StackRox this week extended the reach of its container security platform into the realm of compliance by adding the ability to automatically check whether a cloud-native application includes the controls required by mandates such as the Payment Card Industry Data Security Specification (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA).
Wei Lien Dang, vice president of product for StackRox, says that, given the dynamic nature of containerized applications that are frequently updated and the rise of DevSecOps processes that rely on developers to implement controls, the way compliance is achieved by organizations needs to evolve.
The latest version of the StackRox Container Security Platform for Kubernetes clusters provides a dashboard that surfaces compliance violations as well as views into compliance details at the cluster, node or namespace level. IT teams can also drill down into noncompliance issues involving specific controls and generate reports that can be shared with auditors.
It’s only a matter of time before organizations that deploy containerized applications find themselves navigating potential complex compliance challenges. One of the most appealing attributes of containers is they allow developers to rip and replace functionality at will. That same capability, however, can be problematic for auditors tasked with tracking when and how updates were made to any given application. In fact, being unable to document those changes can create a significant impediment to deploying containerized applications in heavily regulated industries.
StackRox aims to help IT organizations address that issue by including PCI DSS and HIPAA frameworks for both automating the deployment of controls and monitoring them on an ongoing basis. StackRox has also included support for the National Institute of Standards and Technology (NIST) SP 800-190 framework, which provides a set of controls that can be applied more broadly across a range of vertical industries.
Dang says any potential compliance issue identified by the StackRox platform can then also be shared with continuous integration/continuous deployment (CI/CD) platforms for developers to address within the context of a larger set of best DevOps practices.
In general, Dang notes that it’s not only a matter of time before compliance becomes a natural extension of any set of DevOps practices that include cybersecurity. In fact, the rise of microservices based on containers will drive more organizations to embrace DevSecOps as the next logical extension of those DevOps processes.
The end goal, of course, is not to incorporate auditors into DevOps processes. Rather, IT organizations should first make it easy for developers to implement those controls. Cybersecurity professionals and auditors should then be able make sure those controls are in place without negatively impacting the rate at which applications are being built and deployed.
It may take a while for IT organizations to hone those processes. After all, auditors, cybersecurity professionals and DevOps teams come from three completely different worlds. The real challenge and the opportunity going forward is to find a way to meld those cultures to create more secure applications in a way that doesn’t require everyone to constantly get in each other’s way.