The way enterprises design, build and run applications has changed significantly over the past several years with the evolution of microservices and containers. No longer are applications built using a monolithic architecture—evenly stacked and centrally organized in a way that made it easy to manage and secure. Today’s modern applications are spread out in thousands of microservices across data centers and the cloud—able to be spun up and down wherever users log in.
While microservices provide reusable elements to accelerate software development, the software supply chain itself could become an attack vector. In an effort to enable business agility without putting the enterprise at risk, organizations need to infuse security directly into DevOps processes and throughout the software supply chain at large. This makes security everyone’s responsibility—whether they are a user, a developer or a platform owner—to protect the applications that are consumed for work and for life.
The Rise (and Risk) of Kubernetes
Microservices applications need Kubernetes as an orchestrator to handle scheduling of containers in a cluster of servers, load balancing those containers, managing permissions and access control and many other Day 2 concerns. Kubernetes wasn’t the first orchestrator, but its rapid adoption makes it the de facto standard today for running scalable and resilient containerized applications. According to CNCF, 83 percent of enterprises use Kubernetes in production, and Gartner predicts that up to 15 percent of enterprise applications will run in a container environment by 2024. This makes Kubernetes a key technology in accelerated digital transformation initiatives.
Hackers are well aware of the increasing importance of Kubernetes in enterprise networks and see the technology as another attack vector. In fact, 97 percent of enterprises have security concerns that relate to containers and Kubernetes, according to VMware’s recent State of Kubernetes survey.
And, honestly, they have reason to be concerned. Risks in container security include:
- Images with critical vulnerabilities
- Containers running with the privileged flag
- Unrestricted communication between containers
- Containers running rogue or malicious processes
- Containers not properly isolated from hosts
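Several of the risks in this list are visible in the pod manifest itself before anything is deployed. The following is an added example (not VMware's code or any Kubernetes tooling) that audits a pod spec for the privileged flag, shared host namespaces, hostPath mounts, missing hardening fields and unpinned images, and checks whether a namespace carries a default-deny NetworkPolicy so containers cannot talk to each other without an explicit allow. The two pod manifests, the NetworkPolicy, the `payments` namespace and the `example.internal` image names are all constructed for the example; in practice the dicts would come from `yaml.safe_load` on the real manifests.

```python
"""Audit Kubernetes pod manifests for the container risks listed above.

Added example, not VMware's or Kubernetes' own code. Manifests are
constructed inline as Python dicts (the shape yaml.safe_load returns)
so the script runs offline with no cluster access.
"""
from typing import Dict, List

# Constructed sample: a pod spec that triggers most of the listed risks.
RISKY_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "risky-app", "namespace": "payments"},
    "spec": {
        "hostPID": True,        # shares the host's process namespace
        "hostNetwork": True,    # shares the host's network stack
        "containers": [{
            "name": "app",
            "image": "example.internal/app:latest",   # mutable tag, not a digest
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "root", "mountPath": "/host"}],
        }],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    },
}

# Constructed sample: the same workload with a hardened securityContext.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "hardened-app", "namespace": "payments"},
    "spec": {
        "containers": [{
            "name": "app",
            # Placeholder digest (all zeros); a real manifest pins the built image's digest.
            "image": "example.internal/app@sha256:" + "0" * 64,
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

# Constructed sample: a default-deny policy selecting every pod in the namespace.
DEFAULT_DENY_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "payments"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}


def audit_pod(pod: Dict) -> List[str]:
    """Return one human-readable finding per risky setting in the pod spec."""
    findings: List[str] = []
    spec = pod.get("spec", {})

    # Host namespace sharing weakens the container/host boundary.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{flag} shares a host namespace")

    # hostPath volumes expose the node filesystem to the container.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']} mounts host path {vol['hostPath'].get('path')}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {name} runs privileged")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"container {name} allows privilege escalation")
        if not sc.get("runAsNonRoot"):
            findings.append(f"container {name} may run as root")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"container {name} does not drop all capabilities")
        image = c.get("image", "")
        if "@sha256:" not in image:
            findings.append(f"container {name} image {image} is not pinned by digest")
    return findings


def namespace_has_default_deny(policies: List[Dict], namespace: str) -> bool:
    """True if some NetworkPolicy selects all pods in the namespace and allows nothing."""
    for p in policies:
        if p.get("kind") != "NetworkPolicy" or p["metadata"].get("namespace") != namespace:
            continue
        spec = p.get("spec", {})
        types = set(spec.get("policyTypes", ["Ingress"]))
        selects_all = spec.get("podSelector") == {}
        allows_nothing = not spec.get("ingress") and not spec.get("egress")
        if selects_all and allows_nothing and {"Ingress", "Egress"} <= types:
            return True
    return False


if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "no findings")
    print("payments default-deny:", namespace_has_default_deny([DEFAULT_DENY_POLICY], "payments"))
```

Run as a pre-merge check on the manifests in a repository, the same checks map to a Pod Security admission policy or an admission controller in the cluster, so that a manifest which fails here is also rejected at deploy time.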
Infusing Security into DevOps
The only way enterprises will truly enjoy the agile benefits of digital transformation and modern applications is to ensure microservices applications are as secure as traditional monolithic applications. The way to do this is to implement security throughout the development lifecycle—starting with the design stage through build, deploy and operate. Applications and the platform then need to be continuously monitored at runtime.
And, finally, it’s important to assume that attackers are already inside your network. Rather than focus on trying to secure the diminishing perimeter, enterprise security teams need to monitor east-west and north-south traffic and root out threats as they try to spread throughout the network.
My colleagues Haim Helman, CTO of Carbon Black App Security, and Manish Chugtu, enterprise technologist, recently walked through how you can secure the software supply chain with container network security. Watch the session and download our latest ebook, Container Network Security for Dummies, to learn more.