In January of this year, Red Hat announced that it was acquiring StackRox, a leading provider of container and Kubernetes security software solutions. The acquisition was expected to add a number of complementary application security capabilities to Red Hat’s already impressive portfolio of Open Source solutions for application developers.
According to Red Hat, the addition of StackRox will function to, “…transform how application developers secure cloud-native workloads by expanding and refining Kubernetes’ native controls…and providing a cohesive solution for enhanced security up and down the entire IT stack and throughout the lifecycle.”
To learn more about the security and application development trends necessitating solutions like those offered by StackRox, and to discuss why the StackRox acquisition made sense for Red Hat, we sat down with Michael Epley, the Chief Architect and Security Strategist for Public Sector at Red Hat.
In this three-part Q&A interview series, we asked Michael about the security challenges that are unique to Kubernetes and containers, the ways in which StackRox can help development teams overcome these challenges, and the increasingly sophisticated cyber threat landscape that is making application security of paramount concern in the government today.
Here is what Michael told us:
GovDevSecOpsHub (GDSOH): Can you tell our readers a little bit about StackRox platform and what it’s used for?
Michael Epley: StackRox is a platform for continuous security for cloud native applications. The foundation of these applications today is containers and Kubernetes, because of the tremendous benefits they offer for development teams practicing DevOps principles.
Organizations turn to DevOps methods and tools to resolve the fundamental tensions that historically existed between developers and operations. Pulling security professionals into the same practices has given rise to DevSecOps. StackRox preserves these much sought-after DevOps benefits by introducing security controls, compliance, vulnerability analysis, and risk governance.
GDSOH: Why is securing containers and Kubernetes clusters so important? What unique security challenges do they create? How does StackRox help with this?
Michael Epley: Adapting security tools to the needs of containers and Kubernetes is essential as they both present unique risks and require specialized approaches. For example, Kubernetes is completely API-driven as one of its core design principles is “no backdoors.” Protecting this API while also allowing developers to build applications or SREs to maintain deployments is made possible through complex RBAC controls. Correctly configuring these without inadvertently creating security concerns or allowing access policy violations is difficult and error-prone.
The unique configuration and management of containers require a unique approach to security. Existing solutions take a VM-centric approach and attempt to apply the approach to containers and Kubernetes with varied success. StackRox recognized the change in development and operational workflows and sought to secure the new methodologies in a secure and scalable manner. The various new workflows along with the complexity of Kubernetes called for a tailored, solution to address the problem.
“Container base image layers are reused, often widely, making the potential impact of security threats and vulnerabilities significantly greater and warranting heightened scrutiny.”Michael Epley
StackRox focuses its security capabilities and policy context at the container, deployment, namespace, and cluster level to generate an application context recognizable for each unique application service. While containers offer process and tenant isolation as a core feature, They are only secure because of the correct application of namespaces, SELinux policies, kernel capabilities, users, storage mounts, and other configurable aspects.
Validation against these container safeguards is critical in a typically multi-tenant Kubernetes deployment and is performed by StackRox.
GDSOH: The application development community is increasingly turning to cloud native applications – software built as a collection of microservices that are developed and deployed in the cloud. How does the movement to cloud native applications impact application security and how does StackRox help in this regard?
Michael Epley: Like all useful applications, cloud native applications, by definition, need to be exposed over the network, but Kubernetes — via container network interfaces (CNI) — provides its own network endpoint management and routing layers and abstractions. Its network policies and objects are understood by StackRox, which can be tuned to detect and prevent over-provisioning of access and monitored for anomalous activity or indicators of threats.
Among the specialized approaches to cloud native security is an emphasis on full lifecycle concerns. StackRox delivers capabilities tailored to protect cloud native applications across the build, deployment, and runtime phases, with integrations into the major CI/CD platforms for policy enforcement.
Immerging container technologies pushed this specialized approach. Immutable container image layers force us to shift responses early in the supply chain – a so-called “shift-left” approach. StackRox provides vulnerability scans against languages in use, images, or included dependencies, CI/CD integration to catch usage of vulnerable images, and further correlates images against runtime deployments.
Container base image layers are reused, often widely, making the potential impact of security threats and vulnerabilities significantly greater and warranting heightened scrutiny. Should container processes be compromised, StackRox also monitors their activity from multiple sources to alert on threats. In-container events, Kubernetes-native alerts and activity, and system-level data can all be used to detect anomalous activity at deployment such as crypto-mining, privilege escalation, or other exploits.
“Visibility, automation, and rich policies are the keys to creating and enabling the feedback loops that accelerate our DevOps processes.”Michael Epley
Protection of containers and workloads is automated by StackRox’s native awareness of containers and Kubernetes. StackRox provides reliable visibility and inventory of cloud native application resources using the standard constructs of namespaces, images, pods, deployments, and other objects.
