Securing Modern Applications - Solution Guide
Introduction
Overview
Kubernetes is improving operations concerns like resource utilization and spending, cloud migrations, and application upgrades. However, the challenge of meeting security and compliance requirements has increased.
According to VMware’s Kubernetes Survey, “security concerns for multi-cluster and multi-team Kubernetes use has become a focal point”.
In 2022, for 59% of organizations, the first challenge encountered in deploying Kubernetes is “Meeting security & compliance requirements”.
This year saw a rise in security concerns for multi-cluster and multi-team Kubernetes use. We asked people to choose up to two security concerns, and here is what they said:
What we see here are concerns that are driven by growing use. As organizations make Kubernetes available for use by other teams, you will want to make sure those new teams are following policy and that the team’s environments are isolated from each other. The focus on secure software supply chains that is going around in the industry now comes up as a concern as well, with a third of respondents pondering securing containers.
If you are putting together your Kubernetes plan, this means you should get ahead of these concerns and start planning for multi-team use right from the beginning. Applying security at the end is rarely ever fun.
The goal of Modern Apps Security is to shift security left and to involve the development team in container security, meaning that Dev, Sec, and Ops own security together.
Following this overview, the solutions guide provides information on individual products. This solutions guide will cover:
- Carbon Black Container
- Tanzu Service Mesh
- VMware CloudHealth SecureState
VMware Carbon Black Container
Product Overview
VMware Carbon Black Cloud Container enables enterprise-grade container security at the speed of DevOps by providing continuous visibility, security, and compliance for containerized applications from development to production—in any on-premises or public cloud environment. This solution provides security teams with visibility and the ability to enforce compliance while integrating seamlessly into existing DevOps processes to avoid adding operational complexity. With VMware, organizations can reduce risk,
Key Advantages for Modern Apps Protection:
- Gain complete visibility into the security posture of Kubernetes
- Enable prioritized vulnerability reporting
- Easily define and customize security policies
- Address vulnerabilities and misconfigurations at build
- Enable speed of delivery without compromising security
- Easily deploy and set up products
- Seamlessly integrate into the CI/CD pipeline and existing processes
Get Hands-On
At VMware, there are several ways to get hands-on with our products today. Launch the VMware Carbon Black Container Lab on VMware TestDrive: https://portal.vmtestdrive.com/products/intrinsic-security
Additional Resources
- To learn more about VMware Carbon Black products, visit our Product Paths in TechZone. Product learning paths are designed to take you from A-Z to understand everything from product overviews to optimization/best practice content per product.
- To learn more about VMware Security Solutions, visit our Solution Path in Tech Zone!
A solutions path is a curated learning experience designed to walk you through security challenges and how to get hands on and solve for your organization with VMware Security. Don't miss out on Securing Modern Applications - Solution Path: https://carbonblack.vmware.com/securing-modern-applications
- If you are trying to put the Dev into DevSecOps, the most critical piece in securing modern applications is notifying Dev early and often if something is not meeting security requirements. Watch this demonstration to see how VMware Carbon Black Container can integrate into your development pipelines.
- Kubernetes continues to gain traction as the leading open-source platform for managing containerized workloads and services. However, the increased agility, portability, and scalability are juxtaposed with susceptibility to vulnerabilities specific to Kubernetes environments. This session will analyze each of the four layers of the Kubernetes tech stack (code, container, cluster, cloud/on-prem data center) to uncover emerging threats and common security pitfalls to avoid. Gain insights into the vulnerabilities, how they came to be, and mistakes to avoid – all to help you strengthen your security posture.
VMware Tanzu Service Mesh
Product Overview
According to the Modern Bank Heists 5.0 report, 94% of the 130 banks surveyed suffered attacks via API. VMware Tanzu Service Mesh provides advanced, end-to-end connectivity, security, and insights for modern applications—across application end-users, microservices, APIs (Application Programming Interfaces), and data—enabling compliance with Service Level Objectives (SLOs) and data protection and privacy regulations.
