There is a digital transformation underway in how applications are being built and released/delivered to production. This is primarily propelled by the success of the DevOps paradigm and the cloud native technologies such as Containers & Microservices. Many organizations are now able to release software more frequently and efficiently and there are many that deliver software multiple times even within a given day.
This is all great but how is security going to keep up? The traditional approach to security is not going to cut it and a transformation is needed here as well. There is already a shift left happening by baking security into the products as they are being built. A typical example is to scan the images that are being built for known vulnerabilities before pushing them into container repositories.
In addition, what is needed is automation around developing/updating security policies such as access control rules, configuration hardening compliance, image deployment policies, etc. and suitably apply them as and when applications are getting deployed or infrastructure is being provisioned. As traditional applications are getting modernized or new cloud native applications are being built they generally run on public/private cloud environments where infrastructure is dynamically provisioned and torn down. Such dynamic changes to infrastructure needs to be properly secured as well. Similar to what has happened with Infrastructure as code (e.g. HashiCorp Terraform) to facilitate infrastructure automation, there is a need to automate security policies as code to keep up with the dynamic nature of DevOps and cloud native computing. The problem is further exacerbated as customers adopt a multi cloud strategy where applications are deployed on multiple clouds.
To keep up with the dynamic nature of the cloud and the rapid pace at which DevOps is pushing new builds into production environments, security needs to be agile as well. To address these and more importantly seamlessly fit into the DevOps and cloud native methodologies, HyTrust CloudControl 6.0 has taken a declarative approach to security and various security policies could be defined as code thru YAML documents called Trust Manifests. The Trust Manifest is made up of different sections each corresponding to a security policy type such as access control, configuration hardening, container/image deployment control etc.
The Trust Manifests could be authored thru a rich intuitive UI or directly using a favorite editor such as vi. Similar to application code, the Trust Manifests could be version controlled in Git repositories. As and when a new version of a given application is built or when new infrastructure is dynamically provisioned, the suitably revised Trust Manifests could be checked out from the respective Git repository and programmatically pushed into HyTrust CloudControl thru REST APIs.
Such Trust Manifests could be assigned to resources at various levels such as AWS accounts or Kubernetes clusters or vSphere Virtual Centers and the various security policies would automatically be enforced. These could be done programmatically as well via REST APIs.