Containers are rapidly becoming one of the most important elements of modern software development, and as they grow in popularity, the need for container security grows in parallel. With their ability to rapidly develop, package, and apply code to build applications, containers are enabling a fast, agile approach to digital business. While they are the functional domain of software developers, their impact is felt by everyone who engages with these applications, both inside and outside of an organization. They are enabling an evolutionary shift away from development practices that have focused on on-premises environments, and that means they also have new security requirements and considerations.
Why is container security so important? Consider the changes that containers bring to modern IT environments — they offer a dynamic way to build, deploy, and iterate in a way that on-premises application development methodologies cannot keep pace with. That alone requires a specific type of security approach. But also consider that many of the world’s best-known brands have proven susceptible to container security breaches. Their advantages are well known, but their inherent risk factors must be addressed.
Clearly, establishing and managing effective container security is critical to maintaining the integrity of the container application process, and the experience of application users. The following use cases are relevant to almost all organizations that engage in container development, and they demonstrate both the need to implement effective container security, along with considerations for doing it effectively.
Tool Sprawl Consolidation
Security teams face an embarrassment of riches when it comes to choice of tools to combat container vulnerabilities. There are all manner of vendors with point products and niche solutions, and they all promise panaceas that will eliminate container-related threats. At issue, however, is that each tool creates configuration and management complexity, and because of the added work and distributed nature of these solutions, they actually increase the attack surface and threat exposure. Not exactly what a security team wants when it comes to making their containers more secure.
Most container security solutions address specific parts of the application development stack, including workloads, compute layer security, intrusion detection, encryption, data loss prevention, and even content governance. But they are not comprehensive in their approach, nor are most designed for the specific needs of containers.
Rather than applying a piece-meal approach, progressive security teams are opting for container security platforms that consolidate the security tool set and automate and simplify management of security operations. Applying a comprehensive, platform approach to container security enables security teams to monitor their container environments and analyze workload and account activity in real-time. This is a major change from point solutions because it allows organizations to deploy and scale without compromising security.
When using containers, security teams need to be able to trust that their infrastructure is secure as it scales. They need assurance that they can deploy services that are not compromising compliance or introducing new risk. This can only happen with new tools designed specifically for highly dynamic container environments, tools that provide continuous, real-time monitoring, analysis, and alerting. Ultimately, this creates a unified, and more secure, understanding of container activity, a reduction in notification noise, and because organizations can rely on a single platform, it also reduces IT costs.
Buildtime Threat Defense
With containers, the build stage is where application code is paired with runtime libraries so it can effectively, and rapidly, be deployed. This is where DevOps teams appreciate the “build once, deploy everywhere” sensibility that gives them flexibility to move quickly using code they can repurpose.
Clearly, a lot of critical activity is happening at the build time stage, and once an application is built, it gets deployed and then it’s “out there.” Thus, identifying security issues during the build time phase is essential to maintaining a healthy, secure environment for container activity. Doing so means that DevOps teams don’t need to backtrack or reverse engineer their work to discover where flaws in their code or development process might have resulted in threat potential.
It’s at this stage in the development lifecycle that changes to systems and resources can have an impact on outcomes, and if not identified early enough, they will likely operate, undetected, while they continue to do harm.
As such, it’s best to use solutions that identify vulnerabilities in your host OS, container images, and the containers themselves using real-time analytical data collected across your infrastructure. Misconfigurations in container provisioning could result in a larger, more vulnerable surface area or allow untrusted access to trusted resources. Resources like the CIS Benchmark provide prescriptive security guidance for most operating systems and many applications including Docker and Kubernetes. Incorporate benchmarks like these together with threat intelligence feeds as data source inputs for your vulnerability scanning.
The potential for threats in a rules-based system are also hard to identify during build time because the rules that a container was built with are apt to change over time. Consider a use case like access control — a container may be built to provide access to certain types of users, but over time, the definition of those users, or the groups those users belong to will likely change. This could lead to access being inadvertently overly-permissioned, but DevOps teams are not required to account for that, and this is what ultimately leads to risk.
The only proven way to address continuous change is through automated anomaly detection, in which you will always be notified of events in your environment that are operating in an abnormal fashion. This type of detection uses machine learning to identify activity based on behaviors, not rules. In other words, rather than applying “if/then” statements, which can easily be bypassed through impersonation or other legitimate-looking activity, an effective container security platform will alert when, based on aggregated activity data, behaviors are identified that are beyond the scope of normalcy.
