As the demand for software applications grows exponentially, so does the need to secure the software supply chain, and one sure way to make a software development process more secure is to switch from a public registry to a private one.
One thing is for sure: protecting all the data in a software supply chain is a complex task that involves much more than just choosing an enterprise-level password management system, and it’s an effort that software developers can’t avoid.
A few months ago Mirantis launched version 3.0 of its Mirantis Secure Registry (MSR), so we asked their Field CTO, Shaun O’Meara, to explain the benefits of having a secure software supply chain, and how MSR helps achieve that.
How did Mirantis start, and how has it evolved so far?
Mirantis was established in 2005, empowering developers and innovators to create extraordinary products and services by automating the discovery, integration, and operation of the best cloud and open-source software for their unique needs. Mirantis delivers tools and services that enable easy delivery of cloud native applications in the most efficient manner, ensuring that developers and operators can focus on building value for their customers. Mirantis provides a fully-managed, as-a-service experience across any platform from on-prem to public cloud. Mirantis is a leading open-source contributor to Lens, Kubernetes, OpenStack, and numerous other open cloud technologies.
We are privately-held with over 600 employees in locations worldwide and continue to encourage developers by providing the best data and cloud experience possible. Mirantis serves a wide range of industries, such as financial services, government & education, healthcare, manufacturing, and telecommunications providing distinct value.
What services do you offer?
Mirantis offers three types of services: world-class support, training and professional services for those critical skills needed to deploy and manage your Cloud-Native and Kubernetes infrastructure. Our OpsCare Managed Services & Support provides 24×7 access to support teams located across the globe to help manage your infrastructure.
Mirantis provides certified experts with world-class skills for operations, security, or development services to help address a customer’s unique requirements and objectives, guaranteeing a successful future and giving their team the ability to focus on development and innovation versus management. Lastly, we want others to learn about cloud technologies, and we provide hands-on courses on how to deploy cloud technologies – in production and at scale. We empower our customers throughout their journey in the Cloud.
Can you tell us a little bit about your Mirantis Secure Registry (MSR)? What made you decide to build it?
Yes, Mirantis Secure Registry (MSR) provides a container registry solution that protects your deployments at every step, ensuring images are scanned for common vulnerabilities and exposures and managed to protect the cloud-native environment from risks while controlling the promotion of images from the testing stage to the production stage. We built this product to guarantee the security and integrity of images and Helm charts being deployed into your infrastructure to meet all your security requirement needs. This is a crucial factor when delivering a secure software supply chain for all our customers.
A secure software supply chain includes everything that is necessary to deliver our applications into production. It has become a long, complex, tangled web of different software components that, when brought together, work in unison to deliver the functionality required for an application. This complex web enables developers to build applications faster and with lower effort by using pre-existing tools and libraries available from a myriad of sources.
As software supply chains continue to grow and intensify, Mirantis Secure Registry – a highly secure platform for enterprises to leverage containers and workflows across the software lifecycle – provides the essential tools to organize and accelerate.
What are the reasons to choose a private registry instead of a public one?
There are many reasons to choose a private registry instead of a public one. Firstly, container registries are repositories for container images — standalone packages of software that can be executed by container engines to quickly build and run applications and all their dependencies. Registries are often run by organizations involved in cloud technology (such as Google, Docker, or Amazon) and they can be either public or private; however, we see more organizations using private registries to increase the security of an environment.
Private registries can be hosted in-house or by an external provider, though enhanced privacy, security, and governance capabilities such as role-based access control and image scanning are only available when using private registries. This provides an organization with the control to inspect their container environment and dictate who can interact with it and how.
Whether a customer needs to meet regulatory compliance obligations or harden the supply chain, enterprises require a reliable private repository like Mirantis Secure Registry (MSR). Mirantis Secure Registry (MSR) is not only designed to meet all security needs but to simplify and accelerate workflows, granting role-based access control (RBAC), image scanning, image signing and policy-based image promotion, and it runs on Kubernetes. These features help streamline development and delivery, all on a private registry, leaving room for minimal security risks.
What are the most common cyber threats caused by not having a secure registry?
The most common cyber threats caused by not having a secure registry are lack of awareness around vulnerabilities and supply chain attacks. A great example of lack of awareness around vulnerabilities is SSL which is a critical component to most applications’ security. If SSL has a security vulnerability and an update is released, any software with the previous SSL version could be exposed to this threat. Any CVE within the registry itself will provide an attacker with another surface to potentially gain unauthorized access to your images or worse, manipulate or destroy them.
Mirantis puts significant effort into eliminating any identified CVEs in the product itself, while MSR also provides the ability to scan images in the registry for known CVEs, with daily updates to the CVE database, protecting users against newly-identified security vulnerabilities in their existing stored images.
The other comment on cyber threats – the risk of “supply chain attacks” – is where you cannot validate that the image you are installing is the original, unadulterated one. Without any form of image signing someone could replace or infect the image with malware, and you will potentially never know. MSR provides the ability to sign images and to enforce signed images, ensuring the integrity of the software being run by its users.
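The two controls described in this answer (scanning stored images against a CVE database, and refusing images whose signature does not match their content) and the policy-based image promotion mentioned in the previous answer can be shown together as one promotion gate. The following is an added illustration, not MSR's own code or API: it computes a content-addressable digest of a small image manifest, signs that digest (an HMAC stands in for the asymmetric signatures a real registry such as Notary/Docker Content Trust uses), matches the manifest's package versions against a constructed vulnerability feed with placeholder identifiers, and decides whether the image may move from a test repository to a production one. The key, feed, manifests and severity threshold are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. Stand-in for the registry's signing key; a real
# registry (e.g. Docker Content Trust / Notary) uses asymmetric keys.
DEMO_SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed CVE feed: package name -> list of (vulnerable version, id, severity).
# The ids are placeholders, not real CVE identifiers.
DEMO_CVE_FEED = {
    "openssl": [("1.1.1k", "CVE-PLACEHOLDER-1", "HIGH")],
    "zlib": [("1.2.11", "CVE-PLACEHOLDER-2", "MEDIUM")],
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def manifest_digest(manifest):
    """Content-addressable digest of an image manifest (canonical JSON, SHA-256)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canonical).hexdigest()


def sign_manifest(manifest, key=DEMO_SIGNING_KEY):
    """Sign the manifest digest. HMAC stands in for an asymmetric signature here."""
    return hmac.new(key, manifest_digest(manifest).encode(), hashlib.sha256).hexdigest()


def verify_signature(manifest, signature, key=DEMO_SIGNING_KEY):
    """True only if the signature matches the digest of the manifest as presented."""
    if not signature:
        return False
    expected = sign_manifest(manifest, key)
    return hmac.compare_digest(expected, signature)


def scan_packages(packages, feed=DEMO_CVE_FEED):
    """Match installed package versions against the feed; return findings."""
    findings = []
    for name, version in packages.items():
        for vuln_version, cve_id, severity in feed.get(name, []):
            if version == vuln_version:
                findings.append((name, version, cve_id, severity))
    return findings


def promotion_decision(manifest, signature, block_at="HIGH",
                       key=DEMO_SIGNING_KEY, feed=DEMO_CVE_FEED):
    """Gate for promoting an image from a test repository to a production one.

    Returns (allowed, reasons). Rejects unsigned or tampered images and images
    carrying a known vulnerability at or above the `block_at` severity.
    """
    reasons = []
    if not verify_signature(manifest, signature, key):
        reasons.append("signature missing or does not match manifest digest")
    for name, version, cve_id, severity in scan_packages(manifest.get("packages", {}), feed):
        if SEVERITY_RANK[severity] >= SEVERITY_RANK[block_at]:
            reasons.append(f"{name} {version}: {cve_id} ({severity})")
    return (not reasons, reasons)


# Constructed sample manifests (package versions chosen to hit or miss the demo feed).
CLEAN_IMAGE = {"name": "app", "tag": "1.4.0",
               "packages": {"openssl": "1.1.1n", "zlib": "1.2.12"}}
VULNERABLE_IMAGE = {"name": "app", "tag": "1.3.9",
                    "packages": {"openssl": "1.1.1k", "zlib": "1.2.12"}}
MEDIUM_ONLY_IMAGE = {"name": "app", "tag": "1.3.8",
                     "packages": {"openssl": "1.1.1n", "zlib": "1.2.11"}}


def demo():
    """Run the gate over the sample images, including a tampered copy of a signed one."""
    results = {}
    results["clean"] = promotion_decision(CLEAN_IMAGE, sign_manifest(CLEAN_IMAGE))
    results["unsigned"] = promotion_decision(CLEAN_IMAGE, None)
    results["vulnerable"] = promotion_decision(VULNERABLE_IMAGE, sign_manifest(VULNERABLE_IMAGE))
    results["medium_only"] = promotion_decision(MEDIUM_ONLY_IMAGE, sign_manifest(MEDIUM_ONLY_IMAGE))
    # Tampering: the signature was issued for the clean image, but a package
    # was swapped afterwards, so the digest no longer matches.
    tampered = dict(CLEAN_IMAGE, packages={"openssl": "1.1.1k", "zlib": "1.2.12"})
    results["tampered"] = promotion_decision(tampered, sign_manifest(CLEAN_IMAGE))
    return results


if __name__ == "__main__":
    for label, (allowed, reasons) in demo().items():
        print(f"{label}: {'ALLOW' if allowed else 'BLOCK'} {reasons}")
```

Two points the gate makes concrete: a signature binds to the manifest digest rather than to a mutable tag, so swapping a layer after signing is caught even when the tag still looks right; and because the scan runs at promotion time against the current feed, an image that was clean when it was pushed is re-evaluated when the feed changes, which is what "daily updates to the CVE database" buys you for images already stored in the registry.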
You’re not the only one offering private registries. What makes MSR stand out from the competition?
Yes, you are correct – we are not the only one offering private registries, though Mirantis Secure Registry (MSR) stands on its own when compared to our competition. Security is often an afterthought during application development and lifecycle management, leading to images that contain vulnerabilities and putting an entire environment at risk. Mirantis Secure Registry treats security as a priority: it is a system that can easily be integrated to be the core of an effective secured supply chain.
Mirantis Secure Registry (MSR) gives you the choice of orchestration with zero lock-in – it is packaged with our Mirantis Kubernetes Engine (MKE) and Mirantis Container Cloud (MCC) products. When obtaining MKE, the secure registry is present by default, protecting your organization from any vulnerability. However, MSR can be deployed on any Kubernetes distribution (Amazon EKS or other Kubernetes offerings), granting users access to an image registry that has enhanced levels of security, along with 24/7 support guaranteeing zero downtime when an issue occurs. The Mirantis team will not leave you stranded to figure it out.
How do you envision the future of cybersecurity? What technologies and trends will be key in the upcoming years?
The future of cybersecurity clearly lies in the realms of AI and machine learning. But it’s important not to forget that these amazing technologies are far from being the whole story.
Software is something people make, test and authorize for production release, and then it’s a complex web of things that people use. So human errors, fallibility, the pressure to deliver software on schedule – all this stuff is absolutely critical to security. Over the next 5-10 years, we expect to continue improving tools for building and operating software-development workflows and dev/test/production platforms – and a lot of the ‘security improvements’ we expect to emerge may look like improvements in ease-of-use, user experiences that are more clear and informative, automation of best practices, and implementation of intelligent defaults recommended by the community (i.e., the largest, smartest technology workforce in the world, every one of whom has skin in the game of making things more secure). Ultimately, given increasing complexity of all these interdependent systems, making defaults smarter, helping people make good vs. bad decisions, and making mistakes harder to make is all massively important.
We expect continuous improvement in malware detection, better frameworks for encrypting more and more with less cognitive load and specialized skill required of developers, better methods of policy management so that questionable workloads aren’t executed, better hardware-assisted encryption options. And a defense-in-depth technology strategy means we’ll leverage all of this, potentially, in our products. We already see industry adopting what is commonly thought of as ‘mil spec’ security standards, and this general raising-the-bar is a good thing. Ideally, everything should be impregnable and the cost of making it so should be reasonable, in terms of time and money. Organizations should never be tempted towards a calculus that says “we can deliver faster and be first to market if we make the security just good enough.”
Meanwhile, AI/ML is having impacts everywhere. Obviously in malware detection, static analysis, traffic anomaly analysis, etc. Soon in security analysis of real-time system behavior, as an offshoot of AI-based automated operations. Software development is already being impacted. AI-assisted software writing, like GitHub Copilot, in fact, is currently getting a thumbs-up from devs, not so much from OSS projects, and much-more-cautious examination by security experts, who see it as a way of potentially pasting exploit DNA into applications. Meanwhile, more AI may fix that: AI/ML is now being used by researchers to generate new exploits and find weaknesses in existing code.
Bottom line: it’s going to be interesting, at times scary, and customers need partners who are looking ahead with serious focus at emerging threats and mitigations, and helping them stay ahead of many curves.
Lastly, what’s in the future for Mirantis?
The future for Mirantis looks very promising. As organizations continue to transition to cloud native environments, security measures will need to be specifically tailored and managed for those environments. Mirantis intends to continue delivering products and services that will simplify complexity – allowing developers to build and deploy cloud native applications. Mirantis will provide the support and security needed for organizations to accomplish their goals as they branch into a cloud native environment.