KubeCon San Diego Pancakes: Shifting Cloud Native Security All the Way Left
Palo Alto Networks sponsored this podcast. Palo Alto’s Prisma is the industry’s most complete cloud security suite, helping customers accelerate their journey with risk visibility and consistent security.
Many IT teams begin moving their applications to containers and Kubernetes after their managers mandate the switch. Then, in the rush to deploy, they may forget, or simply delay, some fundamentals. Only six to 12 months later does integrating security into their CI/CD pipeline become a priority.
This gradual evolution toward cloud native security best practices is worrisome, but it’s the norm among organizations adopting Kubernetes today. This is what we learned from a panel of cloud native security experts at The New Stack’s pancake and podcast from KubeCon+CloudNativeCon North America this week. The New Stack founder and publisher Alex Williams was joined on the panel by:
- Keith Mokris, product marketing manager, container security at Palo Alto Networks.
- Maya Kaczorowski, product manager at Google.
- Santiago Torres-Arias, Ph.D. student at New York University Center for Cyber Security.
- Sarah Allen, co-chair of the Cloud Native Computing Foundation’s (CNCF) Security Special Interest Group (SIG).
- Sean M. Kerner, senior editor at InternetNews.com.
Cloud Native Security Shifts Left
Security practices have evolved along with cloud native technologies, which are built on DevOps practices. Developers now expect all aspects of cloud native technologies to work in the same iterative, declarative and automated way, security included, the panelists agreed. They need to deploy to production quickly.
Similarly, security is no longer just the realm of operations teams. Developers are increasingly responsible for securing the applications they build as security “shifts left” to the beginning of the software development life cycle.
“Ideally, you would give developers feedback as early as possible that they are not doing something securely,” Kaczorowski said. “Because unless you’ve built a CI/CD pipeline that’s really fully integrated from code to build to test everything, you probably don’t have the capability to do that today. You’re probably giving them feedback at the very last step.”
“If you’re going to shift left, shift all the way left,” Kerner quipped.
Open Source Tools Aid Cloud Native Security
While it’s easier and faster to integrate cloud native security practices into the software delivery pipeline from the start, most teams are building these practices in as they migrate more workloads to Kubernetes and become familiar with the development methods and tools, Kaczorowski said. “Then [they’re] maturing and getting into the CI/CD pipeline and getting into more complex policy management.”
There are, however, several ways that open source projects, vendors and IT teams themselves can improve security practices in the software development life cycle so that teams no longer need to compromise between going fast and being secure.
Building tools to make software development practices “secure by default” is not only helpful, but it’s also necessary for the health of the Kubernetes ecosystem, Allen argued. The companies building those tools have a responsibility to make security practices easier to implement.
“Open source projects, the tools, have to work a little bit harder to build in secure practices,” she said. “We can’t leave everything to the developers… ‘Okay, here’s a sharp knife. It’s sharp on both ends, wear gloves, and we don’t have any gloves for you.’”
Using cloud native security tools, IT teams can also set goals for the migration to cloud native and track metrics such as how long it takes to patch vulnerabilities in their workloads. Are they patching faster, and does that improve their security posture? Teams also need a good communication plan and policies in place so that others in the organization know what needs patching.
“Maybe not secure by default, but secure by intention,” Kerner said. IT can provide a set of policies to help developers build and deploy independently while still maintaining a level of control that reduces risk.
While the integration of security into CI/CD pipelines and processes and tooling is still emerging, open source projects such as the Cloud Native Computing Foundation’s Open Policy Agent and In-toto, and Google’s Grafeas and Kritis, are helping to address these needs.
But it’s important to remember that tools are not the answer, Torres-Arias said. “You can’t catch everything with tools. You have to work with your team, a group of humans, to evaluate risk.”
Mokris agreed. “Step one, like everyone here has shared is, I want to get visibility. I want to start prioritizing risk,” he said. “But then ultimately, how do I just even get these teams communicating at my organization to understand we all have different roles and responsibilities to contribute with all these different abstraction layers that are also a challenge.”
KubeCon+CloudNativeCon and the Cloud Native Computing Foundation are sponsors of The New Stack.