Container security: How to get the most out of best practices


Containers are complex virtual entities that provide proven benefits to the business but also require strong security guidelines. Learn how to get the most out of container security best practices.

Image: Containers concept (Avigator Fortuner/Shutterstock)

Containers, best defined as an operating system virtualization instance that can run applications, microservices and processes, are a staple in the technology industry. Containers' flexibility and ease of deployment can help achieve faster deliverables and more robust environments.


"Containers have taken us further on the road of abstraction where developers have to think less about their infrastructure. Virtual machines abstracted away hardware resources—containers took that further by hiding the complexities of the operating system," said Ganesh Pai, CEO, Uptycs, a SQL-powered security analytics platform. "Containers provide robust application image management, runtime isolation, efficient scaling, resource pooling and they have become an integral part of modern microservices architecture."

Chris Ford, VP of product at cloud security and compliance provider Threat Stack, noted how quickly they've become standard fare. "Containers have rapidly moved from an emerging technology to an integral part of many organizations' cloud strategies. Gartner predicts that by 2022, 75% of organizations will be running containerized applications in production, up from less than 30% today. Why run applications in containers? Efficiency and development velocity are the objectives. Containers help organizations increase the pace of innovation, even as they optimize resource utilization."

As with everything in technology, however, there are security concerns. It was recently reported that 50% of misconfigured containers are hit by botnets in under an hour, and SecurityWeek revealed that attacks against container infrastructures are increasing, including supply chain attacks.

Container security companies seek to address specific challenges

"Traditional server workload protection technology was built for relatively static on-premises workloads, but is too heavyweight to work well on minimized, ephemeral container workloads," Pai said. "Also, developers working with containers are often using open-source software that may contain back doors and malware. Because newer continuous integration, continuous development workflows mean that software is updated, tested and deployed faster, it's advantageous for detection of malware and other vulnerabilities earlier in the process.

"Newer types of cloud workload protection platform tools address these issues as they are built to run either on container hosts or in containers themselves, and they can easily be incorporated into CI/CD pipelines for early detection. Additionally, threat actors are targeting CI/CD pipelines to inject malicious behavior into the supply chain. Observing and actioning telemetry through all stages of agile cloud workload deployments becomes critical for SecDevOps teams."


Ford discussed the challenges of container security. "Container security startups are looking to solve for some of the challenges that containers introduce: the increasingly automated nature of modern software development can exacerbate security issues quickly. Automation can cause misconfigurations, vulnerabilities and malware to become pervasive very quickly. Adding layers of abstraction in cloud infrastructure increases the threat surface, particularly when container orchestration (e.g., Kubernetes) is being used."

He said the challenge with these solutions is that they focus on a single layer of infrastructure, while workloads span a wide range of infrastructure types. This creates "tool sprawl."

"Security teams can find themselves overwhelmed by different tools that generate findings for multiple layers of infrastructure: virtual machines, containers, container orchestration, serverless," Ford said. "This tool sprawl can also hinder visibility into the increasingly sophisticated attacks that span multiple layers of cloud infrastructure."

The problems this generates: high operational costs, complexity, inefficient workflows, a siloed approach to security and compliance, limited risk visibility, fragmented policies and controls, inefficient risk prioritization and remediation, and siloed audit and compliance reporting.


Ford suggested: "Instead of continuing to bolt on additional tools to support new infrastructure types, like containers, security organizations should consider a singular platform-centric comprehensive approach to security and compliance. By expanding full stack observability within your entire cloud infrastructure, organizations have the ability to detect, assess and respond to risk holistically across disparate environments. Security teams and the solutions they use can help accelerate their business' adoption of modern technologies while also ensuring they can address new risks and support emerging regulations at scale."

Best practices to secure containers and microservices

Pai said the best way to secure these systems is to make security telemetry easier to manage and analyze.

"We believe it should be simple to analyze and ask questions about your entire environment and get fast insights by aggregating and analyzing telemetry from cloud workloads running in containers, its orchestration and cloud service providers," he said. "The problem that we're solving is getting all this telemetry in one place and in a normalized format so that you can apply data analytics for proactive security (audit and compliance) and reactive security (detection and response)."


Pai said to focus on telemetry-powered security, which normalizes telemetry from the container runtime (osquery), orchestration (kubequery) and cloud providers (cloudquery). This enables security practitioners to get answers to questions like "'What containers in my environment are running this known vulnerable package?' or 'Where else is this file hash appearing across my Kubernetes cluster?'"
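To make the "normalized telemetry, queried with SQL" idea concrete, here is an added example (not code from the article, Uptycs, osquery, kubequery or cloudquery): constructed runtime, orchestration and cloud-provider records are loaded into one SQLite database and the two questions above are answered with joins across the sources. Table and column names, container ids, hashes and the account number are all assumptions made up for illustration.

```python
import sqlite3

# Constructed sample telemetry, one table per source the article names: container
# runtime (osquery-style), orchestration (kubequery-style) and cloud provider
# (cloudquery-style). Schema and values are assumptions, not any real tool's output.
RUNTIME_PACKAGES = [  # (container_id, package, version) from the runtime
    ("c1", "openssl", "1.1.1k"), ("c2", "openssl", "3.0.2"),
    ("c3", "openssl", "1.1.1k"), ("c4", "curl", "7.79.1")]
RUNTIME_FILES = [  # (container_id, path, sha256) from the runtime; hashes are placeholders
    ("c1", "/tmp/run.sh", "aa11"), ("c3", "/opt/run.sh", "aa11"), ("c4", "/bin/ls", "bb22")]
K8S_CONTAINERS = [  # (container_id, pod, namespace, cluster) from orchestration
    ("c1", "web-1", "prod", "east"), ("c2", "web-2", "prod", "east"),
    ("c3", "batch-1", "jobs", "east"), ("c4", "batch-2", "jobs", "west")]
CLOUD_CLUSTERS = [  # (cluster, account, region) from the cloud provider; account is a placeholder
    ("east", "111111111111", "us-east-1"), ("west", "111111111111", "us-west-2")]


def build_db():
    """Load the normalized telemetry into one in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE packages(container_id, name, version);
        CREATE TABLE files(container_id, path, sha256);
        CREATE TABLE containers(container_id, pod, namespace, cluster);
        CREATE TABLE clusters(cluster, account, region);""")
    db.executemany("INSERT INTO packages VALUES (?,?,?)", RUNTIME_PACKAGES)
    db.executemany("INSERT INTO files VALUES (?,?,?)", RUNTIME_FILES)
    db.executemany("INSERT INTO containers VALUES (?,?,?,?)", K8S_CONTAINERS)
    db.executemany("INSERT INTO clusters VALUES (?,?,?)", CLOUD_CLUSTERS)
    return db


def containers_running(db, name, version):
    """Which containers run this known-vulnerable package, with pod and region context."""
    return db.execute("""
        SELECT c.pod, c.namespace, c.cluster, k.region
        FROM packages p JOIN containers c USING (container_id) JOIN clusters k USING (cluster)
        WHERE p.name = ? AND p.version = ?
        ORDER BY c.pod""", (name, version)).fetchall()


def hash_locations(db, sha256, cluster):
    """Where else does this file hash appear across one Kubernetes cluster."""
    return db.execute("""
        SELECT c.pod, c.namespace, f.path
        FROM files f JOIN containers c USING (container_id)
        WHERE f.sha256 = ? AND c.cluster = ?
        ORDER BY c.pod""", (sha256, cluster)).fetchall()
```

Because each source is keyed on the same container id, a runtime finding (a package version or file hash) is answered with the pod, namespace and cloud region that an incident responder actually needs; a hash present only in the other cluster correctly returns nothing.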

Ford said that newer companies tend to focus solely on containers, but it's important to look at their security posture more holistically.

"Otherwise, painting a picture of overall workload risk can be daunting," he said. "Disparate solutions generate disparate findings, and while a SIEM can be used to aggregate these findings, the goal should be to prioritize action for security teams, not add more to monitor. It's critical to have a single place to monitor containers, Fargate workloads, Kubernetes, virtual machines, applications and cloud provider APIs, thereby eliminating the need for multiple tools. The goal is to provide visibility into these workloads, surfacing risky user, file, network and process activity."

But, most critically, deploying containers quickly: "Companies running cloud-native infrastructure to accelerate innovation will not have to sacrifice speed for security. Threat Stack sensors, for instance, are deployed at speed and scale using cloud native tooling, ranging from popular configuration management tools to Kubernetes daemonsets and Helm charts," Ford said.

The future of container security

Container security can take a couple of different directions, depending on which approach and architectures are adopted, Pai said. "IT, software development and deployment models will lead the charge, and security paradigms will follow. Container runtimes will continue to evolve from Docker, Cri-o, Containerd, and they will likely be complemented by micro VM technologies such as AWS Firecracker and Google gVisor. Additionally, other serverless technologies such as Function-as-a-Service coupled with SaaS services will likely shape container security. No matter which approach prevails, there will always be telemetry for configuration, behavioral/usage path activity and flow logs. This telemetry will either be accessible directly from the runtime (container) or the service provider (API)."


Container security capabilities will be increasingly baked into the fabric of broader security solutions, Pai said. Ford said he believes that security measures will be increasingly automated.

"The scale of cloud-native infrastructure is outpacing security team capability to respond to incidents," Ford said. "Best-of-breed solutions will combine detection mechanisms (rules, machine learning) to identify the highest concentration of risk and will trigger automated remediation through a flexible integration framework and partner ecosystem."
