6 Things Partners And Customers Can Do To Make Containers More Secure In The Cloud
Stopping The Spread Of Vulnerabilities
Container technology allows organizations to reduce their attack surface and streamline and simplify their development process in a manner that allows for continuous iteration and improvement. Allowing for software to run reliably in a multitude of computing environments via containers, however, exposes companies to both new and enhanced security risks.
For starters, any vulnerabilities in the container host kernel could provide a way into the containers that are sharing it. But the security of containers has been enhanced in recent years by having administrators sign container images to ensure that untrusted ones aren't deployed.
It doesn't end there, though. Containers should continue to be scanned after signing in the event that any new, exploitable vulnerabilities emerge. From orchestration and pen testing to securing each piece of the application to leveraging the work of containers providers, here's what partners and customers can do to maximize the security of their containers.
Vulnerability And Pen Testing
Containers have become an essential component in the application deployment fabric, ensuring that companies can do continuous integration and delivery in a very repeatable manner, according to Rohit Gupta, group vice president, cloud security for Redwood Shores, Calif.-based Oracle.
"From a development lifecycle standpoint, containers have these days become the foundational building blocks of what modern digital enterprises use," Gupta said.
Container security has become embedded into the DevOps process, Gupta said, with classic vulnerability and pen testing conducted out of the gate to ensure the container is clean. Before deployment, Gupta said users should ensure there aren't any vulnerabilities, and that whatever's in the container is being continuously monitored.
Container security can address both static and dynamic vulnerabilities the container is exposed to, Gupta said, ensuring that the proverbial well isn't poisoned during deployment.
Change The Application Code
Containers are yet another way of looking at host-based security akin to bare metal and virtualization, according to Brian Roddy, vice president of cloud security at San Jose, Calif.-based Cisco Systems. As a result, Roddy said there's some consistency across the board around how to secure any individual host.
Container providers such as Istio and Kubernetes provide nice tools that can be used to apply security policies as well as chain in new security services into a micro-services framework, Roddy said. Kubernetes' increasing dominance in the space will help accelerate development around containers since most everyone will be using the same technology, according to Roddy.
In order for things to be container-native, Roddy said the code of the application itself must be changed to support that model. This is fairly easy to do for the hypervisor or virtualization models, Roddy said, but will take a while when dealing with bare metal servers.
Scanning And Orchestration
Containers require registry scanning, orchestration protection, and host OS security, according to Dean Darwin, senior vice president of sales and channel strategy for Santa Clara, Calif.-based Palo Alto Networks. But when it comes to specific container threats around searching models and visibility segmentation, Darwin said there's still work to be done.
Organizations should keep an eye on the entire container architecture as it goes through visibility scanning and orchestrated protection, Darwin said. The threats usually come in through endpoint or network insertion and attack containers just like they would virtual private clouds or VMs today, according to Darwin.
Given the east-west traffic going between containers, Darwin said organizations run the risk of having the containers themselves infected and then having that replicated throughout the entire network. In-line defense is typically used with the containers sitting behind it, though Darwin said the protection is a little bit different since it's container-based rather than VM-based.
Pay Attention While Configuring
Containers tend to be configured in very vulnerable ways since many people are unfamiliar with how they work, according to Ryan Kalember, senior vice president of cybersecurity strategy for Sunnyvale, Calif.-based Proofpoint. Specifically, Kalember said the complex deployment process for containers makes some of the risk a little harder to understand.
"They're just less well-understood than traditional servers," Kalember said.
Kubernetes is fairly complicated to deploy and introduces a whole lot of new concepts, Kalember said. In addition, Kalember said security often ends up being an afterthought when new things are being introduced into the software development lifecycle since the company is just trying to make it work.
Containers in theory remove much of the attack surface that an individual server has, Kalember said, forcing bad actors to find vulnerabilities in a slightly different way.
Lean On Container Providers And Partners
Container technology like Kubernetes makes it much easier to orchestrate, scale, operate and deploy micro-services since the dev team can innovate in parallel with the threat team and in-line activity, according to Sanjay Beri, CEO of Los Altos, Calif.-based Netskope. In contrast, Beri said a traditional operations cycle takes upwards of a week, with deployments only possible every so often.
Docker has attempted to offer container security in its enterprise version, Beri said, while Kubernetes has typically promoted third parties to do it. It remains to be seen how much security is ultimately embedded into the container environment, Beri said, as well as the extent to which an ecosystem of container partners can be built.
For instance, Beri said Netskope has begun examining, assessing and correcting configurations for instances, logs, or VMs in Amazon A3. It is still unclear whether the same thing can be done in containers, according to Beri.
Embed Security Into Each Piece Of Application
There are specific opportunities for containers to play in areas such as business logic and non-commodity technology where there isn't a Platform as a Service (PaaS) option, according to Daniel Spurling, director, cloud and transformation for Seattle-based Slalom Consulting, No. 37 on the 2018 CRN Solution Provider 500.
Organizations have to take ownership of the protection associated with cloud portability and secure the container platforms themselves, Spurling said. By embracing containers, Spurling said businesses lose out on the opportunity they had to remove ownership of that risk by handing off the data service, message bus service, or some type of caching service.
But by moving from more legacy or heritage code bases to the containerization of software, Spurling said organizations can embed security much more deeply into each piece of the application rather than just having a secure front door. Having security at each point of the application reduces the potential for land-and-expand-type attacks, Spurling said.