IT Science Case Study: Finding Reliable Container Security Across Clouds

eWEEK IT SCIENCE: Mux, a video production SaaS and analytics company, needed to provide security and compliance for its container and Kubernetes-based environments across Google and Amazon clouds. StackRox to the rescue.

Here is the latest article in an eWEEK feature series called IT Science, in which we look at what actually happens at the intersection of new-gen IT and legacy systems.

Unless they’re brand new and right off various assembly lines, the servers, storage and networking inside every IT system can be considered “legacy.” This is because the iteration of both hardware and software products is speeding up all the time. It’s not unusual for an app-maker, for example, to update and/or patch an application for security purposes a few times a month, or even a week. Some apps are updated daily! Hardware moves a little slower, but manufacturing cycles are also speeding up.

These articles describe new-gen industry solutions. The idea is to look at real-world examples of how new-gen IT products and services are making a difference in production each day. Most of them are success stories, but there will also be others about projects that blew up. We’ll have IT integrators, system consultants, analysts and other experts helping us with these as needed.

Today’s Topic: Finding Reliable Security Across Google, AWS Clouds

Name the problem to be solved: Mux, a video production SaaS and analytics company, needed to provide security and compliance for its container and Kubernetes-based environments across Google and Amazon clouds. The company runs its systems in geos around the world, and its customers include global media companies with stringent compliance requirements. Mux needed to provide that compliance data and protect its infrastructure against attacks and accidental exposure from customer files. As with many software companies today, Mux uses a lot of open source software in its offerings, so it needed to understand the risk profile of software it can't control. It also needed runtime detection to monitor the video files it ingests from its customers, to find and stop malicious activity.

Describe the strategy that went into finding the solution: Mux IT staff knew they needed an "out-of-the-box" solution that didn't require extensive staff resources or infrastructure changes to run. The company started researching container security companies online and at trade shows. The focus was on finding a solution that addressed security across the full container life cycle with a special focus on Kubernetes security. Mux found the StackRox Container Security Platform at the DockerCon trade show and was piloting the software within weeks.

List the key components in the solution: Mux had a few key requirements for their Kubernetes security solution. The company needed a container security platform that supported:

  • Full security across build, deploy, and runtime phases of the container life cycle
  • Protection against known Kubernetes attack vectors
  • Automatic identification and blocking of malicious activity, based on behavior and not just whitelists
  • Full portability across cloud and on-prem deployments

Describe how the deployment went, perhaps how long it took, and if it came off as planned: Mux deployed the StackRox software in a couple of hours, tying it into Mux's CI/CD pipeline, developer notification tools, and Kubernetes deployments. The company ran the software on its test systems for a few weeks, experimenting with various known attack vectors, misconfigurations, and privilege settings. Then the company incorporated its production systems under the StackRox security framework. About an hour later, during an all-hands meeting where the head of infrastructure was showing off the newly deployed StackRox security software, the StackRox risk profile dashboard flashed a critical alert showing a container breakout. As he clicked through on the dashboard to see what was happening, an engineer sheepishly raised his hand to admit that he'd been behind the problem, breaking protocol and short-circuiting the typical process. Immediately, the company saw the value of the StackRox software.

Describe the result, new efficiencies gained, and what was learned from the project: In addition to flagging that real-time container violation, the StackRox software has helped Mux automate the process of ensuring builds and deployments adhere to Mux best practices. The software automatically stack-ranks the company's riskiest deployments, and it provides both the violation details and the remediation steps needed. Because the StackRox software links these violations to the dev teams responsible for the deployments, Mux has dramatically increased the efficiency of getting build and deploy problems resolved. Mux calls this process "automatic triage," where StackRox, instead of people, figures out the biggest issues Mux has to resolve.

Describe ROI, carbon footprint savings, and staff time savings, if any: Mux has gained tremendous staff time savings in the automatic triage of the StackRox risk profile dashboard. What used to take hours and days, in an ongoing fashion, now happens immediately and continuously, constantly updating the dashboard with any critical issues and automatically flagging the involved development team. The company estimates it would have needed to hire a full-time engineer dedicated to hardening the container and Kubernetes environments and tracking down runtime problems - StackRox saves that headcount.

Other references: You can read how Mux thinks about this deployment here; you can watch a video of Mux's head of infrastructure here. Additional details on StackRox can be found here.

Chris Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...