This post originally appeared on DevOps.com.
If you work in DevOps, you’ve likely heard the mantra that DevOps success is all about the right people, tools and processes.
Below, we take a look at how you can address the “tools” part of that equation when it comes to security. Specifically, we’ll discuss which questions to ask and what features DevOps teams should look for when choosing a security tool for today’s cloud native infrastructures.
Background: What is Cloud Native, and What Does It Mean for DevOps?
Our discussion is informed by two main considerations. First, we’re going to focus on the security challenges that arise in cloud native environments—which means those built with technologies that include, but are not limited to, containers, serverless functions and (of course) virtual servers.
Second, we’ll focus on the security needs of DevOps teams. Although DevOps positions may not explicitly involve security, we now live in the age of DevSecOps, and everyone on the DevOps team has a role to play in keeping infrastructure and applications secure. In this article, we’ll consider which types of tools are best suited to help DevOps teams do that while also promoting the visibility and collaboration that are essential parts of a healthy DevOps strategy.
So, those are our goals. Now, let’s look at the questions you should ask as you evaluate cloud native security platforms for a DevOps organization.
What are you actually securing?
This question may seem obvious—so obvious that you may not give it much real thought. But because today’s infrastructures and environments vary so widely, it’s important to step back and figure out what, exactly, you need to secure.
Are your workloads running in containers? Are you also using serverless functions, or do you plan to add them? How are you orchestrating your workloads? (With the native orchestrator provided by your cloud vendor, Kubernetes running as a service, your own Kubernetes build, or something else?) Which new cloud native technologies do you expect to adopt in the future?
Answering questions like these is important in order to ensure that you choose a security platform that can support all of your current and future cloud native environments. In most cases, you’ll find that security platforms that are purpose-built to secure a range of environments (not just containerized ones, which are usually the focus of most self-proclaimed “modern” security platforms) are the best and safest fit for your needs.
What are your security threats (and how can you stop them)?
This is another question that might seem overly obvious. But here again, the fast-changing nature of threats means that it’s worthwhile to take some time to assess what your threats actually are.
Keep in mind, too, that the threats faced by your particular team, or the app you deliver, may be different from those that threaten other teams. This is one place where the DevOps principle of cross-organization communication is crucial for effective security management.
Which layers does the security platform secure?
Scanning container images for known vulnerabilities is good. On its own, however, it hardly amounts to a complete container security strategy. The same could be said for setting up a firewall or locking down access control.
In order to achieve true security, you need to secure all layers of your infrastructure (including those managed by other teams) against all vectors of attack. For that reason, you want a cloud native security platform that is designed for holistic security, not a tool that only secures one or two layers.
Where does the security platform get its vulnerability information?
When it comes to identifying vulnerabilities, security platforms can get their information from lots of sources. They could look at a public CVE database, or at a list supplied by the tool’s vendor.
The best security platforms, however, will pull vulnerability data from multiple sources. After all, if you’re only relying on one data source to figure out where the threats are, you are unlikely to catch them all—and just like in the world of Pokémon, catching them all is one of your main priorities for DevOps security.
How automated is the platform?
Automation is the mother of DevOps (or something like that).
What I mean is that without automation, you can’t do DevOps very effectively.
You also, incidentally, can’t do cloud native security unless you rely heavily on automation. That’s because the highly dynamic nature of containerized, serverless and other cloud native environments means that trying to interpret all of the data they generate, identify vulnerabilities, and react to them manually just doesn’t work. That’s why you want a cloud native security platform that automates wherever and whenever possible.
You should still expect to have to perform some tasks manually, of course (which is actually a good thing—if we could automate everything, DevOps engineers wouldn’t need to exist anymore). But to the extent possible, your security platform should automate your security-related workflows.
Interested in learning more? Check out these 7 Tips to Navigate Operationalizing DevSecOps.