This post was authored by Michael Santarcangelo, founder of The Security Catalyst, host of Business Security Weekly, and former contributing editor for CSO Online. This post is sponsored by Layered Insight.
Are you feeling overwhelmed? Struggling to keep pace?
Security must adapt to the constant shifts across our ecosystem. At the same time, the adoption of agile and similar approaches moves faster than security can. Many organizations struggle with monthly scans and the resulting actions they require. Modern container approaches require daily scans. The result is often a lot of friction between teams and frustration around security.
“The next wave of security is all about protecting applications, users, and data,” says Matt Alderman, Chief Strategy & Marketing Officer at Layered Insight. “Our focus is protecting the application, which means protecting containers at runtime. By embedding security within the container, Layered Insight solves the portability and scalability challenges of other container security solutions without impacting development or operations.”
Embrace the changing role of security
The role of security is changing from operations to governance. This means guiding internal teams and third parties. It places a premium on the knowledge and skill of security professionals while supporting other teams to move at the pace they need. This change also reveals how existing tools struggle to provide the visibility and control needed to fulfill the governance role. The solution lies in embracing the technology and approaches of the teams we support. The container becomes the focal point for security because it’s the central foundation for the application. Containers are the bridge to actually building security into the process.
What it looks like when done right
The right approach to containers catches security up without holding anyone back. It takes a combination of empowering developers to scan and fix on their own and building security into the process. Developers build. When ready, they scan their build and get rapid feedback on any needed changes. This approach keeps pace with developers while letting them address security concerns as part of the development process. The key is injecting security into the container image with the visibility and controls baked in from the start. As a result, the orchestrator only picks up properly scanned and instrumented images.
Even more benefits from this approach
Most people deploy containers in virtual machines. Why? Because security is embedded in the virtual machine. Of course, this defeats the purpose of using containers. That’s why we need to embed security into the container. No more curious violations of least privilege in an effort to enforce security. The benefit of embedding security into the container is a dramatic reduction of friction between teams and a cost savings on the operation.
As Richard Seiersen, CISO at Lending Club, explains:
“Security with low friction and low cognitive load wins in a software-defined world. If your capabilities create development drag and restrict deploy – you and those you protect will lose. Layered Insight’s security model targets this reality with a ‘deploy fast anywhere’ intent.”
Make the changes now to overcome friction
Instead of struggling to keep pace, act now to reduce friction and improve results. Gain the visibility and controls you need to boost your security posture. Adopt the right approach to container security by empowering developers and building security in. Too good to be true? It’s easier than you realize. Our Security Weekly Partner, Layered Insight, shows you how. Matt Alderman has created a series of short videos, blogs, and eBooks to walk through the process. To learn more, visit layeredinsight.com.