IT Briefcase Exclusive Interview: Kubernetes Security & Compliance: How Software Development is “Shifting Security Left”
July 3, 2019
Tim Hinrichs, CTO and co-founder of Styra and co-founder of the Open Policy Agent (OPA) project, sees Kubernetes security and compliance evolving rapidly. Here he shares his view of how software development teams are “shifting security left”: moving policy enforcement toward prevention early in the delivery pipeline rather than detection at runtime.
- Q. What are some challenges to Kubernetes security and compliance?
A. Kubernetes (K8s) has matured. Companies aren’t just investigating how to use Kubernetes, but are moving to full-fledged production deployments. As that happens, companies are going to have to address new security and compliance issues. We’ve seen many people turn to RBAC to try to solve these issues, but it’s just too coarse. This has led to expanded use of admission controllers as companies look for ways to lock down production risk and prevent missteps in production.
App developers shouldn’t be expected to be security experts. Instead, DevOps and DevSecOps teams are working to address security challenges and compliance issues directly in the environment, to free dev teams to focus on delivering code quickly. We expect a paradigm shift in the enterprise development lifecycle where policy and compliance will move to a declarative model. DevOps will shift policy left to detect and prevent issues and ensure compliance much earlier.
- Q. How is security shifting left?
A. “Shifting Left” is an established practice in software development. The focus is on problem prevention rather than detection; the focus is on early testing. “Shifting Security Left” is the same principle, from a security perspective. Security policy works best when it eliminates risk early, vetting security issues from the early phases of development. The goal is to prevent security concerns from cropping up at the end of the delivery pipeline, or worse, at runtime.
Developers need the right toolset to detect issues and ensure compliance early. Policy enforcement capabilities for development at code check-in and for continuous integration at the build/test phase will prove to be essential to this process.
- Q. What role does open source software play in this shift?
A. We see the role of open source in the cloud-native world first hand. Since authorization and policy are growing more complex than ever, we at Styra launched the Open Policy Agent project back in 2016 to help meet this need. OPA recently moved from the Cloud Native Computing Foundation (CNCF)’s sandbox to the incubating stage, and we’re seeing the multiplier effect that has in the community through further increased interest and adoption.
OPA provides decoupled policy enforcement, with greater flexibility and expressiveness than hard-coded service logic or ad-hoc domain-specific languages. Whether it’s Kubernetes admission control, HTTP API authorization, remote access, data filtering or all the custom integrations out there, we’re seeing once again that open source projects can indeed provide enterprises with the solutions they need. It’s key to bring in the varied expertise of a strong community, to innovate and accelerate delivery, without adding risk.
- Q. What are the advantages of policy-as-code?
A. Policy-as-code is a way to get security right in the cloud-native world. Not only is it really the only way to secure today’s software-defined infrastructure, but it can also be created, tested, validated, and managed as part of established DevOps processes. It just makes sense to include policy as part of CI/CD. This type of automation is the best way to address needs for compliance and regulation, and to ensure that policies have the intended effect: to mitigate risk, reduce errors, and speed development.
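To make the preceding answers concrete (admission controllers as a finer-grained control than RBAC, OPA as the Kubernetes admission decision point, and policy that is unit-tested in CI before it is enforced), here is an added example of an OPA admission-control policy written in Rego together with its unit tests. It is illustrative code written for this page, not code from the interview, from Styra or from the OPA project. It assumes the standard OPA Kubernetes admission integration, in which the API server's AdmissionReview request is bound to `input`, and it assumes a hypothetical trusted registry host `registry.example.com`; the `rego.v1` import requires OPA 0.59 or later.

```rego
# Added example (not the project's own code). Policy and tests share one
# package here for brevity; in practice the test_* rules live in a separate
# *_test.rego file so they are not loaded into the admission controller.
package kubernetes.admission

import rego.v1

# Rule 1: no container in a Pod may run privileged.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some container in input.request.object.spec.containers
	container.securityContext.privileged == true
	msg := sprintf("container %q must not run privileged", [container.name])
}

# Rule 2: every image must come from the trusted registry (hypothetical host).
deny contains msg if {
	input.request.kind.kind == "Pod"
	some container in input.request.object.spec.containers
	not startswith(container.image, "registry.example.com/")
	msg := sprintf("container %q pulls %q from an untrusted registry", [container.name, container.image])
}

# AdmissionReview response handed back to the API server. The uid must echo
# the request uid or the API server rejects the response.
main := {
	"apiVersion": "admission.k8s.io/v1",
	"kind": "AdmissionReview",
	"response": response,
}

response := {"uid": input.request.uid, "allowed": true} if count(deny) == 0

response := {
	"uid": input.request.uid,
	"allowed": false,
	"status": {"reason": concat("; ", deny)},
} if count(deny) > 0

# ---- Unit tests, run with: opa test . ----

# Constructed AdmissionReview request (not a real capture) for the tests below.
pod_review(containers) := {"request": {
	"uid": "11111111-2222-3333-4444-555555555555",
	"kind": {"kind": "Pod"},
	"object": {"spec": {"containers": containers}},
}}

test_compliant_pod_allowed if {
	review := pod_review([{"name": "app", "image": "registry.example.com/app:1.0"}])
	main.response.allowed == true with input as review
}

test_privileged_pod_denied if {
	review := pod_review([{
		"name": "app",
		"image": "registry.example.com/app:1.0",
		"securityContext": {"privileged": true},
	}])
	main.response.allowed == false with input as review
	count(deny) == 1 with input as review
}

test_untrusted_registry_denied if {
	review := pod_review([{"name": "web", "image": "docker.io/library/nginx:latest"}])
	main.response.allowed == false with input as review
}

test_both_violations_reported if {
	review := pod_review([{
		"name": "web",
		"image": "docker.io/library/nginx:latest",
		"securityContext": {"privileged": true},
	}])
	count(deny) == 2 with input as review
}
```

The same file serves both halves of the "shift left" story: `opa test .` runs the `test_*` rules in CI so a policy change that would start denying existing workloads fails the build before it reaches a cluster, and the identical `deny` rules are what OPA evaluates at admission time once the policy is distributed. One caveat a practitioner should keep in mind: admission control only sees objects as they are created or updated, so a policy added after workloads are already running does not retroactively evict them; you still need to evaluate existing resources (for example with `opa eval` against exported manifests) to find pre-existing violations.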
- Q. How does Declarative Authorization support Kubernetes security?
A. Styra’s Declarative Authorization Service (DAS) provides compliance guardrails, based on dynamic business context. It’s a way to define and enforce the desired state of your clusters at a very granular level – to move away from tribal knowledge and paper-based policy, to true policy-as-code for Kubernetes:
- Simplifying policy authoring. Styra provides a built-in library of security best practices and policies, all derived from real-world use cases.
- Policy validation prior to enforcement. Users can pre-run policies for impact analysis before deployment. DevOps can see current violations in the running clusters, as well as how new policy changes would have affected previous workloads – it’s like using the past to predict the future, for more confident and accurate deployment.
- Policy distribution and enforcement. Styra leverages OPA as the policy decision point on each Kubernetes cluster, to enforce policies and provide status and audit information for Ops validation.
- Continuous monitoring. Once policies are in place, Styra continuously monitors decisions for violation of current policy, to ease remediation efforts.
- Policy visualization. All the monitoring data is provided in high-level visualizations, including denials and audit violations. These help non-dev teams like compliance, audit or IT security prove compliance with internal and external regulations.
Tim Hinrichs is co-founder and CTO of Styra. After receiving his PhD in Computer Science at Stanford and doing postdoctoral work in computer security at the University of Chicago, he worked with Nicira and VMware.