Post on 29-May-2020

13 views

Category:

Documents


0 download

TRANSCRIPT

Securing Hybrid Kubernetes Workloads on Google Anthos

Google introduced Anthos to allow organizations to build their Kubernetes workloads once and run them anywhere. Customers can leverage Anthos’ hybrid functionality to deploy their clusters in their own data centers, with GKE on prem and in the cloud, and on third-party cloud platforms such as Amazon Web Services (AWS) or Microsoft Azure. To take advantage of the portability of Anthos, however, organizations need to take specific steps to protect these workloads.

In sprawling Kubernetes environments that span multiple clouds as well as on-premises data centers, attaining security parity can be difficult. Much like Kubernetes enables workload portability, Kubernetes-native security enables a portable security architecture. In multi-cloud deployments, organizations need security tooling that can consistently enforce the same set of security policies across all workloads and environments and remove security gaps and blind spots.

The StackRox Kubernetes Security Platform integrates with Google Anthos to deliver full life cycle container and Kubernetes security across all Kubernetes workloads managed by Anthos—in GCP, multi-cloud, on-premises, and hybrid environments.

Key Benefits

StackRox delivers a broad set of security capabilities for Anthos environments, giving you:

• A single point of control to enforce your security, compliance, and governance policies

• Security that goes wherever your workloads are deployed, without any additional work or operational risk

• A uniform and environment-agnostic security management tool that eliminates security gaps between environments

“StackRox delivers business critical threat detection capabilities to Kubernetes users, and this collaboration enables strong runtime security controls for enterprise applications running on Google Cloud.” – Aparna Sinha, Group Product Manager, Kubernetes and GKE, Google Cloud

[Figure: The StackRox Kubernetes Security Platform, with deep integration with DevOps systems. Capabilities shown: Visibility, Vulnerability mgmt, Compliance, Network segmentation, Risk profiling, Configuration mgmt, Threat detection, Incident response.]

Integrations

Anthos Config Management – Understand the security risk of configuration changes made to your clusters by the Anthos Config Management tool.

Google Kubernetes Engine (in the cloud and on prem) – Get Kubernetes-native visibility, compliance, risk profiling, policy enforcement, and threat detection across all your GKE clusters.

Google Container Registry (GCR) – Secure your images with data from public or private GCR repositories, including vulnerabilities from GCR Container Analysis.

Container-Optimized OS (COS) from Google – Detect attacks in your Kubernetes clusters running on COS at runtime and use multi-factor risk profiling to prioritize the deployments that need immediate fixing.

Google Cloud Security Command Center (Cloud SCC) – Enhance your Cloud SCC dashboard with critical risk context and runtime threat detection for your Kubernetes clusters.

Use Cases

Visibility – see your entire landscape of images, registries, containers, deployments, and runtime behavior

Vulnerability management – go beyond vuln scores to enforce configuration best practices at build, deploy, and runtime

Compliance – check whether your systems meet controls for CIS Benchmarks, NIST, PCI, and HIPAA

Network segmentation – leverage the native controls in Kubernetes to enforce networking policies at scale

Risk profiling – see a stack-ranked list of all deployments with risk factors to identify

Configuration management – apply best practices for Docker and Kubernetes to build your systems securely from the start

Threat detection – use rules, whitelists, and baselining to identify suspicious runtime behavior in your systems

Incident response – take action, from alerting to blocking deployments and killing pods to thwarting runtime attacks

Request a demo today!

[email protected] · +1 (650) 489-6769 · www.stackrox.com

StackRox helps enterprises secure their containers and Kubernetes environments at scale. The StackRox Kubernetes Security Platform enables security and DevOps teams to enforce their compliance and security policies across the entire container life cycle, from build to deploy to runtime. StackRox integrates with existing DevOps and security tools, enabling teams to quickly operationalize container and Kubernetes security. StackRox customers span cloud-native start-ups, Global 2000 enterprises, and government agencies.

LET’S GET STARTED

©2019 StackRox, Inc. All rights reserved.

Why StackRox

Richer context from Anthos

The StackRox platform evaluates risk using a deployment-centric view, incorporating a wide variety of factors derived from Anthos. CVEs aren’t enough: the same vulnerability poses a higher risk in a publicly exposed production service than in an isolated development container. StackRox taps the declarative data in Anthos to prioritize risk, improve visibility, enhance compliance, and enrich all security use cases.

Native enforcement

Deep integration with Anthos and Kubernetes enables the StackRox platform to tap into the power of open source development, providing more robust, scalable security. You get universal, portable controls and full alignment between DevOps and Security. StackRox leverages Kubernetes to contain and respond to security issues, and our visualization and simulation capabilities simplify network policy enforcement and secrets management.

Continuous hardening

The feedback loop at the heart of the StackRox platform applies learnings across the container life cycle to constantly shrink the attack surface. Data from build and deployment enables more accurate detection, and runtime activity monitoring yields.

[Figure: the continuous hardening feedback loop across Build/Deploy and Runtime. Stages shown: Visibility and Asset Management, Risk Profiling, Detection, Response.]