Dive Brief:
- More businesses are using automated continuous integration and continuous delivery (CI/CD) practices and containers to facilitate software delivery, but the complex interplay of code and infrastructure is placing new demands on container security. Controls along the pipeline and DevSecOps architects can help secure these container systems from cyberthreats, according to Gartner.
- Growing maturity in the container domain has led to the proliferation of more security products. Many products and vendors are difficult for clients to choose between, offering similar controls, though more competition and lower prices have made it easier to take the plunge, according to the report. Some security controls cannot be bought and installed and must instead be programed in.
- A risk-based security approach helps businesses keep container architectures secure, according to Gartner, though companies still have to take care of foundational and basic security controls first.
Container security controls hierarchy
| Category (descending in importance) | Security controls |
|---|---|
| Foundational controls | Hardening, CIS and Kubernetes benchmarks, L3 network segmentation (such as IP access lists), secrets management, SELinux profiles |
| Basic controls | Software policies, image signing, authorization between services, API gateways, software composition analysis |
| Risk-based controls | Database and file-centric audit and protection, web application firewall, vulnerability management, behavior-based controls, L7 network segmentation |
SOURCE: Gartner
Dive Insight:
Containers are becoming an invaluable part of enterprise computing architectures, allowing businesses to virtualize operating systems and deliver code in portable packages. But any overarching systems that pulls from distinct environments, products and databases creates touchpoints that can be exploited for unwanted access.
More businesses need a "shift left" mentality to move security to the start of the development and build process and test for vulnerabilities earlier, according to Liz Rice, technology evangelist for Aqua Security. If there is a problem with one of the dependencies, a developer can be notified earlier instead of waiting until the end of development to fix it.
Rice reiterated the need for DevSecOps practices in securing container environments. This will require many organizations to adjust their culture and bring developers, security and operations together.
The most successful ways attackers breach production deployments is by exploiting known vulnerabilities in software packages, Rice said. Developers rely on many dependencies as they write code, and sometimes one of these pieces can be exploited.
What gets even more complicated in container environments is that a business could be running many more software instances. Distributed system and automation can take some of the control out of their hands, but proper security systems can help automate vulnerability detection.
In cloud environments, the modern approach is to break software into microservices, which offer an advantage in security because they provide an easily constructible profile of normal behavior for the specific service function. If the container begins performing outside of the normal profile of behavior, it can be easily flagged as a potential exploit.
Extending this screening across every container can help break security into composable parts, Rice said.
When many organizations were starting on containers two years ago, they had a lot of decisions to make and questions to answer before security could be addressed, Rice said. But with more business using managed versions such as Kubernetes, security needs to become a more upfront priority.
Kubernetes is more secure across the board today than it was back then, with measures such as role-based access controls improving access controls, according to Rice. There has also been more industry consolidation around best practices.
But no system is flawless. The first major Kubernetes flaw is was recently discovered, though a response and patches to the privilege escalation flaw were quickly doled out.