This type of solution improves the buildtime part of the development lifecycle by providing responsive development approaches that allow DevOps teams to move quickly without having to build separate security protocols or processes in parallel.
Runtime Threat Defense
DevOps teams need buildtime insight that helps them identify vulnerabilities across the entire scope of their cloud and containerized environments. This includes identifying security and compliance issues with serverless resources, applications, networks, file systems, APIs, processes, and other elements that could increase the threat vector of their infrastructure. With an emphasis on events happening at runtime, DevOps becomes an active participant in identifying issues before they spread within their cloud or container environment.
Security solutions have historically relied on signatures, or rule-based approaches, but rules are manually managed within the container environment and are not equipped to recognize new attack profiles. To reduce false-positive rates, the rules are often written for very well-defined threat scenarios, limiting their effectiveness in production environments.
Modern container security solutions use a different approach to anomaly detection. Without any impact to the user experience, these container security approaches collect high fidelity process, network, file, and user data to form a base model of normal infrastructure behavior. Analytics and machine learning can be applied to detect anomalies that indicate threats in real-time, and because anomalies are based on behavioral intelligence rather than rules-related issues, there is far less alert noise that might serve to distract the continuous delivery cycle.
Effective runtime threat defense enables DevOps teams to move fast and unimpeded while they push code, which gives them more time to focus on development rather than fixing issues after an application has been deployed.
Mergers & Acquisitions
Business teams looking to increase enterprise value will often develop a strategy based on mergers and acquisitions (M&A). It can be an effective path to business growth, but security risk is a major factor in M&A because new risks are exposed as companies share data through their applications. With the impact of data privacy regulations and mandatory breach disclosure laws, exposure to container application security issues has the potential to significantly impact post-merger valuations. Before committing a potential acquisition, business teams must factor in the cost of cyber risk as part of their deal strategy. This includes identifying how they can consolidate and integrate security technology across their combined assets in a post-merger environment.
The solutions that business teams will want to employ will be those that simplify the security experience, but are comprehensive and capable of identifying and alerting to actual security issues. This demands continuous monitoring, the ability to identify new resources as they come online, and an interface that pulls together reporting from across the environment into a single view.
With an effective security solution in place, the M&A process can move quickly through the various required logistical steps and can set the stage for rapid consolidation. Having the right security foundation also ensures that future integrations and connectivity among applications will adhere to a single, comprehensive system even as it shifts and grows.
Using a multi-cloud approach gives enterprises the ability to build and deploy workloads across multiple cloud platforms. This not only introduces more flexibility into their environment, but also gives users cost leverage and the advantage of avoiding vendor lock-in.
The challenge for security teams is that the complexity of a multi-cloud approach is that it can broaden the attack surface and the risk of threats across the organization’s environment. Operating these different clouds in a cohesive way is a challenge, especially when it comes to compliance. Ensuring comprehensive coverage demands an approach that is optimized for the unique needs of compliance so that organizations can ensure adherence to necessary guidelines and frameworks.
Compliance in container and multi-cloud environments must be precise and operate in real-time. A solution must perform continuous configuration audits and present insights through a unified management interface. This ensures that coverage occurs throughout all resources and applications that containers are touching, and it enables rapid remediation, both of which are critical to operating workloads and container development in a secure manner.
No manner of security can be effective if it isn’t embedded into every aspect of an organization’s operational lifecycle. As we have seen, organizations need to consider implementing a simple foundation by reducing unnecessary tools and resources, and then ensure they are identifying and alerting on security issues during the various development and deployment phases of the container lifecycle. As organizations grow through mergers and acquisitions, and as they add layers of complexity through the use of multiple cloud services, the security core must be established, but also be flexible enough to grow and scale with the needs of both security and business teams.
Lacework provides cloud and container security from build time to runtime, which reduces the potential threat surface, while enabling DevOps and security teams to achieve their goal without sacrificing speed. Our platform visualizes your containerized applications in real-time, providing a clear understanding of communications, launches and other cloud runtime behaviors.
We invite you to learn more with a platform demo to see how Lacework can support your container security needs.
Image by Cameron Venti on Unsplash.