This post:
- Defines and explains the concept of Runtime Analysis.
- Shows how Runtime Analysis integrates into the DevOps life cycle.
- Provides pointers to Red Hat partners that can help with Runtime Analysis.
September is “runtime analysis” month in Red Hat’s monthly Security series! Since March 2021, the Red Hat Security Ecosystem team has published monthly articles and videos on DevOps Security topics to help you learn how Red Hat can help you master the practice called DevSecOps.
By explaining how to assemble Red Hat products and introducing our security ecosystem partners, we aim to aid in your journey to deploying a comprehensive DevSecOps solution.
Runtime Analysis defined
Runtime analysis methods apply only to a running Kubernetes cluster, and their goal is to provide a defense-in-depth approach to protecting that running cluster. The following security methods make up the runtime analysis category:
- Admission control: functions as a Kubernetes workload gatekeeper that governs and enforces security policies on what is allowed to run on the cluster.
- Runtime application behavioral analysis: examines system activity and intelligently detects suspicious or malicious actions in real time.
- Threat defense, Runtime application self-protection (RASP): responds to detected threats, for example by blocking cyberattacks in real time. Threat defense shouldn’t be confused with threat detection, which is part of behavioral analysis. While most vendors in the runtime analysis category have capabilities in both, we’ve broken these two terms up to highlight their distinct functions.
While the runtime analysis security category may seem a bit light in security functions, it serves as a centerpiece in DevSecOps by consuming or integrating with other security category methods. For example, admission controllers and behavioral analysis typically assess data from vulnerability or compliance scans.
With this in mind, note that Red Hat security partners in this category typically also cover several other categories, such as vulnerability and configuration management, and compliance.
Runtime Analysis integrated in DevSecOps
As pictured in the DevSecOps framework figure here, Runtime Analysis integrations are found on the right side of the DevSecOps life cycle in a running cluster. The table details some, but not all, of the common integrations to consider for Runtime Analysis.
| Integration Point | Description |
| --- | --- |
| Container orchestration | Admission control functions intercept requests to the Kubernetes API to validate resource requests, such as a pod creation. Red Hat OpenShift Container Platform ships with a default set of admission plug-ins that enforce security policies, resource limits, and configuration requirements. One such admission plug-in is the Security Context Constraint (SCC), which specifically controls permissions for pods. Eight SCCs exist in Red Hat OpenShift, and by default the restricted SCC is applied to each new running pod. Two of the restrictions you will see with the restricted SCC are that pods cannot run as privileged and cannot mount host directory volumes. Red Hat partners extend and enhance OpenShift admission control through the webhook admission plug-in: for example, characteristics of or policies about the image, such as vulnerabilities, configuration, and provenance, can be used to pass or fail admission before the pod is created. |
| Running cluster | Behavioral analysis is a generic method that spans many security functions, all intended to detect threats to the running cluster. Monitoring running containers, network traffic, and configuration drift are some examples of what to include when implementing behavioral analysis functions on the cluster. Red Hat Advanced Cluster Security for Kubernetes (RHACS) monitors system-level events and processes within containers to detect suspicious activity, and uses prebuilt policies to detect crypto mining, privilege escalation, and various exploits. Threat defense is both a response to what behavioral analysis discovers and proactive protection against possible malicious activity. While automated remediation responses may seem ideal, they are not always practical where a critical production application would be affected. Another technology worth mentioning for proactive protection is Runtime application self-protection (RASP), which takes defense a step further than a traditional firewall by understanding more about the application's inputs. The RASP market is interesting, but still seems to be in its infancy. Both Red Hat and our security ISV ecosystem provide capabilities in this category to add to a defense-in-depth approach to DevSecOps. |
Enhance and extend Runtime Analysis with Red Hat partners
While Red Hat Advanced Cluster Security for Kubernetes strengthens the layered approach to container and Kubernetes security for Red Hat OpenShift Container Platform, Red Hat continues to work closely with its certified ecosystem of partners to enhance and extend Runtime Analysis capabilities for our customers.
Ultimately, Red Hat remains committed to a broad and deep ecosystem that provides customer choice and facilitates innovation in order to help your organization's DevSecOps practice.
If you are looking to enhance and extend Red Hat’s security capabilities in Runtime Analysis, take a look at the following Red Hat Partners:
- Aqua Security free trial and Operator.
- NeuVector Full Lifecycle Container Security and webinar on egress.
- Palo Alto Prisma Cloud Compute Edition and webinar.
- Sysdig free trial and webinar.
For more information, visit "Modernize and secure applications with DevSecOps," or begin your discussion with us on enhancing container security and adopting DevSecOps.
For similar blog posts on Red Hat’s DevSecOps Framework, search for previous months’ categories (Network Controls, Data Controls, Compliance, Identity and Access, and Vulnerability and Configuration Management) and stay tuned for upcoming posts.
About the author
Dave Meurer currently serves as a Principal Solution Architect on the Red Hat Global Partner Security ISV team, where he owns technical relationships and evangelism with security independent software vendor partners of Red Hat. Before joining Red Hat, he spent nine years in the Application Security industry with Synopsys and Black Duck, where he served in similar roles as the director of technical alliances and sales engineering.
Meurer also worked for Skyway Software, HSN.com, and Accenture in various management and application development roles. When he’s not thinking about Kubernetes, security, and partners, he enjoys being the VP Sales of North Central Tampa for his wife (the CEO) and 5 kids (Inside Sales).