In a news release today, we detailed new capabilities in the latest version of the StackRox Container Security Platform that enable better visibility, more nuanced risk profiling, and more streamlined network policy enforcement. In every case, these new features derive directly from our deep integrations with Kubernetes.
About a year ago, we faced a difficult decision – continue our support of a broad array of orchestrator platforms or narrow our focus to supporting just Kubernetes. Supporting multiple orchestrators ensured compatibility with more of our existing customers’ environments, but it forced us to build to the lowest common denominator in orchestrator capabilities. Because we couldn’t expect certain orchestrator capabilities to be present, we had to limit the feature set of the StackRox Container Security Platform.
Focusing on just Kubernetes would mean we could enrich the StackRox platform by tying into the rich capabilities of the ever-improving orchestrator. But it would also mean we couldn’t support some customer environments. At the start of 2019, betting on Kubernetes looks like an easy decision – it has taken the container world by storm. A year ago, though, this bet was not easy to make, and in fact narrowing our orchestrator support lost us some customers come renewal time. Today, we’re more sure than ever that betting on Kubernetes was the right call.
Why should you care about a philosophy decision we made? Because it directly affects the technical capabilities of the StackRox Container Security Platform – for the better. In today’s news, we’re highlighting three areas benefiting from our deep integration with Kubernetes:
- Deployment-Centric Visibility – most container security platforms take an image-centric viewpoint, sharing information about the software contents of the image and its provenance so that you understand details about vulnerabilities and registries. StackRox, in contrast, presents visibility centered around deployments. This approach ensures DevOps and Security teams are building policies in the same infrastructure and leveraging a common source of truth. They share one world view of all their deployments and pods across namespaces and clusters. This deployment-centric perspective also helps teams address the challenges of misconfigurations in Kubernetes that can leave an environment unnecessarily exposed.
- Multi-Factor Risk Profiling – with rich visibility at the deployment level, the StackRox platform can apply data around cluster information, labels and annotations, privileges, secrets, network reachability, and running processes to provide a nuanced look at risk. Taking into consideration whether a cluster is running in test or production, what application is involved, the type of data and secrets in use, whether the deployment is reachable from the Internet, and whether risky processes are running all contribute to stack-ranking the risk of every deployment. This deep information, derived from integrating with Kubernetes, helps Security and DevOps teams prioritize the handful of truly risky deployments that need to be addressed immediately.
- Network Policy Management – StackRox ties into Kubernetes for a robust, scalable, and portable approach to segmentation at the network layer. Leveraging the native controls in Kubernetes ensures the power of the whole community is behind the segmentation capabilities vs. a handful of engineers inside a startup. Plus, when Kubernetes is doing the policy enforcement, the organization can be sure the controls scale with Kubernetes and apply consistently across the environment. If a third-party firewall is used instead, the organization can’t be sure it’ll be applied everywhere there’s a Kubernetes deployment, and it can’t ensure consistency across different environments – on-prem, cloud, or multi-cloud. To support network policy enforcement, StackRox adds three capabilities: a network graph, a policy recommendation engine, and a policy simulator. The network graph displays both allowed and actively used communication paths among namespaces and deployments, and it shows which deployments are reachable from the Internet. The policy recommendation engine highlights which allowed paths are not being used so you can disable them. The policy simulator lets organizations preview the network policies in YAML files visually to confirm their accuracy before applying them in Kubernetes.
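To make the "allowed versus actively used" idea concrete, here is an added toy implementation of that analysis in Python. It is not StackRox code and does not reflect how the product computes its graph; it models a small subset of Kubernetes NetworkPolicy semantics (ingress only, `matchLabels` selectors, same-namespace `podSelector` peers) over a constructed set of deployments and observed flows. The deployment names, namespaces, labels and flow records are all hypothetical sample data.

```python
"""Added example (not StackRox code): a toy "allowed vs. observed" analysis for
Kubernetes NetworkPolicy, in the spirit of the network graph and recommendation
engine described above. Deployments, policies and flows are constructed inline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    name: str
    namespace: str
    labels: tuple  # ((key, value), ...) so the dataclass stays hashable


@dataclass(frozen=True)
class NetworkPolicy:
    namespace: str
    pod_selector: tuple   # () selects every pod in the namespace
    ingress_from: tuple   # tuple of podSelector label tuples; () means deny all ingress


def matches(selector, labels):
    """matchLabels semantics: every selector pair must be present on the pod."""
    return all(pair in labels for pair in selector)


def allowed_ingress(deployments, policies):
    """Pairs (src, dst) that Kubernetes would let through.
    A pod selected by no policy accepts ingress from everyone; otherwise only
    the union of the selecting policies' rules applies. A bare podSelector in
    `from` only matches pods in the policy's own namespace."""
    allowed = set()
    for dst in deployments:
        selecting = [p for p in policies
                     if p.namespace == dst.namespace and matches(p.pod_selector, dst.labels)]
        for src in deployments:
            if src is dst:
                continue
            if not selecting:
                allowed.add((src.name, dst.name))
                continue
            for p in selecting:
                if src.namespace == p.namespace and any(
                        matches(sel, src.labels) for sel in p.ingress_from):
                    allowed.add((src.name, dst.name))
                    break
    return allowed


def unused_paths(allowed, observed):
    """Allowed paths with no observed traffic: candidates for removal."""
    return allowed - observed


def recommend_policies(deployments, observed):
    """One ingress-only NetworkPolicy per deployment, admitting exactly the
    observed in-cluster sources. An empty `ingress` list denies all ingress."""
    by_name = {d.name: d for d in deployments}
    policies = []
    for dst in deployments:
        sources = sorted(src for src, d in observed if d == dst.name)
        from_rules = [{"podSelector": {"matchLabels": dict(by_name[s].labels)}}
                      for s in sources]
        policies.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"{dst.name}-ingress", "namespace": dst.namespace},
            "spec": {
                "podSelector": {"matchLabels": dict(dst.labels)},
                "policyTypes": ["Ingress"],
                "ingress": [{"from": from_rules}] if from_rules else [],
            },
        })
    return policies


# Constructed sample environment (hypothetical names and labels).
DEPLOYMENTS = (
    Deployment("frontend", "payments", (("app", "frontend"),)),
    Deployment("api", "payments", (("app", "api"),)),
    Deployment("db", "payments", (("app", "db"),)),
    Deployment("debug", "ops", (("app", "debug"),)),
)
POLICIES = (
    # Only `api` is protected: it accepts ingress from `frontend` in its namespace.
    NetworkPolicy("payments", (("app", "api"),), ((("app", "frontend"),),)),
)
OBSERVED = {("frontend", "api"), ("api", "db")}   # constructed flow records

if __name__ == "__main__":
    allowed = allowed_ingress(DEPLOYMENTS, POLICIES)
    for src, dst in sorted(unused_paths(allowed, OBSERVED)):
        print(f"allowed but unused: {src} -> {dst}")
    for pol in recommend_policies(DEPLOYMENTS, OBSERVED):
        print(pol["metadata"]["name"], pol["spec"]["ingress"])
```

Two things a practitioner should take from the toy: first, `db` is reachable from every deployment (including one in another namespace) simply because no policy selects it, which is exactly the kind of misconfiguration a graph of allowed paths exposes; second, a recommendation built only from observed traffic is only as good as the observation window, and it knows nothing about sources that are not deployments (the Internet, an ingress controller). The generated `frontend-ingress` policy denies all ingress for that reason, so reviewing recommended YAML before applying it, as with the simulator described above, is not optional.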
We plan to continue these types of deep integrations with Kubernetes to enhance the richness of the StackRox Container Security Platform, and we’re also extending these integrations to the Istio service mesh. By tying into the infrastructure of the cloud-native development stack, StackRox is ensuring DevOps and Security stay tightly aligned and teams get the strongest possible security functionality across their containers and orchestrators.