After considering nearly two dozen security projects, Gartner analysts included container security on their list of top projects to undertake in 2019 at the Security and Risk Management conference last week.
Analyst Brian Reed highlighted the flexibility and faster pace of application innovation that containers enable, noting that “with that speed comes the drawback that we haven’t started securing [containers] from the point of development.”
Brian’s advice at the conference, along with other written research from Gartner analysts, calls out a few requirements to consider:
- get further integrated into the development side
- make the process seamless to the developer
- tie into the CI/CD pipeline
- look for comprehensive APIs in the container security platform so you can tie these capabilities into other security products for reporting and configuration
- ensure capabilities that span from build and deploy, such as vulnerability scanning, to runtime protection
The StackRox Kubernetes Security Platform delivers on a broad range of use cases to fulfill all the stated Gartner requirements for container security platforms. Even more compelling, the unique advantages of the StackRox platform address the parameters Gartner outlines for how to prioritize security projects. Gartner encourages organizations to look for projects that:
- enable the business
- reduce the most risk
- support CARTA strategies (see last year’s blog post for an overview on CARTA)
Let’s look at how the StackRox platform meets this bar.
Enable the business
StackRox enables developers to work faster and safer in containers because we can apply vulnerability management, configuration management, and visibility early in the dev cycle and tie into Jenkins or whatever CI/CD tools they’re running to highlight security gaps during the build phase. Our platform also enables developers and security staff to work together more easily, leveraging Kubernetes as the common source of truth and tapping into its controls for native enforcement. As Gartner analyst Brian Reed noted at the conference, “Don’t make the mistake of only focusing on risk reduction when choosing projects for 2019 – think about enablement.”
Reduce the most risk
StackRox provides multi-factor risk profiling that enables organizations to zero in on the riskiest deployments in their environment. If the security team hands over a list of 48 vulnerabilities, developers will fix exactly zero of them. But if instead the security team says, “you’ve got 48 vulnerabilities, but these three really matter, because they’re in production clusters that are serving a critical app and open to the Internet,” then those three have a great chance of getting fixed. In wrapping up his talk at the Gartner conference, Brian pointed out the balancing act with risk – security professionals are chartered with reducing risk, but “if you don’t take on risk, you don’t get business opportunity,” he said.
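To make the "these three really matter" argument concrete, here is an added illustration (not StackRox code, and not how its platform scores risk) of ranking deployments by deployment context rather than by raw vulnerability count. The deployment records, the factor names and the weights are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Deployment:
    """Constructed record: what an image scan plus a cluster inventory might yield."""
    name: str
    cluster_env: str            # "prod" or "dev" (assumed label)
    internet_exposed: bool      # e.g. reachable through a LoadBalancer Service or Ingress
    critical_app: bool          # business-criticality tag from the inventory (assumed)
    privileged: bool            # runs a privileged container
    cve_cvss: list = field(default_factory=list)  # CVSS base scores from the image scan

def vuln_count(d: Deployment) -> int:
    return len(d.cve_cvss)

def risk_score(d: Deployment) -> float:
    """Weight the worst finding by where it runs; weights are illustrative assumptions."""
    if not d.cve_cvss:
        return 0.0
    multiplier = 1.0
    if d.cluster_env == "prod":
        multiplier *= 2.0
    if d.internet_exposed:
        multiplier *= 2.0
    if d.critical_app:
        multiplier *= 1.5
    if d.privileged:
        multiplier *= 1.5
    return round(max(d.cve_cvss) * multiplier, 2)

def rank_by_count(deployments, top_n=3):
    """The naive list a scanner alone produces: most findings first."""
    return [d.name for d in sorted(deployments, key=vuln_count, reverse=True)[:top_n]]

def prioritize(deployments, top_n=3):
    """The context-aware list: the few deployments worth a developer's attention first."""
    return [d.name for d in sorted(deployments, key=risk_score, reverse=True)[:top_n]]

# Constructed sample inventory. build-agent has the most (and worst) CVEs but sits in a
# dev cluster with no exposure, so context-aware ranking pushes it below the prod services.
SAMPLE = [
    Deployment("payments-api",     "prod", True,  True,  False, [9.8, 7.5]),
    Deployment("checkout-web",     "prod", True,  True,  False, [7.5, 5.3]),
    Deployment("inventory-worker", "prod", False, True,  True,  [9.8]),
    Deployment("build-agent",      "dev",  False, False, True,  [9.8, 9.8, 8.1]),
    Deployment("docs-site",        "dev",  True,  False, False, [5.3]),
    Deployment("test-db",          "dev",  False, False, False, [9.8, 7.5]),
]
```

Running `prioritize(SAMPLE)` yields the three production deployments, while `rank_by_count(SAMPLE)` leads with the dev build agent.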
Support CARTA strategies
Gartner defines CARTA as Continuous Adaptive Risk and Trust Assessment – essentially, continually monitoring the environment to understand how risk changes. CARTA, correctly, recognizes that we can no longer be confident about known good vs. known bad behavior – we have to watch traffic over time and compare to baselines to understand whether behavior looks suspect.
StackRox applies these principles to our threat detection and incident response capabilities. We also go one step further – applying a feedback loop that leverages information we learn during build and deploy to affect our runtime security priorities and vice versa – using information about exploits during runtime to improve how we assess and control risk during build and deploy. The outcome of this feedback loop – continuous hardening in your environment – significantly improves your security posture.
Container security success in 2019
StackRox makes it easy for you to address the technology and tooling piece of your container security project, and the information our platform delivers helps you address the people and process side of container security as well. Security information, delivered the way DevOps needs to receive it, with the security rationale and remediation steps embedded, will help your team succeed with the critical project of container security this year. Get started by requesting a custom demo.
And to satisfy your curiosity about what else made the Gartner list of Top 10 security projects for 2019, they are:
- privileged access management
- vulnerability management
- detection and response
- cloud-security posture management
- cloud access security broker
- business e-mail compromise
- dark data discovery
- security incident response
- security ratings services