Guests: Glen Kosaka | Fei Huang
Company: SUSE
Show: TFiR: T3M

As a pioneer of Linux and open source, SUSE has a rich history of helping companies with their digital transformation and mission-critical computing. In this episode of TFiR: T3M, Swapnil Bhartiya sits down with two guests from SUSE — Head of Product Security Glen Kosaka and VP of Security Strategy Fei Huang — to discuss the evolution of security, particularly in Kubernetes and cloud-based infrastructures. 

Key highlights of this video interview:

Kosaka and Huang have been working in the security space for over 20 years. They were there when virtual machines came out, then containers, Kubernetes, and eventually serverless. As technologies evolve, so does the security for those technologies. They are excited to be part of the whole cloud and Kubernetes container movement, and to focus on security for those specific infrastructures and use cases.

With Kubernetes and cloud-based infrastructures, security has shifted to the declarative model:

  • Traditional security model: reactive, declare all the bad stuff you want to block via blacklists, constantly chase signature keywords, maintain a huge virus database which can slow down processing and make it difficult to scale.
  • Declarative security model: proactive, declare the state of what you want, define the right behavior your application should always do. It provides a way to do zero trust at runtime and is a better fit for the cloud environment.

Traditional security teams know how to operate next-generation firewalls, but don’t know about the dynamic, declarative nature of Kubernetes. Operations and developers are being asked to care about security issues (e.g., what network connections are allowed, what process and file activities should be allowed in their app), but they don’t understand zero-day attacks and deep packet inspection well enough to maintain runtime security. There is currently an educational process, and subsequently a cultural change, going on with these teams.
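To make the contrast between the two models concrete, here is an added example (not code from the interview, SUSE, or NeuVector) that evaluates the same constructed runtime events against a signature-style blocklist and against a declared allowlist of the process, network, and file behaviour a workload is supposed to have. The workload name, policy values, and events are all assumptions constructed for illustration.

```python
"""Blocklist vs. declarative (allowlist) runtime policy for one container workload.
Constructed example: a web app that should only run nginx, talk to one backend
and write under /var/cache/nginx; anything not declared is a violation."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str    # "process", "network" or "file"
    detail: str  # process name, "host:port", or file path

@dataclass(frozen=True)
class AppPolicy:  # declared good behaviour; everything outside it is a violation
    processes: frozenset
    egress: frozenset
    write_paths: frozenset

# Traditional model: enumerate known-bad items (constructed, not a real feed).
BLOCKLIST = {("process", "xmrig"), ("network", "c2.invalid:4444")}

# Declarative model: state what the workload is supposed to do.
WEB_POLICY = AppPolicy(
    processes=frozenset({"nginx"}),
    egress=frozenset({"backend.svc:8080"}),
    write_paths=frozenset({"/var/cache/nginx/"}),
)

# Constructed runtime events; the last three carry no known-bad signature.
SAMPLE_EVENTS = [
    Event("process", "nginx"),
    Event("network", "backend.svc:8080"),
    Event("process", "xmrig"),
    Event("process", "curl"),              # novel tool, no signature
    Event("network", "198.51.100.7:443"),  # unexpected egress
    Event("file", "/etc/passwd"),          # write outside declared path
]

def blocklist_verdict(ev: Event) -> str:
    return "block" if (ev.kind, ev.detail) in BLOCKLIST else "allow"

def declarative_verdict(policy: AppPolicy, ev: Event) -> str:
    if ev.kind == "file":  # prefix match for paths, exact match otherwise
        ok = any(ev.detail.startswith(p) for p in policy.write_paths)
    else:
        ok = ev.detail in {"process": policy.processes, "network": policy.egress}.get(ev.kind, frozenset())
    return "allow" if ok else "violation"

def compare(policy: AppPolicy, events) -> list:
    """Return (event, blocklist verdict, declarative verdict) for each event."""
    return [(ev, blocklist_verdict(ev), declarative_verdict(policy, ev)) for ev in events]
```

Running `compare(WEB_POLICY, SAMPLE_EVENTS)` shows the blocklist catching only the one event it has a signature for, while the declared policy flags the novel process, the unexpected egress, and the out-of-scope file write without any signature update.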

Vulnerability management, compliance, auditing, and things like that are very specialized fields. While companies need them to look at vulnerabilities, figure out which ones are most impactful, and figure out how to remediate those and track those, they also need a traditional security team to diagnose zero-day attacks during runtime, investigate if there is a kill chain in progress, or what data is being compromised.

At the recent RSA Conference, they spoke on the topic of “zero effort, zero trust security.” The idea is to strike a balance between making things easier for developers and not taking away the advanced capabilities.

SUSE customers run the gamut:

  • Some have embraced the whole dynamic declarative, automated security-as-code, infrastructure-as-code, and integration of DevSecOps – kind of combining traditional security with modern security.
  • Other companies are stuck in the old culture: they have silos, they’re trying to apply traditional security concepts to a modern architecture, and the security team doesn’t really talk to the operations, cloud, or development teams.

Production-grade security is not a one-point solution. The full stack (operating system, orchestrator, Kubernetes, container engine, application workloads) needs to be secured. SUSE does that with its Linux OS, Rancher Prime, and NeuVector for zero trust container security.

Advice for companies looking to improve their security posture:

  • It’s a journey of many steps, so start taking the first steps and go as far and fast as your organization can.
  • If you’re starting out, do vulnerability scanning. Use other traditional tools around it.
  • Make sure you are on that journey to get to the modern cloud declarative, zero-trust security model.
  • Start with something quick and easy. Do more based on your situation or your plan. (SUSE has a step-by-step security guide for Kubernetes. It is something you can do quickly to get some level of security.)
  • Think full stack, i.e., secure all the layers of software infrastructure.

This summary was written by Camille Gregory.