Containers / DevOps / Security / Contributed

Accelerating DevOps with Advanced Container Security

31 Dec 2019 10:00am, by

Lior Cohen
Lior Cohen is Senior Director of Products and Solutions for Cloud Security at Fortinet. He has over 20 years of experience working in the information security, data center network and cloud computing spaces. Lior serves as Fortinet’s lead for cloud security solutions with a focus on securing enterprise public cloud-based deployments and private cloud build-outs. Lior previously held a variety of vendor and customer side positions in the cloud security space, including cloud solutions architect, information security consultant and subject matter expert for SDN, virtualization and cloud networking for leading industry vendors.

DevOps teams are increasingly required to support containers as software developers leverage containers to accelerate development. However, implementing an effective security strategy for container-based environments can often get in the way. When you’re developing applications at market speed, the time it takes to address every possible security issue and then manually reconfigure security measures can slow development processes to a crawl.

According to a recent Container Adoption Benchmark Survey, 71% of respondents indicate that they have deployed containers on virtual machines, 35% have deployed them on a public cloud, and 34% have deployed containers on a private cloud. And due to the rising costs associated with licensing fees, nearly half (44%) of respondents also reported plans to replace some or all of their virtual machines with containers.

However, while the rush to embrace container technology accelerates, serious security threats persist — whether from external attacks such as malware, phishing, and social engineering, or due to internal issues related to the misdelivery or misconfiguration of security services.

Another part of the problem is that catching vulnerabilities is a challenge. According to the recent 2019 State of DevOps Security Report, only 14% of organizations have enabled full visibility into their DevOps environment from their security operations center (SOC). And at the same time, 92% of organizations have seen at least one vulnerability slip into production in the past 12 months, with the typical organization experiencing three to five vulnerabilities in production.

DevOps Teams Need Solutions Designed for Container Environments

That’s why DevOps teams need security solutions and strategies that build upon the advantages of containers and that can work seamlessly within the new microservices paradigm. Any container security strategy needs to include four key elements:

  • Native integration with the cloud platform,
  • A full set of protections designed for the unique requirements of a container environment,
  • Seamless integration with those same security elements deployed elsewhere throughout the distributed network,
  • A unified management and orchestration system to ensure consistent protections while eliminating security gaps between different platforms.

Container security solutions not only need to address the expanding attack surface of today’s distributed networks, but also enable security to be integrated directly into the container application life cycle, allowing organizations to deliver more secure applications at digital business speeds.

Solutions Need to Address the Four Key Attributes of Container Security

Most container security solutions are simply not designed for the unique requirements of the container environment. An effective container security solution must be able to address the following four key attributes:

Container aware security — For true container-aware security, security solutions need to directly interface with container orchestration systems. This allows them to leverage namespaces, labels and other metadata as security policy objects. It also requires securing the container environment itself. This can be achieved with a virtual perimeter Next-Generation Firewall (NGFW) that can communicate with the container management layer and learn addresses based on metadata of different containers. When traffic then leaves the boundaries of a containerized environment, the label-aware NGFW can enforce policy based on the role of the container. This use of labels ensures that policies are consistently enforced even when containers are moved or reconfigured.

Container-enabled security — Container-enabled security needs to protect business-critical web applications and APIs from attacks that target known and unknown vulnerabilities. Bundling a web application firewall and API-based security microservices into an application chain, combined with Machine Learning to mitigate false positives and accelerate the fine-tuning of policies, allows developers to define security controls alongside their application development life cycle and ensure port application security along with other application services throughout the application life cycle.

Individual application services can then be programmed to make calls to the security container to apply specific security functions. This helps maintain the flexibility and portability of container-based application development because individual application segments can be updated or exchanged without impacting the security of the rest of the application, even when ported across environments.

Container-integrated security — Corrupt or malicious data in a base container image, or that is injected into a container through a compromise, can expose an organization to risk. Examples include the recent rise of cryptomining malware designed to operate inside container environments. Container-integrated security requires an integrated and automated solution that supports continuous cloud security, as well as the ability to orchestrate network security policy for things like Kubernetes leveraging various network service meshes such as Istio or Envoy.

To ensure that a container-based application’s traffic flow is properly inspected, traffic flow between services must be made visible and enforceable to security-processing services. These services can be container-based, or even network-based (residing outside of the container infrastructure); however, they must interact with the container orchestration layer. Some of these technologies will be Kubernetes, Mesos, and Swarm at the control layer, or Istio, LinkerD, or Consul at the service mesh layer to secure east-west traffic moving between containers.

Container registry security — Container images are often stored in public repositories known as registries, and there are generally few restrictions on publishing new container images to them. As a result, container images can be intentionally or mistakenly seeded with malicious code that is then “pulled” from the registry by application developers and bundle into an application chain. To mitigate the risks associated with these agile development methodologies, organizations need to deploy advanced threat protection solutions (ATP), such as sandboxing, to dynamically inspect and identify compromised or infected images, including previously unknown threats. To function properly, however, such solutions need to support application programming interfaces (APIs) and integration capabilities.

Addressing Container Security Issues Cannot Happen in Isolation

The high demand for ongoing, iterative application development is pushing DevOps teams to adopt container-based infrastructure management methodologies, allowing the development process to become more modular and streamlined. Unfortunately, traditional security solutions are unable to provide the protections for such environments that developers require.

DevOps teams need to be able to weave security, such as network firewalls, web applications firewalls and sandboxing, into their container environment without sacrificing either development flexibility or application performance. In addition, these tools cannot operate in isolation. Single source visibility and control need to extend into every corner of today’s distributed networks — even into containers — to ensure consistent policy orchestration, analysis, and enforcement. This means that security solutions selected to secure your container environment also need to interoperate with security deployed elsewhere across your network.

Feature image by Andrew Martin from Pixabay.

A newsletter digest of the week’s most important stories & analyses.