With the acquisition of my company, StackRox, by cloud-native technology vendor Red Hat, it seems like a good time to reflect on the state of cloud-native security. Security in the cloud has been my life for the past five years, and it’s changed very quickly as new cloud-native platforms have taken over the industry. We’ve had to create new tools and approaches to meet the latest technologies and workflows of today’s cloud, and we will need to keep evolving them to meet the challenges of tomorrow’s. Before we get into the future of cloud-native security, though, let’s look at where we started in the distant past of … seven years ago.
Our industry started focusing on basic security hygiene for containers, which formed the basis for “container security.” While container-related technologies had existed for over a decade, Docker provided the toolset that popularized the Linux container as a standard distribution format for applications, making it widely accessible and adopted. While it started with developers building and running containerized apps on their local machines, Docker containers rapidly found their way into many software environments.
Suddenly, with thousands of applications being distributed via Docker Hub, people realized this new, rapidly emerging layer of the stack created new security problems. One of the most straightforward to address first was preventing vulnerable software from being introduced into production environments. Container image scanning became commonplace, with many options available, including open-source scanners like Clair and OpenSCAP, paid offerings like Black Duck, and scanners proprietary to cloud providers.
“The Clair team built it in 2015 to detect vulnerabilities as soon as images were pushed to a registry. By making your container contents more visible, we helped mitigate the distribution of vulnerable applications across servers and workstations. This may sound historical, but many popular public container images are still vulnerable,” remarked Louis Delossantos of the Clair project.
Image scanning was “good enough” for most users since they were still running containers in a limited context, such as non-sensitive web apps or strictly in development and testing. But then organizations started running containers in production, and everyone had to think about baseline security best practices for the underlying container infrastructure. This led to the Center for Internet Security (CIS) Benchmark for Docker and to other tools and guidelines, such as those published by the National Institute of Standards and Technology (NIST). A few platforms, like OpenShift and CoreOS, extended this approach with security modules to further lock down the operating system on the underlying nodes.