Security Automation


For organizations shifting left, security practices that keep pace with accelerated software development and deployment are critical. NeuVector is the only container security platform to enable Security as Code, the easiest way to streamline the incorporation of security policies into the development process. It’s a win-win: eliminate tension between development and security, speed up the CI/CD pipeline, and bake security into your DevOps team’s process. Security as Code can supercharge security in your DevOps transformation. Here’s how:

Define Application Security Policy

Developers initiate creation of both the application deployment manifest and the security manifest (the NeuVector CRD). Images are built and scanned for vulnerabilities automatically, and DevOps reviews the scan results. Once those gates are passed, DevOps tests both the deployment manifest and the security manifest together and feeds the results back to developers. The DevOps team then deploys the new app and its security policy into production in the same step, so the app is protected from the moment it starts running rather than after a learning period in production.

Create CRDs Using NeuVector Behavioral Learning

To simplify the learning and creation of NeuVector-formatted CRD YAML files, DevOps teams can use NeuVector’s behavioral learning in a test environment to produce a first draft of the security policy. The workflow begins with the DevOps/QA team deploying the app into a test cluster where NeuVector runs in Discover mode. NeuVector then observes the application’s behavior and automatically creates the network, process, and file access rules for it. These are exported in the NeuVector CRD YAML format for review with developers; the CRD can be edited if needed, tested by DevOps, and then deployed into production. One caveat: learned rules are only as complete as the traffic and activity exercised during learning, so drive every code path (health checks, scheduled jobs, error handling) before exporting, or the missing rules will show up as violations once the service runs in Monitor or Protect mode.
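The kind of security manifest the two sections above describe, as an added example that is not from the page or from NeuVector’s own documentation: an application-scoped NvSecurityRule of the shape NeuVector exports after behavioral learning, edited so the target runs in Protect mode. The workloads (orders, frontend, postgres in namespace shop), ports, process paths and file paths are hypothetical; the field names follow NeuVector’s NvSecurityRule schema as I know it and should be checked against the CRD installed in your cluster (for example with `kubectl explain nvsecurityrule.spec`).

```yaml
# Added example, not page or NeuVector code. Workload names, ports and paths are
# hypothetical; field names follow the NvSecurityRule schema (verify per version).
apiVersion: neuvector.com/v1
kind: NvSecurityRule
metadata:
  name: nv.orders.shop
  namespace: shop                 # namespaced: the rule travels with the app
spec:
  target:
    policymode: Protect           # enforce, not just alert, once promoted to production
    selector:
      name: nv.orders.shop
      criteria:
        - key: service
          op: =
          value: orders.shop
        - key: domain
          op: =
          value: shop
  ingress:
    - name: nv.orders.shop-ingress-0
      action: allow
      ports: tcp/8080
      applications:
        - HTTP
      selector:
        name: nv.frontend.shop
        criteria:
          - key: service
            op: =
            value: frontend.shop
          - key: domain
            op: =
            value: shop
  egress:
    - name: nv.orders.shop-egress-0
      action: allow
      ports: tcp/5432
      applications:
        - PostgreSQL
      selector:
        name: nv.postgres.shop
        criteria:
          - key: service
            op: =
            value: postgres.shop
          - key: domain
            op: =
            value: shop
    - name: nv.orders.shop-egress-1
      action: deny                # explicit: nothing leaves the cluster from this service
      ports: any
      applications:
        - any
      selector:
        name: external            # NeuVector reserved group for everything outside the cluster
  process:
    - name: node
      path: /usr/local/bin/node
      action: allow               # the only process seen during learning
    - name: sh
      path: /bin/sh
      action: deny                # no shell was ever observed; block it explicitly
  file:
    - filter: /etc/passwd
      behavior: monitor_change    # alert on modification, do not block reads
      recursive: false
      app: []
    - filter: /app/config/*
      behavior: block_access      # hypothetical secrets directory: reads are blocked in Protect mode
      recursive: true
      app: []
```

The manifest is applied with `kubectl apply -f` next to the deployment manifest, so the policy and the workload land in the same commit, pipeline stage and cluster. In Protect mode any connection, process or file access not listed is dropped, which is why the learning run must cover the whole behavior of the service before the export is taken.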

Deploy Global Security Policies

Some security policies are not specific to one application, or apply to a large set of applications with similar characteristics. Security, compliance and operations teams also need to define such policies across an entire cluster, or even across multiple clusters. NeuVector simplifies deploying these ‘global’ rules: the teams use the NeuVector CRD to define global security policies that are not tied to application workloads, or that apply to other logical groupings of workloads in a cluster, for example global network ingress/egress rules, processes forbidden in every container, and processes allowed cluster-wide for monitoring or diagnostics.

Global CRDs can be used in conjunction with application-specific CRDs to ensure complete security protection in the target clusters.
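A global policy of the kind described above, as an added example that is not from the page or from NeuVector’s documentation: a cluster-scoped NvClusterSecurityRule that forbids a few processes in every container, allows one diagnostics tool cluster-wide, and adds a global egress rule. The rule targets NeuVector’s reserved group `containers` (every container in the cluster) and references the reserved group `external`; the specific tool paths and the SMTP example are my hypothetical choices, and the field names follow the NeuVector CRD schema as I know it, so check them against your installed CRD.

```yaml
# Added example, not page or NeuVector code. Tool paths and the port chosen are
# hypothetical; "containers" and "external" are NeuVector's reserved group names.
apiVersion: neuvector.com/v1
kind: NvClusterSecurityRule
metadata:
  name: nv.global-baseline      # cluster-scoped kind: no namespace
spec:
  target:
    selector:
      name: containers          # reserved group: applies to every container in the cluster
  process:
    - name: nc
      path: /usr/bin/nc
      action: deny              # forbidden everywhere: reverse-shell staple
    - name: ncat
      path: /usr/bin/ncat
      action: deny
    - name: nsenter
      path: /usr/bin/nsenter
      action: deny              # namespace escape helper has no business inside a container
    - name: curl
      path: /usr/bin/curl
      action: allow             # diagnostics tool permitted cluster-wide without per-app rules
  egress:
    - name: nv.global-egress-no-smtp
      action: deny              # no container may speak SMTP to the outside world
      ports: tcp/25
      applications:
        - any
      selector:
        name: external
```

Application-specific NvSecurityRule objects and this global rule are applied to the same cluster and evaluated together; a process listed as deny here is blocked for a service even when that service’s own CRD never mentions it. To move rules from a staging cluster to production, export the reviewed objects (for example `kubectl get nvsecurityrules -n shop -o yaml`, or the CRD export in the NeuVector console), strip the cluster-specific metadata kubectl includes (`uid`, `resourceVersion`, `creationTimestamp`, `managedFields`) if you exported with kubectl, commit the files, and apply them to the production cluster before the matching deployment manifest.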

Migrate Policies from Staging to Production Clusters

The NeuVector CRD can also be used to migrate all security policies, or a selected subset, from a staging environment into production after testing is complete. This way the production environment can stay ‘locked down’ in Monitor or Protect mode while new services are deployed or updated.

The NeuVector console provides a ‘New Services Mode’ setting that can be Discover, Monitor, or Protect. When it is set to Monitor or Protect, the security rules for a new service must be in place before it is deployed and begins activity; otherwise its first connections, process launches and file changes are reported as violations (Monitor) or blocked outright (Protect) the moment it starts.
