Q. What is being announced?
On January 7, 2021, Red Hat announced that it has signed a definitive agreement to acquire StackRox. The acquisition is subject to certain customary closing conditions.
Q. What is StackRox?
StackRox offers the industry’s first Kubernetes-native security platform which protects cloud-native apps across the full lifecycle — build, deploy, and runtime. By using a Kubernetes-native architecture, organizations can more easily control and enforce policies, using the same declarative approach as Kubernetes to scale their applications while still maintaining their necessary security posture.
The StackRox software provides visibility across all Kubernetes clusters, by directly deploying lightweight components for enforcement and deep data collection into the Kubernetes cluster infrastructure, reducing the time and effort needed to implement security, and streamlining security analysis, investigation and remediation. StackRox also helps customers “shift left” to secure containerized applications earlier in the development lifecycle and enable DevSecOps.
Q. How many people are employed by StackRox and where are they located?
StackRox has approximately 60 employees and is headquartered in Mountain View, California.
Q. What does StackRox bring to Red Hat and how do StackRox’s products complement Red Hat’s commercial offerings?
StackRox is strategically aligned with Red Hat’s view on offering security capabilities that enable a full-stack solution for those looking for enterprise-ready hybrid cloud solutions. Red Hat already has a robust portfolio of Kubernetes and container management solutions, including OpenShift, the industry’s leading enterprise Kubernetes platform, which provides a layered approach to security and Red Hat Advanced Cluster Management for Kubernetes, which provides end-to-end visibility and control for all your Kubernetes clusters.
Completing this acquisition would allow Red Hat to further expand its security leadership, adding StackRox’s complementary capabilities to strengthen integrated security across its open hybrid cloud portfolio with greater simplicity and consistency. With StackRox, Red Hat will focus on transforming how cloud-native workloads are secured by expanding and refining Kubernetes’ native controls, as well as shifting security left into the container build and CI/CD phase, to provide a cohesive solution for enhanced security up and down the entire IT stack and throughout the lifecycle.
Specific plans and timeline around integrating the product into the Red Hat portfolio will be determined once the transaction closes. Red Hat is committed to continuing to support StackRox customers once the acquisition closes.
Q. Who uses StackRox’s offerings today?
StackRox has customers across different regions and industry verticals, including SaaS, FinTech, and government agencies. As StackRox CEO noted in a blog on this news, “Today, DevOps and Security teams at cloud-native companies, Fortune 500 companies and government agencies, rely on StackRox to implement security and compliance policies across the entire container lifecycle.”
StackRox’s software is included as a Kubernetes-native container security platform in the Iron Bank artifact repository, certified for compliance with the U.S. Department of Defense (DoD) Enterprise DevSecOps Container Hardening guide and accredited for use by the DoD to enable automated testing and container security.
Q. What can customers do with StackRox’s technology?
Customers can use StackRox to enhance their container and Kubernetes security posture across clusters with:
- Comprehensive visibility, including views of:
- deployments, including images, pods, and configurations;
- network traffic, spanning namespaces, deployments, and pods;
- critical system-level events in each container; and
- asset and inventory information and tracking.
- Vulnerability management, including:
- scanning images for known vulnerabilities based on specific languages and packages and by image layer with vulnerabilities correlated to running deployments, not just images.
- enforcing policy enforcement based on vulnerability details – at build time using CI/CD integrations, at deploy time using dynamic admission controls, and at runtime using native Kubernetes controls.
- Configuration management by:
- delivering pre-built DevOps and security policies to identify configuration violations related to network exposures, privileged containers, processes running as root, and compliance with industry standards;
- analyzing Kubernetes role-based access control (RBAC) settings to determine user or service account privileges and misconfigurations;
- tracking secrets and the deployments that use them to limit access;
- analyzing Kubernetes YAML files and Helm charts with KubeLinter, the open source linter, for privileges, labes, root user, resource requirements; and
- enforcing configuration policies at build time with CI/CD integration and at deploy time using dynamic admission control.
