Containers and Cloud, a Horse and Carriage

By on Dec 11, 2019


The ability to bring new value to the marketplace fast is vital for enterprises to capture market opportunities. This has led developers to move to containers to accelerate application deployment. Containers enable enterprises to develop and bring applications to production faster. However, this faster development can lead to security concerns.

Gartner mentions that by 2025 nearly all (99%) of cloud security failures will be the customer's fault (vs. the cloud provider's), with the primary cause being misconfigurations. As developers develop at a faster pace, these configuration issues are bound to multiply and cause issues in an organization.

Cloud Security Posture Management (CSPM) helps audit the configuration in these environments to identify any security issues. The audit is done both before the applications are deployed in the infrastructure and periodically afterwards, to identify any drift in configuration that may be risky. It then helps enterprises address these issues.

CSPM for Containers
To provide an effective audit of container configuration we need to look at the container ecosystem holistically. The ecosystem consists of users, such as cloud administrators and developers, and the following entities:

  • Storage containers use:
      • Image registries (ECR/GCR)
      • File storage (S3/Cloud Storage)
  • Host (node) and runtime (Docker/containerd)
  • Business logic (EKS/GKE) and supporting containers (sidecars and daemon sets)
  • Gateways to clusters (Istio Gateway, load balancer)
  • Control plane:
      • Orchestration (k8s)
      • Traffic management (Istio)

A comprehensive CSPM strategy for containers needs to look at the complete stack of containers. It needs to look at the hosts the containers run on, the orchestration system distributing the containers, and the storage systems the containers have access to.
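
The pre-deployment audit and periodic drift check described above can be sketched as follows. This is an added example, not code from the original post or from any product; the rule set, the pod specs and the `registry.example.com` image names are constructed for illustration.

```python
import copy

# Each rule: (id, description, predicate that is True when the setting is risky).
RULES = [
    ("privileged", "container runs privileged",
     lambda c, pod: c.get("securityContext", {}).get("privileged") is True),
    ("run-as-root", "runAsNonRoot is not enforced",
     lambda c, pod: not c.get("securityContext", {}).get("runAsNonRoot", False)),
    ("mutable-tag", "image uses :latest or has no tag",
     lambda c, pod: ":" not in c["image"].rsplit("/", 1)[-1]
     or c["image"].endswith(":latest")),
    ("host-network", "pod shares the host network namespace",
     lambda c, pod: pod.get("hostNetwork") is True),
]

def audit(pod_spec):
    """Return the set of (container name, rule id) findings for one pod spec."""
    findings = set()
    for c in pod_spec.get("containers", []):
        for rule_id, _desc, risky in RULES:
            if risky(c, pod_spec):
                findings.add((c["name"], rule_id))
    return findings

def drift(baseline_spec, live_spec):
    """Findings in the live config that the approved baseline did not have."""
    return sorted(audit(live_spec) - audit(baseline_spec))

# Constructed baseline: the spec as reviewed at build time.
BASELINE = {
    "hostNetwork": False,
    "containers": [
        {"name": "api", "image": "registry.example.com/shop/api:1.4.2",
         "securityContext": {"runAsNonRoot": True, "privileged": False}},
        {"name": "proxy-sidecar", "image": "registry.example.com/mesh/proxy:latest",
         "securityContext": {"runAsNonRoot": True}},
    ],
}

# Constructed live snapshot: someone later enabled privileged mode and host networking.
LIVE = copy.deepcopy(BASELINE)
LIVE["hostNetwork"] = True
LIVE["containers"][0]["securityContext"]["privileged"] = True

if __name__ == "__main__":
    print("pre-deploy findings:", sorted(audit(BASELINE)))
    print("drift since baseline:", drift(BASELINE, LIVE))
```

The pre-deploy pass reports what was already risky in the reviewed spec, while the drift pass isolates only what changed afterwards, which is the part a periodic scan needs to surface.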

MVISION Cloud for Container Security (MCC) 

With container security integrated into the MVISION Cloud portfolio, an enterprise can now get integrated dashboard visibility into the complete container stack. This enables use cases like:

  • Ability to do config scanning for ECS/EKS/GKE and other container environments (both k8s and runtime)
  • Ability to shift config scans left, running them not just in production environments but all the way back to build
  • Ability to scan the hosts these containers run on and identify nodes/VMs that have weak configuration or permissive security groups
  • Ability to identify the storage buckets the containers have access to and check permissions on those buckets
  • Ability to run a DLP scan on buckets the containers have access to that are open to the internet. This helps identify any sensitive data that may have been put at risk

In summary, integrating the NanoSec product with the MVISION Cloud portfolio has led to a comprehensive, unified cloud security platform. The integrated product will provide not only CSPM but also scanning of container images for vulnerabilities, broader integration in CI/CD pipelines, and deep runtime security.

Join us for a Webinar to learn more about MVISION Cloud for Container Security on December 12th

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.
