Kamal Shah, StackRox | Sumo Logic Illuminate 2019
Kamal Shah, CEO, StackRox sits down with Jeff Frick for Sumo Logic Illuminate 2019 at Hyatt Regency SFO in Burlingame, CA. #StackRox #SumoIlluminate #theCUBE

https://siliconangle.com/2019/09/17/why-securing-kubernetes-and-containers-cant-come-after-the-app-sumoilluminate-startupoftheweek/

Why securing Kubernetes and containers can’t come ‘after the app’

Where would hybrid information technology be today without containers? The virtualized method for running distributed applications zips workloads from on-premises to cloud and back. Kubernetes — the open-source platform for orchestrating containers — helped solve the challenge of running them at scale. Now, with more and more enterprises deploying containerized apps in Kubernetes, security is up for review. Are these technologies — so key to many companies’ IT — wandering about scantily defended from cyber threats?

It’s easy to see why most companies choose hybrid cloud over 100% public-cloud or on-prem environments. Estimates of hybrid adoption vary; 69% of organizations use at least one public cloud and at least one private cloud, according to the “RightScale 2019 State of the Cloud Report.” Some legacy applications might be safest on-prem, perhaps for compliance reasons; new, cloud-native apps may perform best in public cloud. Hybrid companies want to be able to change their minds; they want to be able to run apps in any environment and move them around easily.

“The underlying infrastructure that makes that a reality are containers and Kubernetes,” said Kamal Shah, president and chief executive officer of StackRox Inc., which was founded in 2014 to help enterprises secure their containerized, cloud-native applications at scale.

Still, there are some kinks to work out in hybrid and multicloud. Likewise, Kubernetes is not ancient. There has been a strong collective effort to mature and simplify Kubernetes for enterprise use over the last couple of years.
The Cloud Native Computing Foundation — the project’s home — and the wider open-source community, as well as various vendors, have made significant progress. Yet, there are still some green spots here and there. Security and data protection for Kubernetes is an area with a bit of uncertainty, an emerging set of new practices, and some promising startups.

Shah spoke with Jeff Frick, host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the Sumo Logic Illuminate conference in Burlingame, California. They discussed the unique security needs of Kubernetes and containers. (* Disclosure below.)

This week, theCUBE spotlights StackRox in its Startup of the Week feature.

Cloud-native security shows up bright and early

Security objectives for cloud-native technologies like Kubernetes are the same as those in traditional IT: Fortify the environment and enable speedy response and recovery in the event of a break-in. But the how of cloud-native security is quite different, according to Shah. The techniques and technologies involved must be agile enough for the brief life cycle of containers. Containers are immutable and ephemeral infrastructure.

“In a traditional monolithic application, you go spend six months building it, and then you can go spend a couple weeks or a month hardening and putting security around it. But when you’re launching applications every six hours, you can’t spend six days addressing security; it has to be built in,” Shah explained.

One of the most endorsed startups in cloud-native security — Twistlock Ltd. — shares Shah’s philosophy. To keep pace with cloud-native operations, security should be present at dress rehearsal, according to John Morello, chief technology officer of Twistlock.

“Cloud native has this notion of immutability and being able to take the same artifact from development to staging to production. That enables us to do things in a security fashion that you really haven’t been able to do in the past. As the developer builds the application, every build they do, Twistlock can scan that and see the vulnerabilities,” Morello told theCUBE last December.

Kubernetes’ knob problem

It is not just the container that needs securing; the orchestrator is just as important. Companies everywhere are deploying thousands or even tens of thousands of containers into production with Kubernetes. Many of them are now waking up to the lack of proper security measures in place, Shah stated. And the CNCF itself recently rallied its community to perform a Kubernetes security audit. The audit discovered 34 vulnerabilities on the platform.

...

(* Disclosure: TheCUBE is a paid media partner for Sumo Logic Illuminate. Neither Sumo Logic Inc., the sponsor for theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)