Similarly, automated and tailored responses using Kubernetes APIs can be configured when threats are detected, with overlapping enforcement points in the correct places for the type of response. StackRox makes use of admission controllers, gateways for all resources into Kubernetes to prevent further vulnerabilities from being reintroduced.
Implementing robust security governance is already a complex task for most enterprises in itself and helping ease this burden for security engineers is the primary function of StackRox. It can become daunting or nearly impossible when layered with relatively new, complex, and fast-changing technology ecosystems.
Securing a Kubernetes platform and containerized workloads are often only the first steps before governance and compliance take over. Stackrox allows users to accurately assess their risk based on Kubernetes specific threats and Kubernetes specific details of user’s deployments and workloads.
Compliance is tailored to the needs of these cloud-native technologies policy definition, taking into account container platform-specific standards such as NIST SP 800-190, and enforcement tailored via container build CI/CD pipeline integration and Kubernetes dynamic admission controllers. Simulations can be executed to evaluate the effect on compliance and risk of changes to policies before implementation — so changes can be made with confidence. Audit and continuous monitoring records can be captured by StackRox for compliance and accreditation purposes.
GDSOH: Why is a platform like StackRox essential in today’s modern DevSecOps environments? What changes are we seeing in application development that make a solution like this particularly important and timely?
Michael Epley: Tools like StackRox are essential, and always have been. Traditionally we just called these Anti-Virus (AV) or Anti-Malware (AM) when we worried about the simple, single host operating systems and the attacks targeting them. If Kubernetes is the “operating system of the cloud” we need the AV/AM equivalent for cloud/Internet scale threats.
Modern DevSecOps happens in the cloud to allow application developers to focus time and energy on delivering application code that offers business value and frees developers from having to worry about concerns that might otherwise slow this down. The entire goal is speed and scale. To execute at speed and scale, developers rely on two major factors: automation and feedback loops.
Visibility, automation, and rich policies are the keys to creating and enabling the feedback loops that accelerate our DevOps processes. Kubernetes is fundamentally an automation tool. Its declarative constructs allow developers and operators to inform the automation what their desired end state is, and then its resource controllers take over to realize that state.
“Implementing robust security governance is already a complex task for most enterprises in itself and helping ease this burden for security engineers is the primary function of StackRox. It can become daunting or nearly impossible when layered with relatively new, complex, and fast-changing technology ecosystems.”Michael Epley
Speed, scale –and I’ll add complexity– mean an increased risk of making the errors that StackRox guards against. These errors can include failures to correctly express the DevOps intent, understanding the impacts of this intent, and failures of automation to convert intent to implementation. Capabilities like StackRox’s built-in network policy analyzer, and container security policy all help reduce these errors alongside pipelines, including tools like KubeLinter, from expressions of the application developer’s intent.
The network policy analyzer – in particular – helps safely navigate the compounded complexity of modern network-centric microservice-oriented applications, component tagging and naming metadata, Kubernetes’ ingress and egress components, network policy objects, anomalous traffic flows, and software defined networks common to Kubernetes deployments.
Attackers are also operating at ever-increasing speed and scale. Proactively hardening and securing our systems to prevent the rapid initial loss of control is critical and we must be ready to respond quickly to detect threats at using StackRox Runtime Defense and reassert control if threatened. To do so, we need to understand the threats in more detail, including the risks to our systems and data, and the vulnerabilities we must guard against.
Each of these aspects is linked to the underlying implementations, making it critical to use platforms like StackRox that operate natively on Kubernetes and container platforms. StackRox provides detection and automated responses to known, published Kubernetes and container-specific vulnerabilities, such as privilege escalation attacks (eg, CVE-2018-10021) or man-in-the-middle threats (eg.,CVE-2020-8554) by watching the threat feeds from trusted sources like CISA, MITRE, and Red Hat security researchers.
We can also measure and prioritize the risk against vulnerabilities tailored to the native technologies’ strengths — for example, a container that mounts only read-only ephemeral storage is generally going to present less risk than the exact same container mounting a read-write shared back end. Knowing what threats are important or which are mitigated via other protections allows DevSecOps practitioners to focus their limited time and resources on the biggest risks.
Naturally, StackRox itself is also implemented as a cloud-native application — a set of containers and Kubernetes — allowing it to keep up with the pace and scale of the application and platforms it is safeguarding. It is also protecting itself against the same threats and vulnerabilities to ensure protections of the security-critical components for the enterprise.
To learn more about Red Hat’s acquisition of StackRox, click HERE.