A Zero Trust, Open Source, Cloud Native Security Model

By now, you’ve probably heard about zero trust security. Zero trust is more than the latest tech marketing buzzword; it’s a practical approach to securing container environments. This model emerged as the application/service perimeter began to disappear as we evolved from physical devices to VMs, microservices and finally, distributed workloads in the cloud and at the edge. This evolution has forced improvements in the security model – from a reactive model that uses deny lists and firewalls to protect the known perimeter to proactive, zero trust models. With zero trust, we’re minimizing the attack surface by using an “allow” list that blocks unapproved network connections and processes so that teams can stop attacks before they start and stop zero-day threats by their suspicious behavior activities.  

The dynamic nature of microservices – with shared resources, dynamic IPs and containers that spin up and down quickly – demands real-time automated security. Zero trust models are a logical, practical approach for enterprises to secure container workloads – and something we have been working on at NeuVector as the next-generation cloud native security vendor. Prior to SUSE’s acquisition, the NeuVector team was focused on providing enterprise-grade security capabilities for containerized workloads and data.  

Introducing SUSE NeuVector 5.0

We’re excited to announce the latest release of NeuVector (and our first as part of SUSE): SUSE NeuVector 5.0. This release expands NeuVector’s critical and practical zero trust controls with innovative security functions like zero-drift, which adds another layer of intelligent protection by detecting authorized processes and file activities and stopping rogue processes or malicious executables. Other enhancements to our zero trust workload controls include web application firewall (WAF) and data loss prevention (DLP) protections, automated protection mode migration and improved support for security policy as code automation. Other big improvements like protection mode auto-switch will make behavior learning to protection fully automated. Finally, our integration with the SUSE Rancher Kubernetes gives customers a smooth path to manage security directly through our container management platform.  (Read more about the features in Glen Kosaka’s SUSE NeuVector 5.0 blog post).  

Embracing open source 

Another significant milestone in SUSE NeuVector 5.0 is that it is the first open source release of our enterprise-grade cloud native security platform. Now part of SUSE, NeuVector has adopted SUSE’s commitment to open source. Open sourcing NeuVector furthers our commitment to providing enterprise-grade security capabilities for containerized workloads and data. Kubernetes, the industry’s default container orchestration platform, is driven by its active open source community.  

What’s more, we’re furthering our commitment to open source by contributing the Open Zero Trust (OZT) project to the Cloud Native Computing Foundation (CNCF). Open Zero Trust is the upstream project for SUSE NeuVector. It includes all the core technologies and functions being validated and used by our customers worldwide. We will actively work with the CNCF and our community to grow the project and improve the security for the Kubernetes ecosystem. 

NeuVector’s solid foundation 

Cloud native security platforms have some fundamental requirements. You’ll find them all in SUSE NeuVector 5.0. 

Security must go deep and be able to block at runtime. Vulnerability management, posture hardening, compliance checking, event monitoring and post-analysis are all good practices that are inherent in SUSE NeuVector. For production applications, security needs to be able to block malicious activities in real-time and in the first place. As the most common attack surface, the network must be guarded with proper technology so hackers cannot peek and then attack with zero-day or unpatched Common Vulnerabilities and Exposures (CVEs) or even distributed denial-of-service (DDoS) attacks.   

Security needs to be able to stop the bad modules or containers from rolling into the pipeline.  For example, unpatched Log4J modules should be tagged from the supply chain. With SUSE NeuVector 5.0, the new advanced WAF and DLP sensors can be used to customize and block any suspicious network payload with application context awareness. For example, you can quickly apply a Log4j WAF policy so that all the running clusters will be protected from this type of attack in seconds. 

Security platforms must be easy to use and simple to manage. As a pure container-native solution, SUSE NeuVector can be deployed, managed and updated through any container management platform, including Rancher, OpenShift, Amazon EKS, IBM IKS, Microsoft AKS, Google GKE or vanilla Kubernetes. Whether you are on a single cloud, private cloud or multi-cloud environment, SUSE NeuVector can manage the security for all your clusters together. With Rancher integration in 5.0, single sign-on capabilities make this even easier. 

Finally, security must scale as a service grows — and automation is the best way to manage it. Security as code is not only for the configurations but also should apply for runtime zero trust policies like WAF and DLP policies.  

What’s next for SUSE NeuVector?  

Zero trust security is a reality for cloud native environments. SUSE will continue to build out zero trust controls in NeuVector and help customers migrate to a proactive security model.    

The future will bring further core integration with SUSE Rancher as well as other platforms.  

We are committed to being open — learning, sharing and contributing to open source communities to make the cloud (and beyond) a more secure place to work together. 

To learn more about a smooth and straightforward migration process, watch our Zero trust Security for Kubernetes and Container Workloads webinar.