When we last checked in with container security firm StackRox, it was focused on covering the entire lifecycle from build to runtime, with a feedback loop to better add security information earlier in the process.
Now it’s doubling down on Kubernetes and building on top of the security capabilities already offered in the orchestration platform.
“There’s a ton of great and powerful features being built into Kubernetes and the platform is meant to be hugely extensible, so we’ve really drawn on that framework to provide some innovative security capabilities aligned to things specific to Kubernetes,” said Wei Lien Dang, StackRox vice president of product.
Supporting a range of orchestrators forced the company to offer the “lowest common denominator in orchestrator capabilities” and meant it couldn’t adequately support some customer environments, according to a blog post explaining the focus.
The enhancements added in its v2.4 release:
- Deployment-Centric Visibility — Rather than focusing on the image used to launch a container and its provenance, it’s concerned with the metadata and context around that deployment. It gives security and DevOps teams a single view of all their deployments and pods across namespaces and clusters to address misconfigurations that can leave an environment exposed.
“What StackRox is doing is giving security the same view, the common language to collaborate with DevOps to address security issues with their applications,” Dang said.
“We’ve seen the emergence of new vulnerabilities with Kubernetes — there was that flaw discovered last month. Vulnerabilities exist, and what we’re giving customers is better context around how a particular vulnerability could be exploited within their environment based on certain conditions or circumstances that might be present at any given time.”
- Multi-Factor Risk Profiling, which takes into account information such as labels, privileges, network reachability, and running processes. It considers whether an application is running in production, whether it’s exposed to the Internet and whether it uses secrets.
“Not all the information for that is available across orchestration platforms,” he said. “Kubernetes has secrets built in, so we can tie into that, where other platforms don’t have that capability built in.”
Kubernetes exposes information via API, and StackRox wants to build upon that.
“We’re not looking to replicate secrets-management functionality; we want to use the information that’s already built in via Kubernetes to help customers manage their secrets more effectively,” he said.
- Network Policy Management using the native controls in Kubernetes to ensure segmentation at the network layer is scalable, consistent and portable across environments. StackRox has added a network graph to let customers visualize their allowed traffic, a policy recommendation engine for a particular application, and a policy simulator that takes network policy YAML files and shows how a proposed change would affect an application’s security risk.
The recommendation engine points to potential changes to configured network policies to scope down allowed access based on what a deployment actually requires, Dang said.
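To make the two ideas above concrete, here is an added example (written for this page, not StackRox's code) of what a minimal policy simulator and recommendation step look like against native Kubernetes NetworkPolicy semantics. The cluster, pods, observed flows and policies are all constructed inline; policies are Python dicts with the same shape as the NetworkPolicy YAML you would get from yaml.safe_load, so nothing needs to be installed. Only matchLabels selectors, podSelector, namespaceSelector and numbered ports are modelled; ipBlock, matchExpressions, named ports and egress are assumptions left out of scope.

```python
"""Minimal Kubernetes NetworkPolicy ingress simulator (added example, not StackRox code)."""
from collections import defaultdict

# Constructed sample cluster: namespace labels are needed for namespaceSelector.
NAMESPACE_LABELS = {
    "prod": {"env": "prod"},
    "monitoring": {"env": "prod", "team": "sre"},
    "dev": {"env": "dev"},
}

# Constructed pods and observed flows (what a network graph would have collected).
FRONTEND = {"namespace": "prod", "labels": {"app": "frontend"}}
API = {"namespace": "prod", "labels": {"app": "api"}}
PROMETHEUS = {"namespace": "monitoring", "labels": {"app": "prometheus"}}
DEBUG = {"namespace": "dev", "labels": {"app": "debug"}}
FLOWS = [
    {"src": FRONTEND, "dst": API, "port": 8080},
    {"src": PROMETHEUS, "dst": API, "port": 9090},   # metrics scrape, legitimate
    {"src": DEBUG, "dst": API, "port": 8080},        # dev pod poking prod, unwanted
]

# A hand-written proposal that only lets the frontend in (dict form of the YAML).
PROPOSED = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "api-ingress", "namespace": "prod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                     "ports": [{"port": 8080, "protocol": "TCP"}]}],
    },
}

def selector_matches(selector, labels):
    """An empty selector matches everything; every matchLabels pair must be present."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def peer_matches(peer, src, policy_ns):
    """One entry of an ingress rule's `from` list versus the source pod."""
    if "ipBlock" in peer:
        return False  # assumption: pod-to-pod only, ipBlock not modelled
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, NAMESPACE_LABELS.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False  # podSelector alone is scoped to the policy's own namespace
    return pod_sel is None or selector_matches(pod_sel, src["labels"])

def port_matches(ports, port, protocol):
    """Absent or empty `ports` means any port; protocol defaults to TCP."""
    return not ports or any(p.get("port") == port and p.get("protocol", "TCP") == protocol
                            for p in ports)

def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    """Pods selected by no ingress policy accept everything; once selected,
    traffic must match an ingress rule of at least one selecting policy."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selector_matches(p["spec"].get("podSelector"), dst["labels"])]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            froms = rule.get("from")
            src_ok = not froms or any(peer_matches(f, src, p["metadata"]["namespace"]) for f in froms)
            if src_ok and port_matches(rule.get("ports"), port, protocol):
                return True
    return False

def blocked_flows(policies, flows):
    """Simulate a policy set: the observed flows it would drop."""
    return [f for f in flows
            if not ingress_allowed(policies, f["src"], f["dst"], f["port"], f.get("protocol", "TCP"))]

def recommend_policy(name, namespace, target_labels, flows):
    """Least-privilege ingress policy allowing only the observed flows that reach
    pods carrying target_labels: one rule per distinct (namespace, labels) source."""
    by_src = defaultdict(set)
    for f in flows:
        d = f["dst"]
        if d["namespace"] == namespace and selector_matches({"matchLabels": target_labels}, d["labels"]):
            key = (f["src"]["namespace"], tuple(sorted(f["src"]["labels"].items())))
            by_src[key].add((f["port"], f.get("protocol", "TCP")))
    rules = []
    for (src_ns, src_labels), ports in sorted(by_src.items()):
        peer = {"podSelector": {"matchLabels": dict(src_labels)}}
        if src_ns != namespace:
            peer["namespaceSelector"] = {"matchLabels": dict(NAMESPACE_LABELS[src_ns])}
        rules.append({"from": [peer],
                      "ports": [{"port": pt, "protocol": pr} for pt, pr in sorted(ports)]})
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": {"matchLabels": target_labels},
                     "policyTypes": ["Ingress"], "ingress": rules}}

if __name__ == "__main__":
    for f in blocked_flows([PROPOSED], FLOWS):
        print("PROPOSED would block", f["src"]["labels"], "->", f["dst"]["labels"], f["port"])
    rec = recommend_policy("api-ingress", "prod", {"app": "api"}, FLOWS[:2])
    print("recommended rules:", len(rec["spec"]["ingress"]), "blocks:", blocked_flows([rec], FLOWS))
```

Running the simulator against PROPOSED shows it would drop the Prometheus scrape as well as the dev pod, which is exactly the kind of side effect you want to see before applying a policy. Feeding only the flows you consider legitimate into recommend_policy yields a policy that keeps the frontend and monitoring traffic and blocks only the dev pod; the cross-namespace source gets both a namespaceSelector and a podSelector, because a podSelector on its own is scoped to the policy's namespace.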
The StackRox Container Security Platform is deployed as containers using Kubernetes YAML files or Helm charts. It supports self-managed clusters; managed services such as Amazon EKS, Azure AKS, and Google GKE; and Kubernetes distributions such as Red Hat OpenShift and Docker Enterprise Edition.
While the company might focus on other technologies later, Dang said of its Kubernetes focus: “That’s the direction we’re going because that’s where companies are going in regard to orchestration.”
Multiple recent surveys show increased enterprise adoption of Kubernetes, which The New Stack’s Lawrence Hecht attributed to three factors: 1) more organizations are using containers in production; 2) Kubernetes has emerged as the leading orchestration platform; 3) organizations are choosing to adopt Kubernetes earlier in their cloud native voyage.
In an episode of The New Stack Makers podcast last month, Rancher co-founder Shannon Williams discussed the recent Kubernetes vulnerability (CVE-2018-1002105) and the work to plug the Kubernetes security holes.
The New Stack is a wholly owned subsidiary of Insight Partners. TNS owner Insight Partners is an investor in the following companies: Docker.