With the popularity of container environments on the rise, we’ve seen many Threat Stack customers undergoing infrastructure transitions of late. Whether they’re deploying containers for the first time or moving to container orchestration platforms, the shift is one that requires careful consideration when it comes to security. Often, however, organizations just don’t know where to begin in terms of integrating security with their evolving infrastructure.
Recently, I sat down with Pat Cable, Threat Stack’s Senior Infrastructure Security Engineer, to get his point of view on the challenges posed by evolving infrastructure and how Threat Stack can help ensure a secure transition.
Ray Suarez: When we talk about “evolving infrastructure,” what are the moves that you’re most often seeing customers make?
Pat Cable: Different classes of customers come to us at different stages of infrastructure development. Some are just starting out with containers and are excited about the easy, off-the-shelf solutions in this brave new world. Others already have established tech stacks and are starting to weigh their options and consider container orchestration platforms like Kubernetes. These are usually midsize organizations that are thinking about how they want to redeploy containers in their new environments.
Ray Suarez: What are some of the major challenges these organizations face as their infrastructure evolves?
Pat Cable: Any time you’re restructuring your infrastructure, it’s a struggle to simply find the time to do the work. You have all these existing processes and code, so it becomes a matter of figuring out what your roadmap looks like and deciding which parts of your infrastructure will work well in containers. Most of our customers have already invested heavily in their current infrastructure, so it’s a balancing act between dedicating time and resources to the old way and the new. We’re going to see this hybrid model stick around for a while.
There are also the questions of what to do about stateful apps when you move to a container infrastructure. For instance, putting databases in containers could be a risky move in this stage of container maturity (or operational maturity), so often folks stick to the hybrid model that I mentioned earlier. Realistically, many organizations will still have some servers and infrastructure that will be deployed in non-container form, so you’ll need to make decisions about what to containerize and what to leave behind while considering the operational complexity of keeping both of these worlds running.
Ray Suarez: What kind of role does security play in the conversation about infrastructure transition?
Pat Cable: It’s the age-old question of whether or not people are prioritizing security in the same way that they’re prioritizing operations. An orchestration platform like Kubernetes will force the issue of security on you at setup, but many companies don’t go beyond the basics of secure configuration. Once we start zooming out, there are a lot of other considerations that could fall by the wayside.
People always have the idea that they’ll deal with security once they get things up and running. It’s a nice idea, but even the best-intentioned have trouble keeping their focus on security once they’re operational. There’s always more work to be done, right? It’s important to be aware of the risks from the outset, because if you don’t know what you’re trying to protect against, the conversation about security will continue to be deferred.
The problem with security in general is that it seems abstract — until it’s not. You don’t know what the pain feels like, so you put it off until it’s too late. And dealing with an attack is always going to be more painful than getting security right in the first place.
Ray Suarez: So, what’s at stake? Why is a proactive approach to security so important during an infrastructure transition?
Pat Cable: Systems like Kubernetes are incredibly complex, so if you’re not approaching it with a security mindset from the beginning, you’re most likely going to make decisions that you’ll regret later on. There are organizations that get deep into deployment and then realize that they set the wrong parameters because they didn’t go through the exercise of determining their threat model. If you don’t have a highly skilled individual on your team, you can find yourself in a situation where it may be easier to completely redeploy than it is to reconfigure, which is obviously going to slow you down.
Ray Suarez: How does Threat Stack help to secure evolving infrastructure specifically?
Pat Cable: Threat Stack’s role in any infrastructure is as an insertion engine. As organizations build and deploy new infrastructure, they often make assumptions that their infrastructure is being built and deployed in a certain way. Unfortunately, they’re often mistaken, and Threat Stack provides deep visibility so they can see what’s actually going on. Once Threat Stack is installed, companies may suddenly see that developers are manually copying files, for instance. Our Cloud Security Platform® provides insight into what engineers are doing wrong so you’re able to improve the deploy pipeline.
At Threat Stack, we often say that “good operations is good security.” The visibility Threat Stack provides is incredibly helpful in knowing how to prioritize work in your organization, which is going to allow you to move more quickly and efficiently during an infrastructure transition.
What’s interesting about containers is that we went from one system doing one workload to containers running multiple workloads. When running a number of different containers on the same server, it can be difficult to gain visibility into your environment using standard tooling.
Threat Stack’s integration with Docker and with container orchestration tools like Kubernetes allows you to get that extra context you need to secure your infrastructure.
If you’re thinking of making a transition in your own infrastructure and are wondering where to start when it comes to security: