
Evolving DevSecOps to Include Policy Management


Key Takeaways

  • The development landscape is flooded with tools, and with more demands being placed on engineers, the traditional role of a developer has left a gap for organizations to address in order to get the most out of DevOps. Closing the gap requires companies to take a secure, continuous, iterative approach that also includes policy management.
  • Without a thorough implementation of policy management tools, compliance and security will hamper efficiency in agile and DevOps and interfere with critical go-live deadlines — and that’s not an option in a fast-paced business environment.
  • Companies that accept policy management in DevSecOps as a way of development and have adopted some level of policy management best practices tend to operate more efficiently.
  • According to the Nirmata State of Policy Management report, the top use case for policy management is Kubernetes Admission Control (31%).
  • By having a framework in place, teams can operate more smoothly, leading to more secure code committed more frequently, and a minimized level of security and compliance errors reported by the QA team.

Policy management is essential to scale cloud environments and is key to secure DevOps practices. It enables organizations to manage policies put in place that secure the cloud environment, ensure Kubernetes configurations are secure, and enable the continuous monitoring of a company’s overall security posture.

As businesses migrate workloads across multi-cloud architectures to achieve the agility and scalability needed to keep up with the pace of digital transformation, the growing demands placed upon developers often leave a gap that exposes potential threats and risks in configuration settings, making security an even greater focus in DevOps. In fact, IDC's 2020 survey found that 67% of breaches in the cloud are caused by misconfigured applications or infrastructure, including some of the industry’s largest breaches, such as Marriott’s second breach.

To add to this, the first State of Policy Management report, published by Nirmata, the creators of the CNCF project Kyverno, revealed that nearly 50% of users in cloud native environments have now adopted some level of policy management solution.

This tipping point of mainstream adoption across production cloud native environments makes it critically important for DevOps teams to look at their practices and to simplify and operationalize policy management across their Kubernetes stack, eliminating vulnerabilities through built-in, curated policies without the barrier of learning complex policy languages.

But this widespread adoption also nods to the idea that organizations are finally realizing the need to put attention, investment, and innovation into addressing security and compliance gaps as they adopt Kubernetes through proper DevSecOps practices and tools, so applications being built can empower businesses.

To confidently build cloud applications in Kubernetes, DevSecOps teams need to lay the foundation that avoids pitfalls by accepting these DevSecOps realities and apply policy management effectively.

Customization Creates Security Risks

Kubernetes can be highly customized, but as organizations scale, DevSecOps teams need visibility into what is happening in each cluster to ensure application reliability and security. Container exploits such as malware installation, crypto mining, host access, and privilege escalation open the door to further security vulnerabilities. Weaknesses can exist in images, in production-accessible container registries, in failed builds, and in third-party admission controllers running in Kubernetes clusters.

To address these risks in applications running on Kubernetes, it’s important to protect your environment with 3 A’s: Authentication, Authorization, Admission. This should be done at the cluster layer which enables secure access to authenticated entities that are authorized to perform certain actions. One way to accomplish this is through policy management. In fact, according to the State of Policy Management report, the top use case for policy management is for Kubernetes Admission Control (31%).

When a request is authorized, having a policy in place ensures the request goes through another set of filters. For example, an authorized request may be rejected by an admission controller due to quotas or due to other requests at a higher priority. In addition to validation, admission webhooks can also mutate incoming requests as a way of processing request objects for use before reaching the Kubernetes API server.
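As an added illustration (not from the article, and not a policy shipped by the Kyverno project or Nirmata), the following Kyverno ClusterPolicy shows both admission behaviours described above in one object: a validate rule that rejects any Pod requesting `privileged: true`, and a mutate rule that fills in safer defaults when the submitter left `runAsNonRoot` and `allowPrivilegeEscalation` unset. The policy name, the failure message and the choice of `Enforce` are assumptions made for this example.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-admission-baseline      # example name, not a stock Kyverno policy
spec:
  validationFailureAction: Enforce  # reject non-compliant requests at admission
  background: true                  # also report existing resources that violate the rule
  rules:
    # Validate rule: an authorized request is still rejected if any container,
    # init container or ephemeral container asks for privileged mode.
    - name: disallow-privileged
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged containers are not allowed in this cluster."
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
    # Mutate rule: the +() anchor adds a field only when it is absent, so a
    # manifest that already sets these values is left untouched.
    - name: add-securitycontext-defaults
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            securityContext:
              +(runAsNonRoot): true
            containers:
              - (name): "*"
                securityContext:
                  +(allowPrivilegeEscalation): false
```

Before gating production with a policy like this, running it with `validationFailureAction: Audit` records violations in Kyverno's PolicyReport resources without blocking workloads, which shows how many existing manifests would be rejected once the action is switched to `Enforce`.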

Configuration Issues

Container images, namespaces, runtime privileges, persistent storage, and the control plane, together with network policies that do not follow best practices, are sources of misconfiguration and risk exposure. This potential for greater risk exposure has led configuration management to become a key driver of policy management adoption. In the Nirmata State of Policy Management report, it ranked third among security tools adopted today and fourth in organizations’ plans for future adoption.

There are several ways to define security policies to protect cloud environments. Policies can be used for auditing purposes, to reject pod creation, or to mutate the pod and limit what it can do. By default, pods can receive traffic from any source and send traffic to any destination. Network policies allow you to limit the ingress and egress access for your pods. The network policy typically translates to firewall rules.
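The ingress and egress restriction described above, as an added example that is not part of the article: a default-deny NetworkPolicy for a namespace, followed by a targeted policy that allows one workload to accept traffic only from a frontend and to reach only cluster DNS. The namespace name `payments`, the labels `app: payments-api` and `app: frontend`, and port 8080 are constructed for this example; the `kube-dns` selector assumes the default CoreDNS labels in `kube-system`.

```yaml
# Example 1: select every pod in the namespace and declare both policy types.
# With no ingress/egress rules listed, all traffic in both directions is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments            # constructed namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Example 2: re-open only what the API pods actually need.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-api-allow
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api          # constructed label
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only pods labelled app=frontend in this namespace may connect, and only on 8080.
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Allow name resolution via CoreDNS; everything else stays denied by the
    # default-deny policy above, so an exfiltration attempt to an arbitrary
    # external address is blocked at the pod's network boundary.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

NetworkPolicy objects are accepted by the API server on any cluster, but they are enforced only by a CNI plugin that implements them; on a cluster whose network plugin ignores them, the manifests above are applied without error and have no effect, which is worth checking before relying on them as a control.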

Lack of Adequate Authorization

Cloud authentication allows authorized users to securely access information stored in the cloud, with authentication provided through cloud-based services. In the State of Policy Management report, key findings revealed that more than 24% of respondents today are using tools like policy management to authenticate users accessing applications. With data theft being one of the fastest growing and most expensive cybercrimes, the ability to process information and have strong authorization measures needs to be part of DevSecOps best practices.

In Kubernetes environments, after a user request is authenticated, it goes through an authorization workflow which decides whether the request should be granted. It evaluates the request attributes against all policies and allows or denies the request. The main authorization mechanism is role-based access control (RBAC). Each authenticated request has an HTTP verb like GET, POST, or DELETE, and authenticated entities have a role that allows or denies the request. Other authorization mechanisms include attribute-based access control (ABAC), node authorization, and webhook mode.
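To show the RBAC mechanism concretely, here is an added example (not from the article) of a namespaced Role that grants only the read verbs on pods, bound to a single service account. The namespace `payments`, the service account `deploy-monitor` and the object names are constructed for this example.

```yaml
# A Role is scoped to one namespace; a ClusterRole would apply cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: payments              # constructed namespace
rules:
  - apiGroups: [""]                # "" is the core API group (pods, services, ...)
    resources: ["pods"]
    verbs: ["get", "list", "watch"]  # maps to HTTP GET; no create/update/delete
---
# The RoleBinding attaches the Role to a subject. Using a ServiceAccount rather
# than a human user keeps the grant tied to one workload identity.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deploy-monitor-read-pods
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: deploy-monitor            # constructed service account
    namespace: payments
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

The grant can be verified without sending a real request: `kubectl auth can-i list pods --namespace payments --as=system:serviceaccount:payments:deploy-monitor` answers `yes`, while the same check for `delete pods`, or for `list pods` in another namespace, answers `no`. Reviewing bindings this way is a quick check for roles that have accumulated verbs such as `*` or resources such as `secrets` that the workload does not need.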

Embracing DevSecOps is key to ensure software development workflows and tooling have adequate guardrails and control for increased security and compliance.

Here are five ways to rethink policy management in DevSecOps: Integrate Security and Compliance, Place in Guardrails, Create a Framework, Develop a Centralized Update Management System, Automate Processes.

Integrate Security and Compliance

With the adoption of cloud services being operated by a distributed workforce, security and compliance has become increasingly important, yet it is even more challenging to implement. Having governance controls and practices in the development pipeline is critical to manage threats and risks across the Kubernetes clusters and the applications running on those clusters. This means knowing how to use the tools to build guardrails and secure defaults into the pipeline to ensure compliance with security policies.

For example, a policy might pertain to vetting the supply chain of an application, which should prompt security teams to learn to script those policies or figure out how to use API calls to collect the information for every build and get that into a dedicated inventory type of system, so it becomes easier to ensure processes and controls are being followed during the development lifecycle.
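One way to express a supply-chain vetting policy as admission-time enforcement rather than a script, as an added example that is not from the article or the Kyverno project: a Kyverno rule that refuses to admit any Pod whose images from a given registry path do not carry a valid signature. The registry prefix `registry.example.com/payments/*` and the public key are placeholders for this example; the key must be the one that the organization's build pipeline signs images with.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images       # example name
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30         # signature lookup talks to the registry, allow time for it
  rules:
    - name: verify-payments-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Only images under this prefix are checked; other images are not
        # matched by this rule and fall through to whatever other policies apply.
        - imageReferences:
            - "registry.example.com/payments/*"   # placeholder registry path
          attestors:
            - entries:
                - keys:
                    # Placeholder: replace with the pipeline's signing public key.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      ...
                      -----END PUBLIC KEY-----
```

Because the check runs on every Pod creation, it also produces an audit record of exactly which image references were admitted under which policy, which is the kind of per-build inventory the paragraph above describes without requiring a separate collection script.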

Place in Guardrails

With the transformation to a cloud-first world, the rapid pace of software delivery required to enable businesses is challenging developers with increased responsibility in shorter cycle times. This acceleration is forcing organizations to build their security practices into the build pipeline.

In addition to integrating controls for ensuring code security, DevSecOps teams must now also acquire new skills to build guardrails into the pipeline to ensure compliance with policies across on-premises and cloud environments. This is where policy management tools can help deploy and enforce effective and agile intelligence guardrails to help reduce risk and prevent non-compliant configurations while enabling developers to focus on innovation.

Create a Framework

There are many users across the application lifecycle who may be managing policies, including developers, IT operations, security, and compliance professionals. You should create a framework with clear ownership for each member in the process.

For example, security and compliance testing traditionally happened at the end of a release cycle, which usually meant the development team received a list of issues that needed to be fixed. But in DevSecOps, security and compliance checks apply continuously, in every cycle. By having a framework in place, teams can operate more smoothly, leading to more secure code committed more frequently, and a minimized level of security and compliance errors reported by the QA team.

Develop a Centralized Update Management System

A centralized update management system can enable an organization to maintain security policies set by their security team — while also ensuring the process of creating new Kubernetes clusters is easy and automated. When using tools like Nirmata Policy Management to centrally manage the changes from a single view, it can be helpful to identify when clusters across the organization require upgrades.

With Kubernetes clusters being constantly provisioned and deleted, the ability to secure them and enforce policies is a major challenge. Added to this, open-source Kubernetes upgrades are released about every six months, with a consistent stream of patches in between. Managing the security and compliance of these upgrades can become burdensome for platform teams and slows the deployment of the most recent updates consistently.

Automate Processes

At the heart of scaling applications in Kubernetes environments, while maintaining regulatory requirements and security best practices is the ability to automate. It is foundational to make security processes repeatable so that keeping up with application delivery cycles and changes becomes easier. When security processes are automated, applications can better scale, which is especially helpful as cloud adoption continues to rise within organizations.

For example, by automating security, compliance tests and logging, large amounts of data can be collected and used to create an end-to-end audit trail without any manual intervention or extra time spent scouring through various tools to prepare compliance reports. With DevSecOps, traceability, compliance reporting, and the automation of testing allows for a secure development framework on a continuous basis.

As the trend of security moving further to the left in the application lifecycle accelerates, developers are being required to take active responsibility for it, which in turn creates a greater demand for automation. Rapid releases can expose applications to many vulnerabilities, raising the risk of a breach. With DevSecOps, organizations can transform the development pipeline by shifting security and compliance to the left, enabling developers to check the code before every commit. In doing so, security and compliance issues can be identified and fixed in development, saving the organization from the high costs and negative publicity of potential breaches.

There’s no doubt that Kubernetes is complex and challenging to adopt. On top of this, the development landscape is flooded with tools, and more demands are being placed on engineers. These shifts are changing the traditional role of a developer, leaving a gap for organizations to address in order to get the most out of DevOps. But by taking a secure, continuous, iterative approach that also includes policy management, companies can reduce the risk and exposure of their cloud environments.

The more mature an organization’s DevOps practices are, the stronger its security and compliance practices generally are - they grow in relation to each other. Companies that accept policy management in DevSecOps as a way of development and adopt some level of policy management best practices tend to operate more efficiently. With the right implementation tools like policy management and security and compliance best practices, organizations can remain efficient in agile and DevOps while adhering to critical go-live deadlines — which are not an option to miss in this fast-paced business environment.
