Posts under kubernetes security
As we close another inspirational KubeCon and look ahead to future gatherings, let’s also pause to reflect on the accomplishments we’ve achieved together as members of the cloud-native community. For most of us, 2020 was one of the most challenging periods in our personal and professional lives. Most of us experienced unprecedented stress and anxiety as our lives were altered by the pandemic. Some of us experienced far worse – severe illness or grief over the loss of loved ones.
AppSec Has Changed Application security has matured, transformed, “shifted left”, been rebranded, de-centralised and even to an extent re-centralised over the past 10 years. Keeping up with what is relevant, with a keen eye on what is coming, is a juggling act of Cirque du Soleil proportions and something that even the keenly enthused must work above and beyond to get a firm yet perpetually slippery grasp on. The Catalyst Kubernetes won the orchestration battle – so decisively that just last year (2019) Kelsey Hightower was elucidating his not-so-distant vision of a world where it was so ubiquitous, we no longer considered it.
Organizations are rapidly moving their Kubernetes applications to production to accelerate feature velocity and drive digital transformation and business growth. Our latest State of Kubernetes Security survey report shows that companies have standardized on Kubernetes, and this rapid adoption offers equal parts promise and peril. Promise, in the form of infrastructure that enables far greater inherent security than ever before. And peril, as companies struggle to overcome a skills gap and configure the technology in the most secure manner.
Several years ago, few would have thought that a government agency would be at the forefront of application development tooling and processes, daring the civilian world to keep up with their shift-left knowhow. But that’s exactly what’s happening in the U.S. Department of Defense, which is implementing the Enterprise DevSecOps Initiative to enable agencies to increase the warfighter’s competitive advantage by developing applications more rapidly and securely. As StackRox found in our recent survey, 83% of organizations currently have a DevSecOps initiative, and the DoD is leading the charge.
To understand how to effectively secure your Kubernetes environments, it is informative to understand the architecture of Kubernetes itself as well as where and how to focus efforts on valuable mitigations, especially those which require administrator or user configuration when provisioning clusters. Kubernetes is a robust yet complex infrastructure system for container orchestration, with multiple components that must be adequately protected. Each Kubernetes cluster consists of two sets of components: (1) the control plane which is used to manage operations throughout the cluster, and (2) the cluster’s worker nodes which run containerized applications in pods.
We were already having a great day yesterday – responding to all the congratulations messages on our funding, our huge 240% increase in revenue, and our customer momentum – when news hit that we were named amongst that select group of SINET 16 Innovator Award winners. Wow. The tally of security vendors hovers around 2500, and we’re called out as one of the 16 most innovative across that entire landscape. This recognition is just one more indicator of the power of our unique approach to securing cloud-native infrastructure.
Today we’re excited to announce our $26.5M round of funding led by Menlo Ventures, with participation from Highland Capital Partners and Hewlett-Packard Enterprise along with existing investors Redpoint Ventures and Sequoia Capital. The influx of capital will enable us to meet rapidly growing demand driven by two of the biggest trends in IT and Security — Kubernetes and DevSecOps — and deliver on our vision to enable organizations to securely build, deploy, and run cloud-native applications anywhere.
I’ve had the good fortune to get to know Pathik Patel, head of cloud security at Informatica, over the past 18 months since he became a StackRox customer, and today we’re sharing the news of our joint success story. Across our numerous conversations, he has repeatedly impressed me with his forward thinking on how to innovate security processes, approaches, and tooling to keep Informatica at the forefront of securely enabling sophisticated data management, detailed in this case study.
I’m very pleased to announce the launch of StackRox’s EMEA business, with my new role as vice president, international. Why StackRox, why now? Having spent the first half of my career evangelising the Cloud and the second half Cyber Security, I’m super excited to help cloud-native companies to secure and accelerate their business transformation and DevOps initiatives with StackRox. The boom of cloud-native start-ups here in London and across Europe has been largely assisted by the massive adoption of containers and Kubernetes - StackRox is building here at the right time to help enable this digital wave.
Right on the heels of last week’s news that we’re providing Kubernetes security for DoD’s Platform One software factory, we’re excited to share today that we’ve been awarded a Phase III contract with the Department of Homeland Security. In this stage of our partnership, we’re deploying our Kubernetes Security Platform to protect running systems at a large U.S. bank. The DHS Science and Technology Directorate (S&T) uses its Silicon Valley Innovation Program (SVIP) to invest in next-generation security technologies to protect critical infrastructure, including mission-critical, cloud-native applications for financial institutions.
StackRox is in the midst of our own “Fed ramp” of sorts, with news today that we’ve been awarded a Department of Defense SBIR Phase II Award, our long history with In-Q-Tel and multiple deployments in the U.S. Intelligence Community, and more news coming soon on additional Fed initiatives. We have deep roots in protecting the cloud-native apps of many civilian and Intelligence Community agencies, including our long partnership with In-Q-Tel.
What’s better than being named a Computer Reseller News Emerging Vendor? Winning that designation two years running! We’re thrilled to be included amongst these elite technical innovators. The advantages of our unique Kubernetes-native approach to securing today’s modern apps are earning us kudos across customers (see online reviews on Gartner Peer Insights and G2), cloud partners, resellers, and industry watchers. As companies of all stripes work to accelerate their digital transformation, resellers have a special opportunity to serve as trusted advisors on the path toward app modernization.
When you’re managing the distribution of people’s paychecks, you’ve got a high bar to meet on security. So for Namely, whose SaaS application supports payroll, people management, compliance and tax, and team collaboration for hundreds of thousands of users, security has been a priority from Day 1. The move to a microservices architecture, however, drove the need for a whole new approach to security. Namely’s flagship SaaS platform uses hundreds of services that are constantly being released and updated, so the company standardized on Kubernetes to scale and operationalize infrastructure management.
You learn from every customer, but some of the toughest requirements can come from our Intelligence Community customers. Occasionally, that group needs capabilities uniquely their own, but in the best of times, they push you in ways that benefit all your customers. Our recent developments in runtime security fall in that second camp, and we’re excited to announce their availability today. We collaborated with our IC customers along with some of our biggest enterprise customers to enhance our platform with new features that help streamline analysis, investigation, and response for runtime security events.
By every measure, Kubernetes is dominating the container orchestration market. Our latest State of Kubernetes and Container Security report found that 87 percent of organizations are managing some portion of their container workloads using Kubernetes. The same survey shows that 94 percent of organizations have experienced a serious security issue in the last 12 months in their container environment, with 69 percent having detected misconfigurations, 27 percent experiencing runtime security incidents, and 24 percent discovering significant vulnerabilities to remediate.
In Part 1 of this series on the Open Policy Agent (OPA), we gave a brief rundown of why you might want to use the OPA Gatekeeper controller for policy enforcement in your Kubernetes clusters. We also gave a few examples of OPA’s query language, Rego, and of the Kubernetes Custom Resource Definitions (CRDs) that OPA Gatekeeper uses and creates. This follow-up post dives into practical aspects of writing and implementing OPA policies for Kubernetes clusters, demonstrating a working example that can be used to restrict a pod’s allowed tolerations of node taints.