5 Areas of Security for Successful Container Implementation
The following article is an excerpt from our most recent whitepaper - 5 Areas to Secure Containers in the Cloud
Introduction
Container implementation has revolutionized enterprise architecture, in a way unheard of in the past two decades. CIOs now have access to a dazzling array of technologies which can be used to drive digital transformation – but with container options come new challenges related to security. How can CIOs maintain development velocity without making their organization vulnerable to attack?
The shift to the cloud has allowed companies to expand rapidly and container technology is providing a solid framework for innovation. New ways of ensuring security must be found to enable enterprises to continue development of modern digital applications.
To that end, Red Hat, IBM, AWS, Microsoft, and Google have created full suites of container-enabled products. Simultaneously, versions of popular projects like Docker and Kubernetes are being presented by commercial vendors and open source communities to provide a framework for PaaS cloud solutions.
DevOps is delivering new ways to package and deploy applications, and tools like Ansible, Terraform, Jenkins and Git are being implemented to great agile workspaces and build sophisticated CI/CD development pipelines.
The issue, then, is the burgeoning need for blueprints that can guide reference architecture and compliance during the development and deployment of platform as a service (PaaS) solutions. PaaS is growing much more quickly than its predecessor, infrastructure as a service (IaaS), and digital velocity is rising exponentially. One of the top concerns of over 90% of IT security professionals is what to do about container security, and six out of ten IT pros say they’ve encountered container security incidents in the past 12 months.
A comprehensive approach is needed to tackle the issue of container security from five separate angles at once. When equipped with the right set of planning and configuration tools, IT professionals can have peace of mind knowing their environments are secure.
Identity and Access Management (IAM)
Lax identity and access management controls are the cause of most modern high profile data security breaches. Most IT organizations can’t successfully implement the complex protocols demanded by granular IAM. Fortunately, CIOs can help mitigate risks and integrate with cost effective cloud service to effectively protect passwords and permissions from exploitation by malicious attackers or grudge-holding employees.
Securing Outside Container Content
Portability (and the associated ability to create and share microservices) is one aspect that makes containers so attractive. Software sharing and running software content via containers drives developer productivity, enabling them to deliver multiple new features to users in swift succession. However, the unrestricted access granted by public repositories such as DockerHub and GitHub poses a serious issue. With tools like Google Trusted Registry, Red Hat Quay, and Docker Enterprise Edition, private container registration is an option, and higher security is enabled.
Building Secure Container Content
Raw developer code is another area for concern. Existing containers and software libraries developers use to compile code can be scanned against common vulnerability databases, but actual, original application code must also be protected, especially if it will be packaged and deployed widely. Docker-based container images are immutable, making them impossible to edit by attackers. Combine that with code security scanning and real-time scanning tools integrated into a robust CI/CD pipeline, and you can rest assured all code is checked in advance of packaging and deployment.
Securing Container Runtimes
Once external and internal content is secure, the question of runtime arises. Full adoption of microservices in a high velocity development environment means the potential number of containers and versions available will be massive – increasing the risk that unauthorized container versions may find their way into the production environment. Modern hybrid and public cloud tools offer container runtime authorization tools that can ensure that only the authorized containers are allowed to execute within the runtime environment.
Securing The Orchestration Environment
A secure orchestration environment ensures that code runs at the right level of privilege. If actual applications run with too liberal of permissions, the resulting security impairment can allow attackers to compromise a system and gain immediate, disastrous access to and power over internal resources. Kubernetes Role Based Access (RBAC) controls execute Pods of containers, and can allow administrators to set permissions at the pod level and integrate additional authentication tools like LDAP, OAuth and X.509 certificates. This puts the CIO squarely in control of the orchestration environment.
Conclusion
CIOs who appropriately layer container security on top of their existing corporate security infrastructure create a subset of information security, that can also protect the container network and enable network and host vulnerability scanning.
Securing container infrastructure in the enterprise may sound difficult, but in the end robust container protection can be readily accomplished when security is a priority from the beginning. CIOs must practice awareness and control - tightly restricting access, ruthlessly hunting down vulnerabilities, and taking advantage of third-party software to create a comprehensive container security strategy.
To read our full white paper, visit http://www.stonedoorgroup.com/download-white-paper-container-security
About the Author
Mike McDonough is Principal Cloud Architect for Stone Door Group, a cloud and DevOps consulting company and team lead for the Cloud Container Security Optimization Accelerator℠ solution. This offering provides CIOs with a comprehensive security blueprint for deploying containers and orchestration in the digital enterprise. To learn more, drop us an email at letsdothis@stonedoorgroup.com
To read our full white paper, visit http://www.stonedoorgroup.com/download-white-paper-container-security