VMware Tanzu Service Mesh - Connectivity and Security for Modern Applications
Key Advantages for Modern Apps:
- Multi-cloud and multi-runtime secure connectivity for distributed applications
- Zero Trust application security, with automated DevSecOps workflows
- Visibility and analytics across app end-users, microservices, APIs, and data
- PII detection and protection
Get Hands-On
VMware Tanzu Service Mesh HOL (Hands-On Lab): https://labs.hol.vmware.com/HOL/catalogs/lab/8509
Additional Resources
VMware Tanzu Service Mesh Product Page: https://tanzu.vmware.com/service-mesh
VMware CloudHealth Secure State
Product Overview
Reducing misconfigurations, monitoring malicious activity, and preventing unauthorized access are foundational activities necessary to ensure the security and compliance of applications and data in the cloud. As criminals become more sophisticated in their abilities to exploit cloud misconfiguration vulnerabilities, security teams need a smarter approach to prevent security breaches. CloudHealth Secure State is an intelligent cloud security and compliance monitoring platform that helps organizations reduce risk and protect millions of cloud resources by remediating security violations and scaling best practices at cloud speed.
Introduction to CloudHealth Secure State
Improve Visibility
Gain Real-Time Visibility Across Cloud & Kubernetes Infrastructure
Monitor multiple cloud providers and understand how a minor configuration change can elevate risk across connected cloud objects
- Quickly discover inventory, explore cloud topology, and drive investigations with a unified search engine for multiple cloud providers, regions, and accounts
- Detect security risks within seconds and monitor ephemeral cloud resources with an event-based approach that minimizes API calls to cloud
- In a single graph view, get deep security context including cloud resource relationships, misconfigurations, threats, metadata, and change activity
- Audit configuration changes and track progress developers make in resolving security and compliance violations across the organization and sub-projects
Define Governance Standards
Establish Security and Compliance Best Practices
Build a cloud security and compliance program to establish organization-wide standards and fine-tune policies
- Assess misconfiguration and compliance risk by automating benchmarks such as CIS, GDPR, HIPAA, ISO 27001, MITRE ATT&CK Cloud, NIST, PCI, & SOC 2
- Eliminate security and compliance blind spots by defining custom frameworks and rules specific to technical needs
- Reduce false positives and allow exceptions to security policies by automatically suppressing rules or findings based on pre-defined criteria
- Prioritize security of most vulnerable cloud resources with an intelligent risk-scoring algorithm that makes it easy to identify critical findings
Remediate Violations
Resolve Violations with a Secure Auto-Remediation Framework
Use automation to improve security and compliance posture and build guardrails that prevent mistakes
- Safely embrace auto-remediation with a framework that takes actions without write permissions to a customer cloud environment
- Mitigate risks at scale with a rich library of pre-defined remediation jobs and the ability to create custom jobs as code
- Click to fix known violations and precisely target resources based on filtering criteria such as a cloud provider type, region, account, or tag
- Proactively prevent mistakes by enabling guardrails that automatically resolve new violations that match specified filtering criteria
Increase Collaboration
Empower Developers and Streamline Security Operations
Automate cloud security operations in the company with an API-first platform that easily integrates with other IT, security, and developer tools
- Shift security left to proactively identify and resolve violations through API-based verification within CI/CD pipelines
- Enable developers to manage cloud risk with Role-Based Access Controls for monitoring security and compliance findings
- Prioritize security and incident response by correlating threats ingested from third-party sources with native security and compliance findings
- Streamline SOC investigations by easily exporting native findings for additional analytics in Security Information & Event Management systems
Key Advantages for Modern Apps:
Mitigate security and compliance risk with real-time security insights. CloudHealth Secure State provides the following capabilities to help secure Modern Apps:
- Improve security visibility with real-time inventory search and investigation capabilities for multi-cloud environments.
- Reduce misconfigurations and prioritize threats with visual risk context and a more secure auto-remediation approach.
- Benchmark compliance with industry standards with over 950 out-of-the-box rules and enterprise customizations.
- Plan how to operationalize your cloud security program through better collaboration between developers, security, and operations teams.
Additional Resources
VMware CloudHealth Product Page: https://cloudhealth.vmware.com/
VMware CloudHealth HOL (Hands-On Lab): https://labs.hol.vmware.com/HOL/catalogs/lab/10903
Summary and Additional Resources
Summary
Discover how VMware Security Solutions address Modern Apps protection.
Additional Resources
- Carbon Black TechZone: https://carbonblack.vmware.com/
- NSX TechZone Security Resources: https://nsx.techzone.vmware.com/security-resource
Changelog
The following updates were made to this guide:
| Date | Description of Changes |
| --- | --- |
| 5/24/2022 | |
Feedback
Your feedback is valuable.
To comment on this paper, contact VMware Carbon Black Technical Marketing techzone-sbu@vmware.com.