Moving to the cloud? Think cloud security.

As your organization modernizes existing applications for the cloud or builds new cloud-native apps, you need ways to maintain tight security. Adopting a container-based approach to deployment helps isolate your app and its dependencies from other workloads in a cloud environment. But containers on the same node share one kernel, and a running container is only as trustworthy as the image it was built from, so isolation alone is not enough: you also need to secure the images you deploy and the infrastructure they run on.

IBM® Cloud Kubernetes Service is a managed Kubernetes offering that adds protection for your applications both within the container and on the cloud infrastructure. Automated features deliver powerful security and isolation to safeguard your cloud-native apps while reducing administrative complexity.

Recent research on securing cloud-native apps

Application developers and executives alike tend to start with concerns about cloud platform security, yet after adopting a cloud-native model they report better security for their company and its customer data.

68%

of cloud-native adopters report improved security for company and client data

70%

of IT executives report better app security with the cloud-native model

Securing applications and environments on the cloud

You must rethink your security architecture and the methods to secure cloud-native applications. Here are some functional requirements to build secure cloud-native apps:

Isolate infrastructure

To secure cloud-native apps, you must isolate the infrastructure where containers reside. Every IBM Kubernetes cluster is a single-tenant cluster, but you have three isolation options for containerized worker nodes:

  • Shared model: This infrastructure-as-a-service (IaaS) offering provides a virtual machine (VM) on a hypervisor and hardware that are shared with other tenants. You have sole use of the VM, so the hypervisor is your isolation boundary; this is base-level isolation.
  • Dedicated model: The VM runs on a hypervisor and hardware that are dedicated to your account, so no other tenant's workloads share the physical host. This adds a layer of isolation over the shared model.
  • Bare-metal worker nodes: Your containers run directly on a dedicated physical server with no hypervisor in between, giving the greatest isolation and the best performance for demanding workloads such as artificial intelligence (AI).

Use vulnerability detection to scan containers before and after deployment

Detecting vulnerabilities in your containers is critical not only for spotting malware but also for identifying misconfigurations such as weak control of user access. IBM offers a Vulnerability Advisor (VA) system that provides both static and live container scanning. Integrated into IBM Cloud Kubernetes Service, VA inspects each layer of each image in your cloud container registry to detect vulnerabilities or malware before the image is deployed.

Scanning the static registry image alone can miss "drift": differences between the image as it was scanned in the registry and what is actually running after deployment, whether because the deployed image is not the one that was scanned or because the container was changed at runtime. VA therefore also scans running containers for anomalies and reports its findings as tiered alerts with recommendations.

Employ encryption and policy enforcement to protect container images from tampering

It’s vital to ensure your container images have not been tampered with inside the cloud registry, and are not exposed to tampering or theft as they are moved from the registry and deployed within your Kubernetes cluster.

IBM Cloud Kubernetes Service protects against these threats in powerful ways:

  • Docker Notary, the open-source image-signing system behind Docker Content Trust, which lets a client verify that the image it pulls is exactly the one the publisher signed. As a practical check, a Docker client with content trust enabled (DOCKER_CONTENT_TRUST=1) refuses to pull a tag that has no valid signature.
  • Encryption of images at rest in the registry and in transit to your cluster
  • Image deployment enforcement, applied when a workload is admitted to the cluster, that lets you define what can be deployed in your IBM Cloud Kubernetes Service clusters. You can choose to simply flag any vulnerability found in an image, or completely block an image from deployment until it passes vulnerability scanning.
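The enforcement described in this list, and the drift problem raised under vulnerability detection, meet at Kubernetes admission time: a webhook sees the Pod before it is scheduled, resolves each image reference through the signed trust data, looks up the scan verdict for that exact digest, and either denies the Pod or admits it, pinning each tag to its signed digest so the container that runs is the image that was scanned. The Python below is an added illustration of that decision logic and is not IBM's Container Image Security Enforcement or Vulnerability Advisor code; the registry hostnames, repositories, tags, digests, trust data and scan findings are all constructed for the example.

```python
"""Toy admission decision for container images: signed digest + scan verdict gate.

Constructed example, not IBM's enforcement code. SIGNED_TARGETS stands in for the
tag->digest mapping Notary signs; SCAN_RESULTS stands in for per-digest scan reports."""
import base64
import json
from dataclasses import dataclass

# Constructed trust data: the publisher signed these tag -> digest mappings.
SIGNED_TARGETS = {
    "us.icr.io/shop/api:1.4.2": "sha256:" + "a1" * 32,
    "us.icr.io/shop/web:2.0.0": "sha256:" + "b2" * 32,
}

# Constructed scan results keyed by digest; "FINDING-1" is a made-up identifier.
SCAN_RESULTS = {
    "sha256:" + "a1" * 32: [],
    "sha256:" + "b2" * 32: [{"id": "FINDING-1", "severity": "critical"}],
}


@dataclass(frozen=True)
class Policy:
    allowed_registries: tuple = ("us.icr.io/",)
    va_mode: str = "block"                        # "block" denies; "flag" admits with a warning
    blocking_severities: tuple = ("critical", "high")


def resolve_signed_digest(image):
    """Return the signed digest for an image reference, or None if trust data does not cover it.

    A tag is resolved through the signed tag->digest mapping. A digest reference is accepted
    only if the publisher signed that exact digest for the same repository."""
    if "@" in image:
        repo, digest = image.split("@", 1)
        signed = {d for ref, d in SIGNED_TARGETS.items() if ref.rsplit(":", 1)[0] == repo}
        return digest if digest in signed else None
    return SIGNED_TARGETS.get(image)


def evaluate_image(image, policy):
    """Return (digest, denial_reason, warnings) for one container image."""
    warnings = []
    if not image.startswith(policy.allowed_registries):
        return None, f"{image}: registry is not in the allow list", warnings
    digest = resolve_signed_digest(image)
    if digest is None:
        return None, f"{image}: no signed trust data for this reference", warnings
    if digest not in SCAN_RESULTS:           # unscanned images are treated like failing ones
        problem = f"{image} ({digest[:19]}): not scanned yet"
    else:
        hits = [f["id"] for f in SCAN_RESULTS[digest] if f["severity"] in policy.blocking_severities]
        problem = f"{image} ({digest[:19]}): blocking findings {', '.join(hits)}" if hits else None
    if problem and policy.va_mode == "block":
        return digest, problem, warnings
    if problem:                               # "flag" mode: admit, but surface the finding
        warnings.append(problem)
    return digest, None, warnings


def review(admission_review, policy=Policy()):
    """Build the AdmissionReview response for a Pod.

    Denied if any image fails policy. Otherwise admitted, with a JSONPatch that pins every
    tag to its signed digest so the running container is exactly the scanned image."""
    req = admission_review["request"]
    patch, warnings = [], []
    for i, c in enumerate(req["object"]["spec"]["containers"]):
        digest, reason, w = evaluate_image(c["image"], policy)
        warnings.extend(w)
        if reason:
            response = {"uid": req["uid"], "allowed": False,
                        "status": {"code": 403, "message": reason}}
            break
        if "@" not in c["image"]:
            repo = c["image"].rsplit(":", 1)[0]
            patch.append({"op": "replace", "path": f"/spec/containers/{i}/image",
                          "value": f"{repo}@{digest}"})
    else:
        response = {"uid": req["uid"], "allowed": True}
        if warnings:
            response["warnings"] = warnings
        if patch:
            response["patchType"] = "JSONPatch"
            response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def sample_review(*images):
    """Constructed AdmissionReview request for a Pod running the given images."""
    containers = [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "req-1", "object": {"kind": "Pod", "spec": {"containers": containers}}}}


def pinned_images(admission_review_response):
    """Decode the JSONPatch in an admit response and return the pinned image values."""
    patch = admission_review_response["response"].get("patch")
    return [op["value"] for op in json.loads(base64.b64decode(patch))] if patch else []


if __name__ == "__main__":
    for mode in ("block", "flag"):
        for img in ("us.icr.io/shop/api:1.4.2", "us.icr.io/shop/web:2.0.0",
                    "us.icr.io/shop/api:latest", "docker.io/library/nginx:1.25"):
            r = review(sample_review(img), Policy(va_mode=mode))["response"]
            verdict = "ADMIT" if r["allowed"] else "DENY"
            print(mode, img, "->", verdict, r.get("warnings") or r.get("status", {}).get("message", ""))
```

The "flag" versus "block" choice maps onto the AdmissionReview response directly: block mode returns allowed: false with a 403 status message, flag mode returns allowed: true and carries the finding in the response's warnings list (which the Kubernetes API server relays to the client). In a real webhook the two table lookups become calls to the Notary server and the scanner, and the webhook itself is served over TLS from a ValidatingWebhookConfiguration or MutatingWebhookConfiguration; the decision logic stays the same.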

Enhance development pipeline efficiency with automation

IBM Cloud Kubernetes Service provides an integrated DevOps toolchain that allows developers to create, test and deploy containerized applications automatically to a Kubernetes cluster.

The toolchain performs sanity checks prior to building or deploying, and it helps ensure privacy by using a private container registry and namespaces for the container registry and the Kubernetes cluster. This toolchain also leverages Vulnerability Advisor to make sure only secure images are deployed.

Implement security you can trust

As you build new cloud-native apps or modernize your existing applications, you need ways to protect your data from an increasing number and variety of threats. Implement IBM security capabilities to safeguard your apps and identify any potential issues.

Connect with IBM Cloud Garage experts for additional guidance on security and other aspects of cloud-native development and application modernization.