StackRox 2020 predictions: Kubernetes to DevOps (Includes interview)

Technology expert Ali Golshan considers the intersection of DevOps and security to be among 2020’s key technology development themes. A key focus is Kubernetes, a portable, extensible, open-source platform for managing containerized workloads and services.

Consolidates around Kubernetes

First, according to StackRox’s Golshan, a key theme will be that ‘orchestration consolidates around Kubernetes’. On this he notes: “A lot of companies have gone down the path of DevOps, building and using containers and microservices. As a result, workloads are getting more complex, and companies are getting a much better sense of the functionality they need from the container ecosystem.”

He adds that: “The Kubernetes ecosystem is very rich, and as more companies find value in using Kubernetes as a container orchestrator, they will adopt more solutions in the ecosystem. These advances mean we’ll see increasingly complex workloads running in Kubernetes.”

Unsecured Tesla Kubernetes console
RedLock

Golshan also notes how: “We’re seeing a pattern where different types of workloads are becoming possible because of Kubernetes. This proliferation is particularly true among companies building SaaS solutions – these applications are data heavy and very complex. These applications also lend themselves well to wider adoption of service mesh.”

Kubernetes maturity

Golshan’s second theme is that ‘Kubernetes maturity means businesses can build bigger, better things.’ With this he states: “The results of Cloud Native Computing Foundation’s (CNCF) first full Kubernetes audit revealed that Kubernetes is foundationally secure and fully functional. But it also forced Kubernetes users to take a closer look at potential vulnerabilities, configuration issues, and other weaknesses.”

He adds further: “Up to this point, a lot of organizations were running Kubernetes to build and test applications, or run in environments that didn’t have external exposures. They didn’t have mission-critical applications with web-facing services exposed. The pattern towards the maturity of Kubernetes is similar to other technologies. Virtualization went through something very similar in the early 2000s. Public cloud went through it from roughly 2008-2012. Kubernetes is following a very natural progression”.

Rise of service mesh

Golshan’s third point is that ‘service mesh comes into its own’. In relation to this, he finds: “While service mesh technology is in its early stages in comparison to Kubernetes, we’re starting to see new requirements for how tools such as Istio, Envoy, and Linkerd are going to be used. As customer deployments of service mesh technologies get more complex, the applications it supports will increase in complexity and criticality.”

Data is the new oil.
Chiffre01 (CC BY-SA 4.0)

Golshan says: “The general progression of microservices deployments is that you lock down your CI/CD, continuously conduct image scanning, and then harden your deployment process. Then you put the services into runtime and segment your network. You get more sophisticated as you move up the stack and incorporate additional controls and visibility into the application.”

In addition, Golshan’s analysis finds: “That last piece is what service mesh provides, and from a productization and application perspective, the evolution of service meshes is still unclear, since – unlike with k8s – no clear winner has emerged. The needs for observability, tracing and application-level controls using policies and routing are clear – however we have yet to see which technology emerges as the dominant player.”

Making cloud native more functional

Golshan’s fourth point is how ‘advanced third-party tooling makes cloud native more functional.’ Here he surmises: “The CNCF security audit of Kubernetes demonstrated a high degree of security. That success, however, doesn’t necessarily mean that Kubernetes is operationalized in a way that it can run a massively scaled business. Getting to this state will require continued development of third-party tooling.”

Golshan adds: “This challenge has many components. Kubernetes itself must scale. Then organizations need further maturity of tools that form part of the DevOps and CI/CD deployment ecosystem to deliver features including observability and security. While Kubernetes gives you the functionality to do some of these functions, it can’t derive and share the intelligence an organization needs to take security or other operational actions. As the tools evolve to support this added functionality, technology stacks built around Kubernetes will become more feature rich, programmatic, programmable, and scalable.”

Golshan also finds that: “You need third-party tools to ingest data, analyze it, and deliver actionable intelligence. In an ideal scenario, that intelligence will then programmatically update infrastructure for various use cases. For example, Kubernetes has a function called pod security policies, where you can write policies based on how you want pods in a container to run. But this functionality requires something to automate it – otherwise, you would have to do it manually a hundred times a day, tens of thousands of times a week, and countless times over a year. You need a tool to automatically produce these policies for you based on your application development, deployment, and runtime environment. This example is just one of the dozens where Kubernetes needs third-party tools to augment its native functionality.”

Importance of operational safety

Golshan’s fifth prediction is that ‘Kubernetes use cases move towards operationalization safety’. He states here: “To date, the most standard use cases for Kubernetes security across all organizations are visibility and configuration management. These use cases dominate when deployments are still early. As organizations scale and mature their deployments, the security use cases will evolve and grow as well.”

Golshan adds: “What’s interesting is how organizations of a certain profile are more advanced in their deployments. In some industries, such as healthcare, startups tend to be more advanced than established businesses.”

He also finds: “Companies that are in transition are also likely to adopt Kubernetes more aggressively. Organizations such as Sony and Disney are rebuilding streaming services using Kubernetes, because they want to move as fast and offer services as quickly as companies such as Netflix. So sometimes Kubernetes adoption is tied to getting a leg up on innovation, and other times it’s a matter of survival.”

Image of data (based on the letter sequence of DNA), from the Barbican Centre, London.

“While the initial adoption of Kubernetes has to do largely with enabling business innovation, the technology offers powerful opportunities to build security directly into the development process. Developers are realizing that if security isn’t built in, they will suffer from undetected vulnerabilities, misconfigurations, or other factors out of their control. Security is increasingly part of the developer’s consciousness – it’s becoming an integral part of running services and applications safely for optimal business value.”

Security as code

Golshan’s sixth point is that ‘security as code translates security to safety’. In terms of what this means: “The concepts of security and safety are often conflated. But the difference is the same as the difference between walls and doors. Treating both infrastructure and security as code allows security to move from being probabilistic to deterministic; DevSecOps teams can use the declarative nature of Kubernetes and microservices to automate processes that can scale.”

And with what businesses need to do: “The fact is, you have to build security into development for automation because you’re dealing with so much data, so many users, highly distributed infrastructure, and much larger scale. You can’t just keep adding firewalls and agents and point solutions in the way security teams are used to. To transition security into safety, you have to bake it in to the entire process.”

Primacy of operational issues

Golshan’s seventh and final point relates to the importance of placing ‘operational issues over security issues.’ By this he means: “This past year has seen a number of Kubernetes CVEs emerge, but the community response has been strong and effective. We should expect to see more operational issues with Kubernetes than security issues in the coming years. Addressing questions such as ‘how can I deploy Kubernetes to thousands of clusters and tens of thousands of nodes?’ will be driving changes in Kubernetes more than responding to security vulnerabilities or breaches.”

He goes on to state: “As these operational challenges get addressed, we’ll see an acceleration in improvements that results in increased scalability, performance, and functionality. As a result, Kubernetes will be adopted by a much larger arena of applications, including IoT, autonomous vehicles, and popular consumer technologies that need processing power and the ability to build and deliver applications and services more effectively. These technologies will really shine a light on the breadth and scale that Kubernetes-based applications can enable.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
