from build to deploy to runtime. Focusing on runtime only is not sufficient — you have to shift left and put controls in place during the build and deploy phases. For example, you need to prevent an image with a critical vulnerability from ever getting built, much less deployed, in your environment. You also should ensure that a misconfigured container is not allowed to deploy. You should immediately stop a just-launched microservice that doesn’t adhere to internal policies. And you should make sure that the system governing your containers, Kubernetes, has been configured securely.

Build bridges and break down silos

DevOps, containers and Kubernetes allow security measures to be built into the application code. So DevOps has to implement this embedded security, which means they need to work collaboratively with security teams. I challenge today’s leaders to ensure they are prioritizing the integration of developers and security teams more closely. Cybersecurity experts will continue to be vastly outnumbered by their DevOps counterparts, so everyone needs to take ownership of building security into the development process. You must find opportunities to cultivate security champions on the DevOps team who can guide and educate their fellow developers.

Address all critical security use cases

Attacks and exploits will be more common as containers and Kubernetes are more widely implemented across a variety of environments. While cloud-native applications create opportunities to optimize, streamline and embed security, care should be taken to make sure that all critical use cases are addressed. Vulnerability management is important, as several documented examples of Kubernetes vulnerabilities have been published.

A Kubernetes-specific DoS vulnerability and a runC vulnerability that allows attackers to obtain host root access have made headlines. Beyond vulnerability management, Kubernetes configuration is tricky, and last year we learned how misconfigurations can lead to data exposure. An additional use case that should be addressed is compliance with CIS benchmarks, as well as NIST, PCI and HIPAA. Despite best efforts, unknown bugs and vulnerabilities will lead to compromises during runtime. Therefore, threat detection, incident response and network segmentation to reduce the blast radius of a breach are also critical use cases that should be addressed.

Do first things first

Agile technologies like containers and Kubernetes are critical for digital business transformation. As a result, it is tempting to dive into implementation before ensuring that all the security know-how, tools and preparations are in place. There’s no plug-and-play answer to these challenges, and they call for careful consideration and leadership attention. Each business will have its own security and compliance requirements, its own risk management framework and its own set of technical dependencies. Leaders should prioritize executing thorough, ongoing assessments of each of these factors.

Security is often an afterthought, and we’ve seen the consequences splashed across headlines time and again. By strategically converging DevOps and security (dare I say DevSecOps) along with cloud-native architecture, containers, and Kubernetes, your business can have its cake and eat it too — evolving fast enough to stay ahead of the curve while at the same time protecting your assets, customers and partners.