Migrating important workloads—or even major parts of your entire IT processes—to a Platform-as-a-Service (PaaS) model is happening more and more often. And why not? PaaS offers large enterprises and small to midsize businesses alike such attractive benefits as improved efficiency, lower Capex and increased agility for DevOps and cloud-native requirements.
In particular, organizations are accelerating adoption of public cloud-based Kubernetes services to leverage a container- and microservices-centric approach to application development and deployment. But even though organizations are increasingly comfortable using public cloud services for a wide range of applications, security concerns over running mission-critical workloads in the public cloud still linger. In fact, one study indicated that nearly three-quarters of IT decision-makers hesitate to adopt public cloud for important requirements because of security concerns.
Whatever the source of this hesitancy—fear of loss of control over mission-critical data, high-profile data breaches at public cloud service providers, worries over potential compliance violations or legal hassles, or the lack of visibility into the location and status of enterprise data—IT and security professionals need to dig deeper to develop stronger security frameworks for their PaaS architectures. This is particularly important in DevOps initiatives, where PaaS is used to facilitate rapid, frequent delivery of new, often lightweight software optimized for specific business requirements.
Building a chain of trust
In order to ensure the integrity of each component in the PaaS solution, organizations need to create a hardware-based “chain of trust” that runs from the chip firmware through the container engine and the orchestration system. By building and maintaining this chain of trust, IT and security professionals can ensure that critical data and workloads are safeguarded against an increasingly diverse and frequent set of threats, from zero-day attacks and advanced persistent threats to ransomware.
The chain of trust must ensure that the public cloud platform uses a policy-based managed trust boundary as a core element in automating PaaS security. And automation is a central element to PaaS security, since organizations typically have neither the budget nor the inclination to hire armies of security analysts, who are hard-pressed to keep up with the relentless march of new security events happening every minute of every hour of every day.
That trust also must be extended to the containers themselves, which should come with integrated approaches for establishing perimeters around each container and for facilitating safe communication between container components.
IBM’s security for public Kubernetes platforms
The IBM Cloud Kubernetes Service is a managed service that offers a wide range of tested and certified tools for PaaS requirements, and comes with a number of security safeguards to help give technical and business leaders alike a stronger sense of confidence that the chain of trust has been built, deployed and managed for PaaS in the public cloud.
IBM offers organizations three different deployment options for its PaaS service, in order to most closely align with each organization’s cloud security philosophy and priorities. For instance, organizations looking for the highest level of platform security can have the service deployed as bare metal. Those who don’t need a bare metal solution can deploy the service as isolated clusters, while those with more confidence and trust in a public cloud environment and the experience of their service provider may opt for a multi-tenant architecture.
The IBM service offers other important functionality, including:
- IBM Vulnerability Advisor, which supports image deployment policy settings based on different types of image failure situations, as well as support for checking 26 different ISO 27000-based rules and security misconfiguration detection. It also identifies and captures security intelligence from five different third-party threat intelligence sources with prioritized ratings and recommended fixes for each vulnerability.
- IBM Cloud Container Registry, which stores and distributes Docker images in a managed private registry and checks them for container vulnerabilities. The private images are pushed to the IBM Cloud Kubernetes Service only after being checked for security issues, thereby maintaining the chain of trust.
Rather than investing considerable time and money to build a Kubernetes-based PaaS solution in-house, organizations can leverage a publicly available solution with its own team of highly experienced, market-tested security experts and operators.
As more organizations continue to prefer a PaaS solution for DevOps and cloud-native requirements built around containers and microservices, there remains an important need to build confidence in public cloud security. This is done by selecting a platform engineered to deliver a chain of trust at every point during the software development and deployment process.
IBM Cloud Kubernetes Service offers organizations the many operational and financial benefits of a public cloud architecture, enhanced with a robust, open source-based approach to platform security.