This article originally appeared on VMblog — Link
Technology start-ups today are primarily born in the cloud with a culture of iteration and speed. The DevOps culture allows companies — whether a start-up or not — to push new features, applications, versions, etc. every few hours or even minutes.
Cloud-based applications that are not bound to a single runtime environment have clear advantages for organizations looking to develop and innovate at speed. Container adoption offers portability, efficiency, and high utilization that make it an obvious choice for many developers.
“Every company across the globe is becoming a software company and in order to stay successful, competitive, and secure, companies need to re-think their current cybersecurity strategy for cloud workloads, containers, and serverless environments.”
Though the build pipeline, agility and flexibility are key, they are not typically synonymous with security. On the contrary, security may be seen as a roadblock — the heavy, legacy add-on that halts DevOps style innovation.
Cloud-native DevOps teams may view security as a pesky necessity forced upon them, or an easy-to-ignore afterthought. But it doesn’t have to be that way.
Security can serve a great purpose for containers, potentially even making them more effective and of higher performance. Addressing security upfront can eliminate problems in the future, helping your build sustain and scale reliably as projects and applications evolve.
Teams need to find ways to seamlessly add security to DevOps pipelines without creating friction for developers, allowing everyone to work toward their primary goal of helping to solve customer problems in creative ways.
Why does security matter in containers?
Let’s look at an analogy for security in the cloud to give this some perspective.
While you may not want four tires on their own, they are a required part of owning a car. Even though a car may technically work without them, it’s not going to drive well or last long without tires.
Container security can be thought of similarly. Security may not be something you seek out on its own, but it is a necessary component of an effective container environment to keep it running smoothly and reduce possible security risks in your microservices.
Despite the simplicity of the container itself, the underlying infrastructure can grow to be quite complex. A number of security or compliance-related issues can be born when a container is starting up, and if not addressed, the prevalence of the problem compounds as the infrastructure grows in size and complexity.
This can also be true in terms of the data and information that lives in containers. Whether a business is cloud-native or migrating to the cloud, all types of critical business data are processed in containers. These critical assets would have a significant business impact if leaked or exposed from container applications. Additionally, this data may fall under various compliance and regulatory standards that mandate security minimums are maintained.
“The containers/microservices offer numerous benefits for your business, as long you have the right policies, “right use“, and security tools to protect it from possible mistakes, vulnerabilities and attacks in this very agile environment that are containers.”
What does it mean to secure containers?
Given that containers simply package existing dependencies in a portable format, why would there be any different or additional cybersecurity needs?
While the common perception may seem contrary, cybersecurity is actually very simple. The goal of cybersecurity is to ensure that whatever you build works as intended…and only as intended.
That last bit requires that the definition of a project that is “finished” must include testing that ensures the code can’t be forced into producing an unexpected output. This includes making sure the infrastructure on a container that is deployed is stable and behaves as expected, without unmitigated vulnerabilities.
With this in mind, the process of securing containers becomes continuous. It becomes an integrated part of the development pipeline — not a never-ending, painstaking process.
It should be integrated — like other tests and quality controls — into your development process, automated to remove the number of manual touchpoints, and extended into the maintenance and operation of the underlying infrastructure.
Container security concerns broadly relate to:
- The security of the container host
- Container network traffic
- The security of your application within the container
- Malicious behavior within your microservices
- The integrity of the build pipeline
- Securing your container management stack
- The foundation layers of your application
- Possible vulnerabilities in the platform and dependencies used by microservices
To feasibly manage all of this without impacting dev teams, security operations teams need to reduce the security overhead, quickly detect and remediate issues, and bring visibility across multiple cloud environments without adding too much friction to the current pipelines.
How to secure containers
For simplicity, let’s consider an “outside-in” approach to securing containers.
1. Secure the container host
- Select a container-focused operating system to host your containers. This helps reduce the overall attack surface by removing any services that aren’t required to host your container workloads.
- Add monitoring tools to keep an eye on the health of the hosts.
- Use a strong set of security controls, like an intrusion protection system (IPS), to monitor and protect the shared resources on the host. An IPS will check each network packet for malicious or malformed content to prevent a potential attack or a Denial-of-Service (DoS) due to all the containers running on that host or node.
- Include a Runtime Protection security layer on physical or virtual machines to protect the operating system and/or container engines used in hosts. This can help protect against malware and vulnerabilities, as well as ease the audit process using features like file integrity monitoring, log inspection, and application control.
For example, these are a few vulnerabilities associated with Kubernetes. These are mostly associated with recurrent issues in Kubernetes API’s that could go unnoticed.
2. Secure the networking environment
- Monitor traffic moving north-south, to and from the internet, with controls like an IPS or RASP (Runtime Application Self-Protection) to stop attacks and filter malicious content.
- Deploy an IPS to monitor east-west, inner-container, traffic. After attackers gain a foothold in a network, they look to move laterally to expand their reach. Monitoring internal traffic is a critical aspect of a defense in-depth strategy.
3. Secure your management stack
- Ensure that your container registry is properly secured and monitored. Automated scanning can ensure each container meets security baselines and can check for known vulnerabilities, malware, and any exposed secrets before it goes to the registry.
- Lockdown your Kubernetes installation and take advantage of features like Pod and network policies to enforce your security and development standards.
4. Build on a secure foundation
- Make sure to review and watch for updates from the project teams regarding any dependencies used in your applications. When they patch their software, you’ll need to integrate patches as well to reduce the risk to your application.
- Use a container image scanner to check for malware, known vulnerabilities, exposed secrets, as well as sweep for custom indicators of compromise (IoCs). This allows you to mitigate any risk before developing further or deploying to production.
- Integrate the container image scanning with the registries to review all the container images that are being used by your organization.
5. Secure your build pipeline
- Prevent malware using strong endpoint controls on developer workstations and to protect against other attacks common with cybercriminals.
- Ensure only authorized users can access code repositories, integrate branches, and trigger builds that are pushed to production using a thorough and consistent access control scheme. This is a critical step to safeguarding the integrity of your pipeline.
- Remember that the servers running these tools also need to be secured. Seek out a tool with strong security controls and minimal overhead to help meet your security goals.
6. Secure your application
- Focus on code quality by making sure all code follows best practices. Most security vulnerabilities are a result of simple mistakes or poor design choices. Simple adjustments upfront will pay security dividends.
- Use RASP controls to help connect the dots between security vulnerabilities and issues in specific lines of code. This helps close the gap during root cause analysis and leads to better overall security outcomes.
- Check for possible vulnerabilities in the platform and in dependencies used by your applications.
Organizations need to be able to deliver security agility to DevOps through guided principles and frameworks that drive continuous security and compliance for their cloud infrastructure choices. The stability of a container environment depends on it.
Significant benefits can be realized from adopting container technology, but as with any new technology adoption, a strong security plan is a must. Using an “outside-in” strategy helps create a step-by-step plan to automate the security of your containers and the build pipeline that creates them.
Applying these recommendations from the beginning will prove highly beneficial in the future of your applications.
I did a session at CloudSec 2020 on November 25th based on this article. If you would like to see the recorded session here is the LINK