Educause Security Discussion mailing list archives

Container Security


From: Jason Borinski <jason.borinski () DEXCOM COM>
Date: Tue, 4 Jun 2019 01:10:30 +0000

Hi all,

I'm looking for input from this group on how you are handling container security. Are you primarily relying on native 
container platform features, open source or commercial third party tools? We're ramping up our use of Google Kubernetes 
Engine (GKE) and are both assessing its native security features while also considering third party tools to augment 
capabilities, particularly around detection/response.

On the plus side GKE seems to have cluster/node security covered. Google also offers a number of native add-on services 
such as Container Analysis<https://cloud.google.com/container-registry/docs/container-analysis> (image scanner, still 
in beta), Cloud Security Scanner<https://cloud.google.com/security-scanner/> (lightweight web app scanner), and Event 
Threat Detection<https://cloud.google.com/event-threat-detection/> which shows promise but has recently been put on 
hold. There is a WAF in alpha for Cloud Armor<https://cloud.google.com/armor>. Cloud Security Command 
Center<https://cloud.google.com/security-command-center/> shows promise but has so far been underwhelming. These 
add-ons seem to be low in maturity and lacking threat detection and response capabilities.

So evidently NGFW/IPS is out of fashion and kludgy for container security, so we're exploring cloud-native security 
architectures. Also looking at third party products - does anyone have any experience with tools like Twistlock, Aqua, 
Stackrox, or Trend Deep Security? If so would appreciate your recommendations or lessons learned.

Thank you,
Jason

Jason Borinski
Senior Manager Information Security | Dexcom
6350 Sequence Drive, San Diego, CA 92121
858-203-6178 | jason.borinski () dexcom com<mailto:jason.borinski () dexcom com>
