Red Hat Unveils New Levels of Security from the Software Supply Chain to the Edge

BOSTON, RED HAT SUMMIT: Red Hat, Inc., the world’s leading provider of open source solutions, today announced new security innovations and capabilities across its portfolio of open hybrid cloud technologies. Designed to help organizations mitigate risks and meet compliance requirements across increasingly complex IT environments that mix cloud services, traditional systems and edge devices, these enhancements are intended to minimize complexity, while helping customers improve their security posture and enable DevSecOps.

According to Red Hat’s 2021 Global Tech Outlook report, 45% of respondents put IT Security as their top funding priority. IT security, however, is not a static demand – regulatory controls, compliance demands and threat actors shift on an almost daily basis, requiring almost constant vigilance from IT security teams.

Red Hat has long been a leader in security for enterprise open source solutions, beginning with Red Hat Enterprise Linux, viewing security as a fundamental component and not an add-on. KuppingerCole Analysts recently recognized Red Hat as the Overall Leader in its Leadership Compass for Container Security. According to KuppingerCole’s evaluation, “With a massive market presence and proven expertise in container management, enhanced by the recent acquisition and integration of StackRox, a leading container security company, Red Hat is recognized as the Overall Leader in this Leadership Compass.”

With today’s news, Red Hat continues a relentless march of innovation to advance security across hybrid cloud environments—from on-premises to multi-cloud to the edge—across the entire technology lifecycle and software stack.

Enhancing software supply chain security

Securing applications from development through the entire lifecycle can be complex and frequently requires multiple components to work together. To help simplify the process of implementing security features throughout the complete build, deploy and run process, Red Hat is introducing a software supply chain security pattern.

Delivered via Red Hat OpenShift, patterns deliver complete stacks as code and define, build and test the necessary software configurations. Available as a preview, the software supply chain security pattern will bring together the necessary components to architect cloud-native applications from trusted components.

The pattern uses a Kubernetes-native, continuously-integrated pipeline through Red Hat OpenShift Pipelines and Red Hat OpenShift GitOps for version control, helping to reduce complexity and save time. Additionally, through Tekton Chains, the pattern will incorporate Sigstore, an open source project aimed at making cryptographic signing of code more accessible. This addition makes it easier for artifacts to be signed in the pipeline itself rather than after application creation.

In addition, in Red Hat Ansible Automation Platform 2.2, Red Hat is introducing a technical preview of Ansible content signing technology. The new capability helps with software supply chain security by enabling automation teams to validate that the automation content being executed in their enterprise is verified and trusted.

Enhancing application security lifecycle from the datacenter to the edge

As organizations adopt cloud-native architectures, the core enterprise needs for hardened environments, lowered attack surfaces and faster detection and response to threats remain. Applications running outside of traditional IT environments, including at the edge, introduce further security requirements that compound these already complex challenges.

Beyond the physical security requirements of edge devices, CIOs and IT decision-makers are increasingly seeing a need to protect the container workloads running on these devices. An example could be implementing strategies and capabilities to prevent the lateral movement of potential attacks or breaches across edge deployments. Red Hat Advanced Cluster Security for Kubernetes brings a deployment-ready answer to these concerns, with key capabilities to protect edge workloads, including:

  • Automated DevSecOps in the CI/CD pipeline to help protect the software supply chain for edge environments through vulnerability management, application configuration analysis and CI/CD integration
  • Threat protection provides threat detection and incident response capabilities at runtime for common threats
  • Network segmentation to enforce workload isolation, analyze container communication and detect risky network communication paths

Integrated security starts with the operating system

In the 2022 Gartner® Board of Directors Survey, 88% of board members classified cybersecurity as a business risk; just 12% called it a technology risk [1]. The broad ramifications of a cyber attack or data breach have led to increased scrutiny across IT environments by investors and regulators alike. Fortifying IT environments against these potentially damaging incidents is critical, and Red Hat believes that this effort starts at the foundation, at the operating system level, with Red Hat Enterprise Linux.

Red Hat Enterprise Linux 9 lays the foundation for runtime integrity verification of the operating system and application files by providing file digital signatures within RPM packages. The platform uses integrity measurement architecture (IMA) at the kernel level to verify individual files and their provenance. IMA file verification specifically helps to detect accidental and malicious modifications to systems, providing more remediation capabilities for security teams in addressing potential issues or breaches.

Additional key security features in Red Hat Enterprise Linux 9 include:

  • Enhanced security around root privileges by disabling root login via SSH by default. This helps to prevent the discovery of root passwords through brute force attacks and improves the baseline security posture of an operating environment.
  • Support for the latest cryptographic frameworks with the integration of OpenSSL 3. This enables IT teams to enact new ciphers for encrypting and protecting sensitive information.
  • Bolstered security best practices by disabling the cryptographically broken SHA-1 hash function by default for digital signatures, driving improved security hygiene.
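The first item above, root login over SSH disabled by default, comes down to one sshd_config directive, and verifying it on a fleet is harder than grepping for it: sshd honours the first occurrence of a keyword and treats anything after a Match line as conditional. The following audit script is an added example, not Red Hat's code; it reads sshd_config text from stdin and a constructed sample config, and the policy function's list of "password login blocked" values is the script's own assumption.

```shell
#!/bin/sh
# Added example, not Red Hat's code: find the effective PermitRootLogin
# value in an sshd_config, the setting behind RHEL 9's "root login via
# SSH disabled by default". Two sshd_config rules matter to an auditor:
#   * the FIRST occurrence of a keyword wins, later ones are ignored;
#   * anything after a "Match" line is conditional, not the global value.
# Config text is read from stdin so the check runs on any host.

sshd_effective_root_login() {
  awk '
    {
      line = $0
      sub(/^[ \t]+/, "", line)                        # leading whitespace
      if (line == "" || substr(line, 1, 1) == "#") next  # blank / comment
      gsub(/[ \t]*=[ \t]*/, " ", line)                # "Key=value" spelling
      split(line, f, /[ \t]+/)
      key = tolower(f[1])
      if (key == "match") exit                        # rest is conditional
      if (key == "permitrootlogin") { print tolower(f[2]); found = 1; exit }
    }
    END { if (!found) print "unset" }
  '
}

# Returns 0 when the value rules out password guessing against root.
# "unset" falls back to the compiled-in default (prohibit-password since
# OpenSSH 7.0); a hardened baseline should still set the value explicitly.
ssh_root_password_login_blocked() {
  case "$1" in
    no|prohibit-password|without-password|forced-commands-only|unset) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample: the later "no" never takes effect because the
# earlier "yes" wins, and the Match block only applies to user backup.
SAMPLE_CONFIG='Port 22
# legacy line that nobody removed; sshd honours this one
PermitRootLogin yes
PermitRootLogin no
Match User backup
    PermitRootLogin no'

value=$(printf '%s\n' "$SAMPLE_CONFIG" | sshd_effective_root_login)
if ssh_root_password_login_blocked "$value"; then
  echo "PermitRootLogin=$value: root password login blocked"
else
  echo "PermitRootLogin=$value: root password login POSSIBLE, fix the first directive"
fi
```

On a real host, feed it the merged view sshd itself uses (`sshd -T`) rather than a single file, since Include directives can pull in drop-in files.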

Additionally, Red Hat and IBM Research are collaborating around expanding the core security aspects of the Linux kernel, such as through support for signing and verifying elliptic curve digital signatures. This work expands the algorithms supported and reduces the size of digital signatures used throughout the Linux kernel.

Availability

The software supply chain security pattern is expected to be available in the coming months. Red Hat Enterprise Linux 9 will be generally available in the coming weeks. Red Hat Advanced Cluster Security for Kubernetes is generally available now and can be accessed here.

Supporting Quote

Vincent Danen, vice president, Product Security, Red Hat

“IT security isn’t tied to a software edition or an add-on module; it needs to be baked into whatever technology an organization chooses, starting from the operating system foundation to the application level. The enhanced security capabilities across Red Hat’s hybrid cloud portfolio are intended to help deliver less complex operations with high levels of security no matter where an organization operates. This is Red Hat’s commitment to DevSecOps – making security not something bolted on, but a seamless integral part of moving applications from development to production to assist IT teams, both technically and organically.”

About Red Hat, Inc.

Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies. Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.

Red Hat, the Red Hat logo and OpenShift are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the U.S. and other countries.

[1] Gartner, Marketing insights, What Is Cybersecurity?, as on 25th April, 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
