Today, we are excited to announce the first release of Container Security capabilities in the Carbon Black Cloud. Building on our Cloud Workload Protection solution announced at VMworld, our new Container Security offering supports VMware’s Intrinsic Security vision to protect data and applications wherever they live, for cloud native applications in Kubernetes environments. This release demonstrates our commitment to VMware’s Intrinsic Security vision, and our focus on delivering world class workload security solutions to help our customers build modern applications, operationalize security and collaborate more effectively across Security, Infrastructure, and Development teams.
In our first release, the Carbon Black Cloud will:
- Provide full visibility into on-premises and public cloud Kubernetes clusters to better identify and reduce the risks posed by misconfigurations.
- Help customers maintain compliance with customizable policies to ensure configuration doesn’t deviate from the desired state.
- Enable Security teams to integrate into the developer lifecycle to analyze and control application risks, from build to deployment in production.
Kubernetes Requires A New Approach to Security
As organizations embrace Kubernetes for developing and deploying applications, they also embrace its philosophy of configuration-as-code. Resources in Kubernetes are created based on specifications defined by the application developers. This new paradigm has given development teams a great deal of independence and agility, resulting in much shorter times to market for applications.
However, giving this power to developers creates the need to monitor and enforce policy over those configuration changes, to ensure that they do not introduce new security vulnerabilities that, when exploited, could compromise not only a single application but potentially the entire cluster. Distributed ownership also makes it hard to establish a common security standard across an organization when different teams have different levels of expertise in Kubernetes and container security.
Integrating Security into the Developer Lifecycle
With Kubernetes, we’re moving to immutable infrastructure, which means that security needs to be integrated earlier in the development lifecycle rather than applied as an afterthought. It gives teams who might not have security expertise control over the infrastructure, a responsibility they didn’t have before; business critical operations such as security have shifted left. Organizations moving to Kubernetes need to set boundaries for development teams through configuration and compliance policies, so that misconfigurations are avoided and critical changes to infrastructure after deployment are flagged for review. These policies must protect the complete development and deployment cycle without impacting development agility and speed to market.
Developers need a frictionless solution that oversees the whole CI/CD pipeline and lets them define a security policy in conjunction with security operators. This ensures the policy is applied at every stage of the process, so that the code being developed is checked at every step of the pipeline. When the workload moves into runtime, the requirements change: scanning features such as vulnerability management are needed to ensure the application is hardened and secure before the deploy stage.
Container Security with VMware Carbon Black
VMware Carbon Black Cloud helps organizations reduce risk, obtain compliance, and achieve simple, secure cloud-native Kubernetes environments at scale. With a simple, no-friction deployment process, this user-friendly solution provides the visibility and control that Development and Security teams need to secure Kubernetes clusters and the applications deployed on them. It provides everything you need to automate DevSecOps, delivering continuous cloud-native security and compliance for multi-tenant, multi-cluster Kubernetes workloads. Harness the power of Carbon Black Cloud Container for your build and deploy pipelines, with instant visibility into all your Kubernetes workloads, and the ability to enforce compliance, security, and governance from a single dashboard.
Capabilities that will be available in the first release (December 2020) focus on reducing the most risk and simplifying operations for Security and Development teams:
- Security Posture Dashboard – Provides a single pane of glass for complete visibility into your security posture across k8s clusters and namespaces, including visibility into rule violations and configurations.
- Prioritized Risk Assessment – Enables Security teams to focus on the most severe risks to Kubernetes environments with the ability to detect and prevent vulnerabilities before containers are deployed by scanning Kubernetes manifests at continuous integration (CI/CD), and on Kubernetes clusters.
- Governance & Enforcement – Ensures the integrity of your Kubernetes configurations through control and visibility of workloads that are deployed to your clusters. Customizable policies enforce secure configuration by blocking or alerting on exceptions.
- Compliance Policy Automation – Helps Security teams shift-left into the development cycle to detect and prevent vulnerabilities at build. Create automated, customizable policies to enforce secure configuration and ensure compliance with organizational requirements and industry standards such as CIS benchmarking.
- Custom Queries – Provide deep visibility into workload security posture and governance to ensure compliance, with the ability to freely explore Kubernetes workload configuration via customized queries.
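To make concrete what "scanning Kubernetes manifests at CI" and "blocking or alerting on exceptions" mean in practice, here is a small manifest policy checker. It is an added example written for this post, not Carbon Black's code and not its rule set: the rules (no host namespaces, no privileged containers, no privilege escalation, run as non-root, pinned image tags, resource limits) are common hardening checks chosen for illustration, the sample Deployment is constructed, and the `alert`/`block` modes are a hypothetical model of how a CI gate might report versus deny. Manifests are read as JSON so the script needs no YAML library; `kubectl apply --dry-run=client -o json -f deploy.yaml` produces that form from a YAML file.

```python
"""Minimal Kubernetes manifest policy checker (illustrative, added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample manifest: a Deployment with several deliberate misconfigurations
# in its first container and a hardened second container for contrast.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {
        "template": {
            "spec": {
                "hostPID": True,
                "containers": [
                    {"name": "app", "image": "example.internal/web:latest",
                     "securityContext": {"privileged": True}},
                    {"name": "sidecar", "image": "example.internal/log:1.4.2",
                     "securityContext": {"runAsNonRoot": True,
                                         "allowPrivilegeEscalation": False},
                     "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}},
                ],
            }
        }
    },
})


@dataclass(frozen=True)
class Violation:
    rule: str       # short rule identifier (hypothetical names)
    location: str   # where in the manifest the problem sits
    severity: str   # "high" or "medium"


def pod_spec(manifest: dict) -> dict:
    """Return the PodSpec for a bare Pod, or the embedded template spec of a controller."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_manifest(manifest: dict) -> list[Violation]:
    """Evaluate a handful of illustrative hardening rules against one manifest."""
    spec = pod_spec(manifest)
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    found: list[Violation] = []
    # Sharing host namespaces exposes the node to the container.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag) is True:
            found.append(Violation(f"no-{flag}", f"{name}.spec.{flag}", "high"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        loc = f"{name}.container[{c.get('name', '?')}]"
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            found.append(Violation("no-privileged", loc, "high"))
        # Absent fields count as violations: the secure value must be set explicitly.
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(Violation("disallow-priv-escalation", loc, "medium"))
        if sc.get("runAsNonRoot") is not True:
            found.append(Violation("run-as-non-root", loc, "medium"))
        # Require a tag or digest on the last path segment, and reject ":latest".
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]
        if ":" not in last or image.endswith(":latest"):
            found.append(Violation("pinned-image-tag", loc, "medium"))
        if not (c.get("resources") or {}).get("limits"):
            found.append(Violation("resource-limits", loc, "medium"))
    return found


def evaluate(manifest_json: str, mode: str = "alert") -> tuple[str, list[Violation]]:
    """Apply the policy: 'alert' reports and allows; 'block' denies on any high finding."""
    violations = check_manifest(json.loads(manifest_json))
    if mode == "block" and any(v.severity == "high" for v in violations):
        return "deny", violations
    return "allow", violations


if __name__ == "__main__":
    decision, issues = evaluate(SAMPLE_MANIFEST, mode="block")
    for v in issues:
        print(f"[{v.severity}] {v.rule} at {v.location}")
    print("decision:", decision)
```

Run against the constructed Deployment, the checker reports six findings (the host PID namespace and five for the `app` container) and, in `block` mode, returns `deny`; in `alert` mode the same findings are reported but the manifest is allowed through, which is the usual first step before a team turns a rule into a hard gate.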
Container image vulnerability scanning and runtime threat and anomaly detection capabilities will also be coming soon to help simplify DevSecOps and enable cloud native environments to be more secure, from development through runtime. Combined with native integrations with vSphere, Tanzu and NSX, we’re creating a unique and compelling solution to better secure workloads wherever they live.