Securing Modern Applications - Solution Guide

Introduction

Overview

Kubernetes is improving operational concerns such as resource utilization and spending, cloud migrations, and application upgrades. However, the challenge of meeting security and compliance requirements has increased.

According to VMware’s Kubernetes Survey, “security concerns for multi-cluster and multi-team Kubernetes use has become a focal point”.

In 2022, for 59% of organizations, the first challenge encountered in deploying Kubernetes is “Meeting security & compliance requirements”.

This year saw a rise in security concerns for multi-cluster and multi-team Kubernetes use. We asked people to choose up to two security concerns, and here is what they said:

What we see here are concerns that are driven by growing use. As organizations make Kubernetes available for use by other teams, you will want to make sure those new teams are following policy and that the team’s environments are isolated from each other. The focus on secure software supply chains that is going around in the industry now comes up as a concern as well, with a third of respondents pondering securing containers.

If you are putting together your Kubernetes plan, this means you should get ahead of these concerns and start planning for multi-team use right from the beginning. Applying security at the end is rarely ever fun.

The goal of Modern Apps Security is to shift security left and to involve the development team in the security of containers; in other words, Dev, Sec, and Ops own security together.


Following this overview, the solutions guide provides information on individual products. This solutions guide will cover:

  • Carbon Black Container

  • Tanzu Service Mesh

  • VMware CloudHealth SecureState

VMware Carbon Black Container

Product Overview

VMware Carbon Black Cloud Container enables enterprise-grade container security at the speed of DevOps by providing continuous visibility, security, and compliance for containerized applications from development to production—in any on-premises or public cloud environment. This solution provides security teams with visibility and the ability to enforce compliance while integrating seamlessly into existing DevOps processes to avoid adding operational complexity. With VMware, organizations can reduce risk,


Key Advantages for Modern Apps Protection:

  • Gain complete visibility into the security posture of Kubernetes
  • Enable prioritized vulnerability reporting
  • Easily define and customize security policies
  • Address vulnerabilities and misconfigurations at build
  • Enable speed of delivery without compromising security
  • Easily deploy and set up products
  • Seamlessly integrate into the CI/CD pipeline and existing processes


Get Hands-On

At VMware, there are several ways to get hands-on with our products today. Launch the VMware Carbon Black Container Lab on VMware TestDrive: https://portal.vmtestdrive.com/products/intrinsic-security

Additional Resources

  • To learn more about VMware Carbon Black products, visit our Product Paths in Tech Zone. Product learning paths are designed to take you from A to Z, covering everything from product overviews to optimization and best-practice content for each product.

  • To learn more about VMware Security Solutions, visit our Solution Path in Tech Zone!

A solutions path is a curated learning experience designed to walk you through security challenges and show how to get hands-on and solve them for your organization with VMware Security. Don't miss out on the Securing Modern Applications Solution Path: https://carbonblack.vmware.com/securing-modern-applications

  • If you are trying to put the Dev into DevSecOps, the most critical piece in securing modern applications is notifying Dev early and often if something is not meeting security requirements. Watch this demonstration to see how VMware Carbon Black Container can integrate into your development pipelines.


  • Kubernetes continues to gain traction as the leading open-source platform for managing containerized workloads and services. However, the increased agility, portability, and scalability are juxtaposed with susceptibility to vulnerabilities specific to Kubernetes environments. This session will analyze each of the four layers of the Kubernetes tech stack (code, container, cluster, cloud/on-prem data center) to uncover emerging threats and common security pitfalls to avoid. Gain insights into the vulnerabilities, how they came to be, and mistakes to avoid – all to help you strengthen your security posture.


VMware Tanzu Service Mesh

Product Overview

According to the Modern Bank Heists 5.0 report, 94% of the 130 banks suffered attacks via API. VMware Tanzu Service Mesh provides advanced, end-to-end connectivity, security, and insights for modern applications—across application end-users, microservices, APIs (Application Programming Interfaces), and data—enabling compliance with Service Level Objectives (SLOs) and with data protection and privacy regulations.

