This is the second article of a three-part blog series reviewing Gartner Security & Risk Management Summit 2019. Don’t forget to read article one, titled “Gartner’s Top 10 Security Projects for 2019 - Container Security Makes the List,” and article three, titled “Gartner: How-To Guide on Securing Containers.”
Properly implemented, cloud-native apps will be the most secure applications your organization has ever developed or deployed.
So began analyst Neil MacDonald in his talk on “Security Patterns and Best Practices for Securing Cloud-native Applications” at the recent Gartner security summit. Combination promise and challenge, that opening salvo strikes at the heart of the cloud-native security dilemma – this infrastructure is uniquely capable of providing inherent security, but at the same time, it’s not hard to get things terribly wrong.
Taking advantage of the native capabilities on this infrastructure, MacDonald went on to say, will demand that we “jettison the baggage” of our current thinking, tools, and processes. Since the developer is king in today’s digital business, we must orient our security approach around the CI/CD pipeline. He advocated several shifts in mindset and practice. We must:
- stop patching – think Legos instead of Jenga – don’t swap the bricks, build a new tower with freshly minted bricks each time
- use the native infrastructure – use the capabilities of the systems and services you’re running instead of layering in separate sources of control
- design for short- not long-lived assets – intentionally pull the rug out from under your running environments, systematically and automatically, so you’re constantly rebuilding your microservices with known good building blocks
- rely on development parameters for runtime enforcement – the declarative nature of containers and Kubernetes makes it easier than ever to know when an asset isn’t running as built, evidence that it’s been compromised
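To illustrate the last point in the list, here is an added example (not code from MacDonald’s talk or from StackRox) that compares a declared container spec with what is observed running and reports every difference as drift. The dictionaries are constructed, simplified stand-ins for Kubernetes pod specs, and `find_drift` and `index_by_name` are hypothetical helper names.

```python
"""Drift check: declared container spec vs. what is observed running.
Added example; the dictionaries are constructed, simplified pod specs."""

# Fields that should be identical between the declaration and the running asset.
CHECKED_FIELDS = ("image", "command", "args", "securityContext")

def index_by_name(pod_spec):
    """Map container name -> container dict for a (simplified) pod spec."""
    return {c["name"]: c for c in pod_spec.get("containers", [])}

def find_drift(declared, running):
    """Return sorted (container, field, declared_value, running_value) tuples."""
    want, have = index_by_name(declared), index_by_name(running)
    findings = []
    for name in want.keys() - have.keys():      # declared but not running
        findings.append((name, "<container>", "present", "missing"))
    for name in have.keys() - want.keys():      # running but never declared
        findings.append((name, "<container>", "absent", "undeclared"))
    for name in want.keys() & have.keys():      # present on both sides: compare fields
        for field in CHECKED_FIELDS:
            expected, actual = want[name].get(field), have[name].get(field)
            if expected != actual:
                findings.append((name, field, expected, actual))
    return sorted(findings, key=lambda f: (f[0], f[1]))

# Constructed sample: what the pipeline declared at build/deploy time.
DECLARED = {"containers": [
    {"name": "api", "image": "registry.example/api@sha256:1111",
     "command": ["/app/server"], "args": ["--port=8080"],
     "securityContext": {"privileged": False, "readOnlyRootFilesystem": True}},
]}

# Constructed sample: what is observed running (privilege changed, extra container).
RUNNING = {"containers": [
    {"name": "api", "image": "registry.example/api@sha256:1111",
     "command": ["/app/server"], "args": ["--port=8080"],
     "securityContext": {"privileged": True, "readOnlyRootFilesystem": True}},
    {"name": "debug-shell", "image": "registry.example/tools:latest"},
]}

if __name__ == "__main__":
    for container, field, expected, actual in find_drift(DECLARED, RUNNING):
        print(f"DRIFT {container}.{field}: declared={expected!r} running={actual!r}")
```

Any finding means the asset is not running as built, which is the signal for replacing it with a fresh instance from the declared spec rather than repairing it in place.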
“The Sec in DevSecOps should be silent,” quipped MacDonald, making the point that we should let developers do what they want while our security policies for cloud-native infrastructure provide the guardrails that help them build things right the first time. We need to complement this development focus with runtime security as well, but security must start in development.
StackRox has put DevOps processes and tooling at the heart of our approach to container and Kubernetes security. The StackRox Kubernetes Security Platform provides out-of-the-box policies that span build, deploy, and runtime to ensure developers get the immediate feedback they need to know an asset they’ve created is out of compliance with internal policy or industry standards.
StackRox has also made leveraging the inherent control capabilities of Kubernetes a fundamental tenet of our enforcement – rather than give you an inline proxy or shim that operates out of band, we tap the power of Kubernetes for network segmentation, admission control, scaling to zero, or killing pods. That way, DevOps and security stay on the same page, looking to Kubernetes as their common source of truth.
To get more advice from Gartner on security best practices, check out our overview on the analyst firm’s Top 10 Security Projects for 2019 and stay tuned for additional blogs on other sessions from the conference.