Report & interview: Plan your container security as a core component
Container technology is more widespread than ever, but a report has found that security standards are unable to keep up with the pace. We interviewed Ali Golshan, CTO and co-founder of StackRox, about what causes container security issues and how to improve the way security is approached.
StackRox, purveyors of a Kubernetes security platform, and AimPoint Group, a research and consulting firm, have published a report entitled The State of Container and Kubernetes Security (data submission required). The report contains data from 392 IT professionals who were asked a series of questions regarding the use of containers in their companies, and the security concerns and infrastructure surrounding them. They compared the responses with a similar survey they conducted in late 2018, in which they found the main concerns about container strategy were security, the lack of security strategies in place, and the type of security risk and the life cycle phase impacted.
This new report shows some interesting developments over the six-month interval between surveys, chiefly that more and more companies are adopting containerization and Kubernetes. The report also found, however, that although defining a strategy for container security is becoming more important, security and lack of detail are the biggest challenges.
As the report’s graphics show, 40% of respondents don’t think their company invests adequately in security, and 34% either have no security strategy or are in the planning stages of implementing one. Add to this the fact that 86% of the respondents’ organizations have adopted Kubernetes and it seems difficult not to conclude that there must be containers in production out there with little to no security strategy in place.
Misconfigurations and vulnerability management
The report also found that 60% feel misconfigurations and accidental exposures are their biggest security concern, and that vulnerability management, compliance, and visibility are the three most important “must have” features for their container security.
Interview with Ali Golshan, CTO and co-founder of StackRox
After reading the report, we got in touch with Ali Golshan, CTO and co-founder of StackRox, and asked him some questions about security.
JAXenter: How can we make security more of a priority in the minds of those who think it only matters in production?
Ali Golshan: We need to remind people that 90% to 95% of all security incidents – which occur on systems that are in production – happen because of misconfigurations or other accidental exposures. What’s new with the cloud-native stack is the ability to directly tie security into how we build the systems. We need to take advantage of the declarative nature of the cloud stack. Containers, microservices architectures, and DevOps have become so prevalent largely because they make development, deployment, porting, and updating applications faster and more reliable, giving cloud-native startups a big competitive advantage over their more traditional counterparts. But when security becomes an afterthought, and is not taken seriously during the build/deploy phases, then organizations are losing a core advantage of containerized application development. Anytime a vulnerability or misconfiguration is detected when an app is about to go in production, you spend far more time and money fixing the problem – and you likely delay the release of that app – than if you included more stringent security in the build and deploy phases from the start.
JAXenter: How can security be improved and moved forward?
Ali Golshan: Look for opportunities to make security part of the code. Security will be significantly advanced with more automation and more attributes built directly into the infrastructure. Kubernetes, which has been adopted at a faster rate than any other infrastructure people can recall, gained popularity in part because of the built-in security features. People can look at resources such as the Kubernetes Security 101 guide to understand the key components of Kubernetes, some of the security considerations of containers and Kubernetes, and the must-know security questions you should be able to answer about your container environment.
JAXenter: What are some best practices on how to implement the security aspect into the DevOps process?
Ali Golshan: One of the first things you should do is embed security checks into the CI/CD pipeline. DevOps moves fast, so security must be as automated as possible. For example, ensure compliance checks and audits for CIS Benchmarks, PCI, HIPAA, and other security specs are on-going. Any failures of those checks should include a full explanation of the remediation steps needed, in terms that developers and DevOps will understand. In other words, security and DevOps must speak the same language, and security learnings from deploy or runtime phases should seamlessly inform and affect the build phase of future deployments.
JAXenter: I read in your report that misconfigurations are viewed by the respondents as the greatest source of risk. Do you think removing the human factor from the equation and adopting an “automate everything” approach would be the best way to go, or are there things that could actually get worse when done automatically instead of by a designated developer or operator?
Ali Golshan: We absolutely believe that automation will help a lot. And if the setup itself can’t be automated, then at least the checks on those configurations should be automated, so that as soon as a developer is done with a task, he or she knows if something is off, and any improper build or deployment cannot succeed. The industry has taken a lot of steps in this direction already. The CIS benchmarks have outlined a set of configuration recommendations for container and Kubernetes hardening. We don’t think it’s feasible for a developer to go line by line through the hundreds of configuration checks in CIS. This checking process should be automated, end-to-end. With that said, you will have times where you need to run a container in a way not recommended by CIS, such as running a container in privileged mode, so you also need a way to enable exceptions that don’t continually raise a red flag. That will take human intervention. But the on-going checks should definitely be automated.
JAXenter: How long do you think it will be before certain tasks can be performed securely by an artificial intelligence?
Ali Golshan: If we classify AI as an extension to Machine Learning, which we see it as, plenty of tasks can be completed using AI. ML is great at classification problems, such as when you’re trying to automatically classify various families of malware or build signatures and heuristics based on known patterns. ML is very well suited to solving problems that are bound and do not require situational or contextual awareness. The question then really becomes when will ML / AI solutions be able to take on the more complex tasks that require depth in context of an organization or user behavior – for those types of approaches, we are still years out from providing.
JAXenter: Do you think there’s merit to a hybrid approach where specific tasks are outsourced to AI and others are taken care of by humans?
Ali Golshan: Yes. If users can provide curation and ensure that the data provided is clean, then the training of ML systems will have much higher fidelity. The current problem is our systems for collecting and parsing data are somewhat built for more manual workflows. As a result, they don’t provide clean and properly tagged data for ML systems. To move ML / AI to truly autonomous modes, the entire ETL pipeline needs to mature and advance.
JAXenter: What’s the one thing that all companies should be doing about security right now, but not all of them are?
Ali Golshan: The first thing we are noticing, that we alluded to earlier, is that too many companies are waiting until they’re ready to go into production to bring in security. Most of these environments are often complex, with multiple security, monitoring, logging, and event management solutions deployed. Waiting until production to bring in a container and Kubernetes security solution in your cloud-native stack sometimes will limit the gains of your DevOps processes because you will encounter additional delays as unknown factors get looked at only at the end of the development pipeline. Security should be brought into the mix as early as possible, and it must become a core component of the container infrastructure build and deploy cycles as well.
Thanks very much!
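The interview describes automated configuration checks that block an improper build or deployment, explain the remediation in developer terms, and allow reviewed exceptions such as a container that must run in privileged mode. The sketch below is an added example, not code from StackRox, the report, or the interview; the three rules are illustrative pod-hardening checks, and the manifests, rule ids, and exception list are constructed for the illustration.

```python
import json
import sys

# Constructed sample: Pod manifests in JSON form; all names are made up.
MANIFESTS = json.loads("""[
 {"kind":"Pod","metadata":{"namespace":"shop","name":"web"},
  "spec":{"containers":[{"name":"app","securityContext":{"privileged":true}}]}},
 {"kind":"Pod","metadata":{"namespace":"kube-system","name":"node-agent"},
  "spec":{"securityContext":{"runAsNonRoot":true},
   "containers":[{"name":"agent","securityContext":{"privileged":true}}]}},
 {"kind":"Pod","metadata":{"namespace":"shop","name":"api"},
  "spec":{"securityContext":{"runAsNonRoot":true},
   "containers":[{"name":"api","securityContext":{"allowPrivilegeEscalation":false}}]}}
]""")

# Illustrative rules: id -> (test on effective securityContext, remediation text).
RULES = {
    "privileged": (lambda sc: sc.get("privileged") is True,
                   "set securityContext.privileged: false or file an exception"),
    "privilege-escalation": (lambda sc: sc.get("allowPrivilegeEscalation") is not False,
                             "set securityContext.allowPrivilegeEscalation: false"),
    "root-user": (lambda sc: sc.get("runAsNonRoot") is not True,
                  "set securityContext.runAsNonRoot: true and use a non-root user"),
}

# Hypothetical reviewed exceptions: "namespace/pod/container" -> waived rule ids.
EXCEPTIONS = {"kube-system/node-agent/agent": {"privileged", "privilege-escalation"}}

def audit(manifests, exceptions):
    """Return (failures, waived) as lists of (target, rule id, remediation)."""
    failures, waived = [], []
    for m in manifests:  # input is assumed to contain Pod objects only
        meta, spec = m["metadata"], m["spec"]
        pod_sc = spec.get("securityContext", {})
        for c in spec.get("containers", []):
            sc = {**pod_sc, **c.get("securityContext", {})}  # container overrides pod
            target = f"{meta.get('namespace', 'default')}/{meta['name']}/{c['name']}"
            for rule, (violates, fix) in RULES.items():
                if violates(sc):
                    waive = rule in exceptions.get(target, ())
                    (waived if waive else failures).append((target, rule, fix))
    return failures, waived

if __name__ == "__main__":
    failures, waived = audit(MANIFESTS, EXCEPTIONS)
    for tag, items in (("FAIL", failures), ("WAIVED", waived)):
        for target, rule, fix in items:
            print(f"{tag} {target}: {rule} -> {fix}")
    sys.exit(1 if failures else 0)  # non-zero exit stops the pipeline stage
```

Run as a pipeline step, the script fails the stage for `shop/web/app` while the excepted node agent is reported as waived rather than raising the same flag on every run.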