VMware Tanzu Service Mesh - Connectivity and Security for Modern Applications

Key Advantages for Modern Apps:

  • Multi-cloud and multi-runtime secure connectivity for distributed applications
  • Zero Trust application security, with automated DevSecOps workflows
  • Visibility and analytics across app end-users, microservices, APIs, and data
  • PII detection and protection

Get Hands-On

VMware Tanzu Service Mesh HOL (Hands-On Lab): https://labs.hol.vmware.com/HOL/catalogs/lab/8509

Additional Resources

VMware Tanzu Service Mesh Product Page: https://tanzu.vmware.com/service-mesh


VMware CloudHealth Secure State

Product Overview

Reducing misconfigurations, monitoring malicious activity, and preventing unauthorized access are foundational activities needed to ensure the security and compliance of applications and data in the cloud. As criminals become more sophisticated in exploiting cloud misconfiguration vulnerabilities, security teams need a smarter approach to preventing security breaches. CloudHealth Secure State is an intelligent cloud security and compliance monitoring platform that helps organizations reduce risk and protect millions of cloud resources by remediating security violations and scaling best practices at cloud speed.

Introduction to CloudHealth Secure State


Improve Visibility

Gain Real-Time Visibility Across Cloud & Kubernetes Infrastructure

Monitor multiple cloud providers and understand how a minor configuration change can elevate risk across connected cloud objects.

  • Quickly discover inventory, explore cloud topology, and drive investigations with a unified search engine for multiple cloud providers, regions, and accounts  
  • Detect security risks within seconds and monitor ephemeral cloud resources with an event-based approach that minimizes API calls to cloud  
  • In a single graph view, get deep security context including cloud resource relationships, misconfigurations, threats, metadata, and change activity
  • Audit configuration changes and track progress developers make in resolving security and compliance violations across the organization and sub-projects


Define Governance Standards

Establish Security and Compliance Best Practices

Build a cloud security and compliance program to establish organization-wide standards and fine-tune policies.

  • Assess misconfiguration and compliance risk by automating benchmarks such as CIS, GDPR, HIPAA, ISO 27001, MITRE ATT&CK Cloud, NIST, PCI, and SOC 2
  • Eliminate security and compliance blind spots by defining custom frameworks and rules specific to technical needs
  • Reduce false positives and allow exceptions to security policies by automatically suppressing rules or findings based on pre-defined criteria
  • Prioritize the security of the most vulnerable cloud resources with an intelligent risk-scoring algorithm that makes it easy to identify critical findings


Remediate Violations

Resolve Violations with a Secure Auto-Remediation Framework

Use automation to improve security and compliance posture and build guardrails that prevent mistakes.

  • Safely embrace auto-remediation with a framework that takes action without requiring write permissions to the customer's cloud environment
  • Mitigate risks at scale with a rich library of pre-defined remediation jobs and the ability to create custom jobs as code
  • Click to fix known violations and precisely target resources based on filtering criteria such as cloud provider type, region, account, or tag
  • Proactively prevent mistakes by enabling guardrails that automatically resolve new violations that match specified filtering criteria


Increase Collaboration

Empower Developers and Streamline Security Operations

Automate cloud security operations across the company with an API-first platform that easily integrates with other IT, security, and developer tools.

  • Shift security left to proactively identify and resolve violations through API-based verification within CI/CD pipelines
  • Enable developers to manage cloud risk with Role-Based Access Controls for monitoring security and compliance findings
  • Prioritize security and incident response by correlating threats ingested from third-party sources with native security and compliance findings
  • Streamline SOC investigations by easily exporting native findings for additional analytics in Security Information & Event Management (SIEM) systems

Key Advantages for Modern Apps:

CloudHealth Secure State mitigates security and compliance risk with real-time security insights and provides the following capabilities to help secure modern apps:

  • Improve security visibility with real-time inventory search and investigation capabilities for multi-cloud environments.
  • Reduce misconfigurations and prioritize threats with visual risk context and a more secure auto-remediation approach.
  • Benchmark compliance with industry standards using over 950 out-of-the-box rules and enterprise customizations.
  • Plan how to operationalize your cloud security program through better collaboration between development, security, and operations teams.

Additional Resources

VMware CloudHealth Product Page: https://cloudhealth.vmware.com/

VMware CloudHealth HOL (Hands-On Lab): https://labs.hol.vmware.com/HOL/catalogs/lab/10903

Summary and Additional Resources

Summary

Discover how VMware Security Solutions address Modern Apps protection.

Additional Resources

Changelog

The following updates were made to this guide:

Date        Description of Changes
5/24/2022   Guide was published.

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware Carbon Black Technical Marketing techzone-sbu@vmware.com.
