Here at Stratus Medicine, we have the challenge of figuring out how to secure code that we didn’t write. Think of us as the middleman between healthcare providers wanting to test innovative applications and healthcare application creators looking to get their new software running with real users and real data sets. Our Stratus Platform brings these groups together, which leaves us with the task of securing sensitive patient data along with code we didn’t write.
In theory, this security task would be easy: wrap the code up in a box, and prevent it from ever talking to the outside world. Unfortunately, that approach simply isn’t feasible. We all know that applications today are complex pieces of machinery that need inputs from many sources – not just from within our enterprise networks but also from the outside world. Supporting the code and data we have running on our platform opens up a whole set of security threats that we need to manage. To complicate matters further, most applications get a user interface to deal with user inputs, which might expose a set of APIs as well. And we still haven’t talked about malicious attacks on the underlying network, poorly configured IP/port rules and whitelists, or the control plane! We have a lot to protect.
Because we believe the task of managing security threats for the applications we run in our environment is bigger than our team can handle alone, we embarked on a journey to find external solutions we could include in our stack to close a few of the gaps (pun intended).
Today I am proud to announce that we have integrated StackRox into the Stratus Platform to provide runtime security, intrusion behavior analysis, and static policy-based application gating. We believe the features of the StackRox Kubernetes Security Platform, as integrated into our standardized, secure application deployment workflow for healthcare apps, provide a necessary layer of protection for our workloads. It will help us ensure that we can protect both the internal and external applications we run in our environment and protect the data these applications access.
The Search for a Container Security Platform
At Stratus, we’ve focused our product development efforts on being able to deploy container-centric applications. By “container-centric,” I mean that while the applications might access cloud services like a scalable SQL data store or hosted machine-learning tools, the majority of the code and application architecture continue to be deployed as a set of containers. This architecture implies that the majority of the attack surface for these applications lies within the container definition/image (source code and third-party packages) and the orchestrator resources that describe how these containers are deployed (volumes, privileges, IP/port configurations, network policies, etc.). We rely internally on Kubernetes as our container orchestration engine – specifically the cloud-hosted Google Kubernetes Engine (GKE). Given our architecture, our search for security tools was quickly narrowed to those that were built for containers and integrated deeply with Kubernetes. We also needed a solution that plays well with GKE, where access to the control plane and the ability to configure compute nodes is limited.
With these search criteria, we quickly ruled out many solutions that didn’t meet our needs. We performed proof-of-concept work with a number of container-centric platforms and eventually settled on StackRox.
Important Features We Sought
In the proof-of-concept work we did, we valued several specific product features when looking at the small pool of container-focused security platforms. We needed
- a full-featured API so that we could integrate the platform with our product,
- a scale-out and multi-tenancy model that meshed well with our view of the world, and
- a focus on static analysis and runtime security that integrated well with the software development lifecycle.
This last feature is where things really get interesting. In our product demonstrations to our customers, we need to be able to show how we can stop data breaches before they occur and how we can help them deploy container-centric workloads while also maintaining visibility and control. With StackRox, we are now able to stop applications from being deployed should they violate our pre-defined policies, we are able to kill Kubernetes pods when we identify known intrusion behaviors, and we are able to bubble up violations to increase visibility. For us, this integration of container-centric and Kubernetes-centric security policies into our standardized deployment workflow creates great peace of mind.
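To make the idea of static, policy-based gating concrete, here is an added example (written for this post, not StackRox code or the Stratus Platform's own integration) of a deploy-time check over a Kubernetes Deployment manifest. It walks the same orchestrator-level attack surface listed earlier (privileges, volumes, host IP/port exposure) plus image pinning, and returns the list of violations a pipeline would use to refuse the deployment. The manifests are constructed for the example and are expressed as the dicts a YAML or JSON parser would return; the policy names and thresholds are this example's own assumptions, not a published policy set.

```python
"""Deploy-time policy gate over a Kubernetes Deployment manifest.

Added example, not StackRox or Stratus Platform code. Policies are the
example's own choices; a real gate would load them from configuration.
"""
from typing import Any

Manifest = dict[str, Any]


def _pod_spec(manifest: Manifest) -> Manifest:
    # Deployments, StatefulSets, DaemonSets and Jobs all nest the pod spec here.
    return manifest["spec"]["template"]["spec"]


def image_is_pinned(image: str) -> bool:
    """Reject untagged images and the mutable ':latest' tag.

    A digest (@sha256:...) is the strongest pin. A version tag is accepted
    here, but tags can be re-pushed by whoever controls the registry.
    """
    if "@sha256:" in image:
        return True
    name = image.rsplit("/", 1)[-1]  # drop registry/path, which may contain ':port'
    if ":" not in name:
        return False  # no tag at all means an implicit ':latest'
    return name.rsplit(":", 1)[1] != "latest"


def evaluate(manifest: Manifest) -> list[str]:
    """Return every policy violation found; an empty list means 'admit'."""
    pod = _pod_spec(manifest)
    violations: list[str] = []

    # Pod-level checks: host networking and host filesystem access.
    if pod.get("hostNetwork"):
        violations.append("pod: hostNetwork is enabled")
    for vol in pod.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            violations.append(f"volume {vol['name']}: hostPath mount of {path}")

    # Container-level checks: privileges, image provenance, host ports.
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"container {name}: privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"container {name}: allowPrivilegeEscalation must be false")
        if sc.get("runAsNonRoot") is not True:
            violations.append(f"container {name}: runAsNonRoot must be true")
        if not image_is_pinned(c["image"]):
            violations.append(f"container {name}: image {c['image']} is not pinned")
        for port in c.get("ports", []):
            if "hostPort" in port:
                violations.append(f"container {name}: binds hostPort {port['hostPort']}")
    return violations


def admit(manifest: Manifest) -> bool:
    """Gate decision: only a manifest with zero violations may be deployed."""
    return not evaluate(manifest)


# Constructed sample: a deployment that should be refused (7 violations).
SAMPLE_DEPLOYMENT: Manifest = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "ehr-ingest", "namespace": "tenant-a"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [
            {"name": "api", "image": "registry.example/ehr-ingest:latest",
             "securityContext": {"privileged": True},
             "ports": [{"containerPort": 8080, "hostPort": 8080}]},
            {"name": "sidecar", "image": "registry.example/log-shipper:1.4.2",
             "securityContext": {"runAsNonRoot": True,
                                 "allowPrivilegeEscalation": False}},
        ],
    }}},
}

# Constructed sample: the same workload written to pass the gate (fake digest).
COMPLIANT_DEPLOYMENT: Manifest = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "ehr-ingest", "namespace": "tenant-a"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [
            {"name": "api", "image": "registry.example/ehr-ingest@sha256:" + "0" * 64,
             "securityContext": {"runAsNonRoot": True,
                                 "allowPrivilegeEscalation": False},
             "ports": [{"containerPort": 8080}]},
        ],
    }}},
}

if __name__ == "__main__":
    for label, m in (("sample", SAMPLE_DEPLOYMENT), ("compliant", COMPLIANT_DEPLOYMENT)):
        print(f"{label}: admit={admit(m)}")
        for v in evaluate(m):
            print("  -", v)
```

In a pipeline this check would run against the rendered manifest before `kubectl apply`, or the same logic would sit behind a validating admission webhook so that manifests applied by hand are gated as well; surfacing the violation list (rather than a bare reject) is what gives the visibility mentioned above.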
Great Partnerships Lead to Success, and to the Future
Last but not least, I tip my hat to StackRox for providing a high-touch customer experience to us during our entire integration process. The team has been ready to field the many questions we’ve had as we have built our implementation, and StackRox developers continue to roll out new product features that expand its security and compliance capabilities. We are looking forward to working with StackRox as we move our platform forward, expanding the ways that our customers are able to deploy applications as part of their healthcare innovation initiatives.