Tackling Security in the World of Containers, Hybrid Cloud, and DevSecOps

Traditional perimeter-based network security comes up short in the new world of containers and hybrid cloud.

More organizations are transforming their businesses by embracing DevOps principles, microservice design patterns, and container technologies such as Docker and Kubernetes. But, as traditional infrastructure evolves to a mix of bare metal, virtual, cloud, and container environments, security teams are increasingly finding it challenging to keep up with the shifting risks, compliance requirements, tools, and architectural changes introduced by new technologies.

Organizations value the portability of containers and Kubernetes, and many plan to deploy them across different environments, but they need to be security-aware as they do so.

These increasingly popular technologies can help organizations improve processes such as configuration management, patch management, compliance, and governance. Furthermore, they can enable and improve collaboration between different teams, which is even more important when dealing with hybrid IT environments. A 2021 survey of more than 500 DevOps, engineering, and security professionals found that 47% of respondents run their containers in a hybrid setting, compared to 28% who run only in public cloud.

Shift-left mentality

Too often, security is treated as a final add-on in the software development process and is siloed, with little interaction with development and IT operations teams. Organizations need security that runs the same way no matter where workloads are deployed, which means it must be tightly integrated into development and operations. That integration is what DevSecOps aims to deliver.

“DevSecOps is a culture shift in the software industry that aims to bake security into the rapid-release cycles that are typical of modern application development and deployment, also known as the DevOps movement,” according to CSO. “Embracing this shift-left mentality requires organizations to bridge the gap that usually exists between development and security teams to the point where many of the security processes are automated and handled by the development team itself.”

Layered security approach 

Traditional perimeter-based network security comes up short in the new world of containers and hybrid cloud. Security must expand to wherever the data lives, whether it’s on premises, in the public cloud, or at the edge. 

According to Lucy Kerner, Red Hat’s Director, Security Global Strategy and Evangelism, “A layered approach to security is key and requires plans for data security, software supply chain security, cloud and containers security and management, compliance and governance, and people and processes.”

Security must integrate seamlessly with the organization’s infrastructure, tools, and workflows to deliver fine-grained security throughout the stack and lifecycle. Otherwise, it could increase the workload or negatively impact business operations.

This won’t happen overnight. Security teams must rethink their approach to security with automation and DevSecOps, which aims to address and monitor security continuously across the entire application lifecycle, infrastructure lifecycle, and software supply chain. This is essential to ensure that organizations can smoothly and fully integrate security into their application and deployment environments and future architectural plans, maximize the value of existing tools, and facilitate key workflows.

Organizations can build, deploy, and run security-focused applications on top of a hybrid cloud using DevSecOps practices. With containers, Kubernetes, and cloud services, organizations can do DevSecOps at scale.  

Copyright © 2021 IDG Communications, Inc.