- Compliance, enabling users to:
- assess compliance across hundreds of controls for CIS Benchmarks, PCI, HIPAA, and NIST SP 800-190;
- deliver at-a-glance dashboards of overall compliance across each standard’s controls with evidence export to meet auditors’ needs; and
- drill down into compliance details to pinpoint clusters, nodes, or namespaces that don't comply with specific standards and controls.
- Network segmentation, by:
- visualizing allowed vs. active traffic between namespaces, deployments, and pods, including showing external exposures;
- simulating network policy changes before they’re implemented to minimize operational risk to the environment;
- baselining network activity and recommend new Kubernetes network policies to remove unnecessary network connections; and
- using network enforcement capabilities built into Kubernetes to enable consistent, portable, and scalable segmentation.
- Threat detection, by:
- monitoring system-level events within containers to detect anomalous activity indicative of a threat with automated response using Kubernetes-native controls;
- baselining process activity in containers to automatically whitelist processes, eliminating the need to manually whitelist;
- using pre-built policies to detect crypto mining, privilege escalation and various exploits; and
- enabling flexible system-level data collection using either eBPF or a kernel module across every major Linux distribution;
- Incidence response, by applying anomaly detection to pinpoint suspicious runtime behavior and supporting a range of responses with the ability to alert on such activity or kill the impacted pods or containers. When a pod has been impacted, before any actions are taken, forensics data is collected and sent to security information and event management (SIEM).
- Risk profiling, by:
- ranking running deployments according to their security risk, leveraging Kubernetes data to prioritize vulnerabilities using configuration or deployment details as well as runtime activity.
- tracking improvements in the security posture of Kubernetes deployments to validate the impact of actions.
- Integration with DevOps systems by providing a rich API and pre-built plugins to integrate with CI/CD tools, image scanners, registries, container runtimes, SIEMs, and notification tools.
Q. I’m a StackRox customer - what does this deal mean for me? Who do I call for support?
StackRox will continue to provide service and support as required through and following the closing of the acquisition. Customers should contact StackRox for support as they did before the announcement. After the acquisition closes, we believe that StackRox customers will benefit from Red Hat’s industry-leading container and Kubernetes expertise and world-class support.
Q. Can customers continue to use StackRox technology with other Kubernetes platforms?
Yes. In addition to Red Hat OpenShift, StackRox will continue to support multiple Kubernetes platforms, including Amazon Elastic Kubernetes Service (EKS), Microsoft Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE).
Q. What does this mean for existing Red Hat customers?
Red Hat customers will benefit from StackRox’s complementary Kubernetes-native security solutions. Our specific plans and timeline around integrating the product into the Red Hat portfolio will be determined once the transaction closes.
Q. What does this mean for existing Red Hat technology partners?
Red Hat will continue to work closely with our ecosystem of partners, including our container and Kubernetes security partners. We expect StackRox’s capabilities to provide added value to our partners’ technologies as they relate to Red Hat’s portfolio, and to jointly enable rapid adoption of hybrid cloud architectures. Red Hat believes strongly in providing choice to our customers to facilitate innovation and flexibility.
Q. How involved is StackRox in upstream open source communities?
StackRox’s solutions are Kubernetes-native and use open source technologies. In October 2020, StackRox launched KubeLinter, an open source project that analyzes Kubernetes YAML files and Helm charts for correct configurations, with a focus on enabling application production readiness and security earlier in the development process. StackRox has also contributed to the broader Kubernetes ecosystem, specifically via the grpc and d-graph/badger projects.
We expect StackRox’s contributions to open source communities to increase as Red Hat works to open source its offering following closing.
Q. Does Red Hat plan to open source StackRox's technology?
Yes. Red Hat has long shown its commitment to open-sourcing the technology it acquires when it is not open source, and we have no reason to expect a change in this approach. Our specific plans and timeline will be determined following the closing of the transaction.
Q. Does Red Hat plan to continue to foster the KubeLinter developer community post acquisition?
Yes. Red Hat has a long history of successfully guiding open source communities. KubeLinter community members can feel confident that Red Hat will continue to foster this ecosystem following the closing of the acquisition. As we open source any other technologies in the future, we plan to support those communities as well.