The RSA Conference — “Where the World Talks Security”—begins today. It’s a perfect time to take a hard look at security, and to investigate new solutions that help us all stay ahead of attacks and minimize risks. The team from Styra and Open Policy Agent will be there—eager to discuss advances in security for the cloud-native world.
The RSAC agenda is chock-full of dynamic presentations — Kara Swisher! Astronauts! — but one thing doesn’t appear to be getting extensive coverage yet: Kubernetes. Styra will be discussing Kubernetes security guardrails on Wednesday at 10 am, but we know that the conversation is bigger. Like, really big. Because Kubernetes—rapidly increasing in popularity—not only revolutionizes the way we build and deploy applications, but also opens the door to new operational, security, and compliance risks. Yet a quick search of the RSAC site shows that Kubernetes appears only a handful of times. The time is now to build security into containerized apps and Kubernetes environments. Companies that unite their development teams with security, compliance, and audit folks will be best prepared to both mitigate risk—and accelerate app delivery.
The need for speed
Kubernetes is taking off because it speeds app delivery—but K8s also introduces a host of new risks. Too often, security for microservices and K8s is handled as tribal knowledge, where policies are checked manually and individuals have to remember to get processes right. It’s a world of security best intentions. We all know where that leads.
Security best practices and mandates are all well and good, but when it comes to the actual enforcement, are rules being truly enforced in your modern application infrastructure? It’s time to bridge the gap between security best practices and actual policy-as-code. We must meet DevOps’ goals of automation and simplification, while still enforcing compliance guardrails to prevent human error, minimize risk, and get Kubernetes security right.
Today’s reality is that businesses are running legacy systems AND Kubernetes
True, the reality is that cloud-native is here. But it’s also true that enterprises are still running older technologies. AIX, Cobalt, old hardware, and more are all still in the mix. So while teams are scrambling to keep up with security best practices for new solutions, the reality is that many teams are facing huge workloads; they’re not yet able to shift focus entirely to the newest things—Kubernetes and all that it implies. There’s seemingly no end to the backward management that IT security needs to handle. Speaking from experience—it’s exhausting! And as work continues to evolve, as all of us adapt to new habits and relearn processes, we find that “traditional work models aren’t nimble enough and adaptive, nor scalable,” as detailed in IDC’s January 2020 “Future of Work: Strategies for the New Work Experience” report.
However, the good news here is that the new crop of security is built to work with modern pipeline automation and “as-code” models which reduce both error—and exhaustion. Policy-as-code solutions allow security teams to do things once, then push them off to developers; security can check in and make sure the process is done right, but it shouldn’t require ongoing manual work. There simply isn’t time for that.
Feel overwhelmed? Underprepared? Unfamiliar? You’re not alone
Just like “the old days,” it takes care and consideration to manage risk. Without guardrails, modern containerized environments are no more secure than yesterday’s monolithic apps. We’ve seen very real risks, across industries and maturity levels:
A telecommunications company’s “whack-a-mole” model of enforcement slowed time to market, eliminating the advantages of modern pipeline automation and process.
A global automotive company struggled to support its growing developer base, and accidentally allowed an external load balancer that stole all internet traffic and redirected it to non-production code.
A major bank—with trillions in assets—was trying to stay on top of role-based access control policy over 31 million roles (yes, 31 million) spread across over 10,000 applications. The bank had multiple “inadvertent data disclosures” and a public breach.
The risks are real, but so are the advantages. It’s not right to turn a blind eye to progress. Instead, the most efficient, safest way for DevSecOps to provide the “continuous governance and compliance” required in this fast-paced environment is through policy-as-code.
Policy as code reduces risks posed by best intentions, inconsistencies and errors
Policy-as-code allows DevSecOps teams to enforce business policy within, and around, modern applications. Significant benefits include:
Automation: Policy and security become consistent, secure, and un-get-aroundable, without the need to scale out staff as apps scale.
Speed: When policy is codified directly into infrastructure and GitOps processes, developers can focus on delivering quickly, and not slowing down to remember (or worse, re-invent) security along the way.
Reduced operational risk: Policy-as-code guardrails are like super-sophisticated bumper bowling – by defining what can and cannot occur, you save time and rework costs, since you take the “gutter balls” (human error) out of the equation.
All these “as-code” benefits are available through the open source Open Policy Agent (OPA) project, and through Styra’s Declarative Authorization Service (DAS). Both provide developers with the tools they need for policy-based control of cloud-native environments, offering solutions for access control, compliance management, container security, policy management, and security architecture.
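To make the “guardrail” idea concrete, here is an added example of what the automotive case above (an accidentally exposed external load balancer) looks like as policy-as-code. It is not code from this post, from Styra, or from the OPA project; it is an OPA Rego policy written for this page. It assumes OPA is deployed as a Kubernetes validating admission webhook and so receives the standard AdmissionReview document as `input`; the package name `kubernetes.admission`, the namespace names in `external_ok`, and the Service name `web` used in the tests are all made-up assumptions for the example. The `import rego.v1` line assumes OPA 0.59 or later.

```rego
package kubernetes.admission

import rego.v1

# Added example policy, not part of the original post or the OPA/Styra projects.
# Input shape assumed: the Kubernetes AdmissionReview that OPA receives when
# running as a validating admission webhook (input.request.*).

# Namespaces that are permitted to expose Services to the internet.
# Assumption for this example: only these two namespaces carry production traffic.
external_ok := {"prod-web", "prod-api"}

# Deny any Service of type LoadBalancer outside the allowed namespaces, so a
# developer cannot accidentally route public traffic to non-production code.
# Evaluated on both CREATE and UPDATE, so editing a ClusterIP Service into a
# LoadBalancer is caught as well.
deny contains msg if {
	input.request.kind.kind == "Service"
	input.request.object.spec.type == "LoadBalancer"
	ns := input.request.namespace
	not external_ok[ns]
	msg := sprintf(
		"Service %q in namespace %q may not be of type LoadBalancer; external exposure is limited to %v",
		[input.request.object.metadata.name, ns, external_ok],
	)
}

# --- Unit tests: run with `opa test policy.rego` ---------------------------

# Constructed AdmissionReview fragment (only the fields the policy reads).
service_review(ns, svc_type) := {"request": {
	"kind": {"kind": "Service"},
	"namespace": ns,
	"operation": "CREATE",
	"object": {
		"metadata": {"name": "web", "namespace": ns},
		"spec": {"type": svc_type},
	},
}}

test_loadbalancer_in_dev_is_denied if {
	review := service_review("dev", "LoadBalancer")
	count(deny) == 1 with input as review
}

test_loadbalancer_in_prod_is_allowed if {
	review := service_review("prod-web", "LoadBalancer")
	count(deny) == 0 with input as review
}

test_clusterip_in_dev_is_allowed if {
	review := service_review("dev", "ClusterIP")
	count(deny) == 0 with input as review
}
```

The point is not the particular rule but where it lives: the check is evaluated by the API server on every admission request, is version-controlled alongside the application, and has tests that fail in CI if someone loosens it. That is the difference between “remember not to expose dev services” as tribal knowledge and a guardrail that cannot be forgotten.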
What’s your take?
If you’re at RSAC, swing by to say hi—and to discuss best practices for navigating around Kubernetes risks. We’ll be discussing this on Wednesday, February 26, from 10–10:20am PST in the session “Best Intentions Do Not Equal Risk Prevention: Where are your K8s security guardrails?” (Session code BC-W2ESE). Hope to see you there!