What are the challenges of Container Security?
Containers live in an ecosystem: containers are not deployed standalone within an enterprise. Container workloads are deployed as part of an architecture that may include public clouds (AWS, GCP, Azure), private clouds (VMware) and hybrid clouds integrated with traditional workloads of servers and VMs, alongside serverless components on the compute side. These enterprises may also use IaaS and PaaS services such as S3 buckets or RDS databases. Container workloads therefore need to be secured as part of the enterprise ecosystem, not in isolation.
Containers are ephemeral: container lifecycles are often measured in seconds, but there is also a high degree of variability that makes generalizations difficult. Security teams need to account for the security and integrity of containers that may be online for only a few seconds, and of others that stay online for weeks.
Containers are built and deployed in CI/CD DevOps pipelines: container workloads tend to be developer led. The challenge for security is to empower developers to produce applications that are BornSecure.
What is MVISION Cloud for Container Security?
NanoSegmentation and Zero-Trust Network Protection
Discover inter-container communications and use known-good configurations to secure the behavior of complex, dynamic workloads:
- Discover and monitor the behavior of network communications between container processes in a way that copes with the ephemeral nature of containers and does not rely on external factors such as an IP address.
- Detect abnormal communications and notify or block, according to user preference.
- Detect changes in communication patterns between versions of containers as the application evolves over time.
- Leverage known-good configurations as the way to secure workloads, rather than trying to keep up with known-bad patterns.
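The four points above describe one mechanism: an allowlist of communication edges keyed by workload identity rather than IP address, with anomalies handled by notify-or-block and version-to-version diffs of the learned pattern. The following is an added illustration written for this page, not MVISION code; the flow records, label names (`ns`, `app`) and IP addresses are constructed, and the sensor that would produce such records is assumed to exist.

```python
"""Identity-based nanosegmentation baseline (constructed example, not MVISION code).

Flow edges are keyed by workload identity derived from orchestrator labels
plus destination port, never by pod IP, so rescheduled pods with fresh IPs
still match the known-good configuration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# (source identity, destination identity, destination port)
Edge = Tuple[str, str, int]
Labels = Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class Flow:
    """One observed connection as a hypothetical sensor would report it."""
    src_ip: str
    src_labels: Labels
    dst_ip: str
    dst_labels: Labels
    dst_port: int


def identity(labels: Labels) -> str:
    """Stable workload identity from labels; the IP address is deliberately ignored."""
    d = dict(labels)
    return f"{d['ns']}/{d['app']}"


def edge_of(flow: Flow) -> Edge:
    return (identity(flow.src_labels), identity(flow.dst_labels), flow.dst_port)


def learn_baseline(known_good: List[Flow]) -> Set[Edge]:
    """Known-good configuration: every edge seen while the application ran as intended."""
    return {edge_of(f) for f in known_good}


def evaluate(baseline: Set[Edge], observed: List[Flow], mode: str = "notify") -> List[dict]:
    """Verdict per observed flow; mode 'notify' alerts on anomalies, 'block' denies them."""
    verdicts = []
    for f in observed:
        e = edge_of(f)
        if e in baseline:
            verdicts.append({"edge": e, "action": "allow"})
        else:
            verdicts.append({"edge": e, "action": "block" if mode == "block" else "alert"})
    return verdicts


def diff_versions(old: Set[Edge], new: Set[Edge]) -> Dict[str, Set[Edge]]:
    """Communication-pattern changes between two application versions."""
    return {"added": new - old, "removed": old - new}


# Constructed workloads and flows (sample data, not captured traffic).
WEB = (("ns", "shop"), ("app", "web"))
API = (("ns", "shop"), ("app", "api"))
DB = (("ns", "shop"), ("app", "db"))
CACHE = (("ns", "shop"), ("app", "cache"))

KNOWN_GOOD_V1 = [
    Flow("10.0.1.5", WEB, "10.0.2.9", API, 8080),
    Flow("10.0.2.9", API, "10.0.3.4", DB, 5432),
]

# Production traffic after pods were rescheduled: every IP has changed.
OBSERVED = [
    Flow("10.0.7.1", WEB, "10.0.8.2", API, 8080),  # same identity edge as v1 -> allow
    Flow("10.0.7.1", WEB, "10.0.9.3", DB, 5432),   # web reaching the database directly -> anomaly
]

# Version 2 of the application adds a cache tier.
KNOWN_GOOD_V2 = KNOWN_GOOD_V1 + [Flow("10.0.2.9", API, "10.0.4.4", CACHE, 6379)]


def demo() -> Tuple[List[dict], Dict[str, Set[Edge]]]:
    base = learn_baseline(KNOWN_GOOD_V1)
    verdicts = evaluate(base, OBSERVED, mode="block")
    changes = diff_versions(base, learn_baseline(KNOWN_GOOD_V2))
    return verdicts, changes


if __name__ == "__main__":
    print(demo())
```

The design point is that `identity` never reads `src_ip` or `dst_ip`; an IP-based rule would have to be rewritten every time the scheduler placed a pod somewhere new, whereas the label-derived edge survives rescheduling and still flags the web tier bypassing the API to reach the database.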
What platforms are supported by MVISION Cloud for Containers?
MVISION Cloud for Containers supports AWS (ECS, EKS, Fargate ECS, Fargate EKS), GCP (GKE) and Azure (AKS) cloud infrastructure, and orchestration systems including Kubernetes.
- What is ECS: Amazon Elastic Container Service, Amazon's container platform built on a proprietary orchestrator that predates broad adoption of Kubernetes (k8s)
- What is EKS: Amazon Elastic Kubernetes Service, Amazon's managed container platform based on k8s
- What is GKE: Google Kubernetes Engine, Google Cloud's managed container platform based on k8s
- What is AKS: Azure Kubernetes Service, Microsoft Azure's managed container platform based on k8s
- What is Kubernetes (k8s): Kubernetes is an open-source container orchestration system. It provides a platform for automating the deployment, scaling and operation of application containers across clusters of hosts
MVISION solution mapped to a container lifecycle
Security should not slow down developers or the adoption of cloud-friendly architectures such as containers. MVISION Cloud provides a security platform that integrates with the tools developers already use to build and maintain their applications. Container security provides defense in depth by ensuring properly configured infrastructure and orchestration engines, evaluating the exploit risk of code embedded in containers, and offering a flexible, software-defined way to certify known-good network behavior that keeps pace with the fast-changing environment of container workloads across their lifecycle.
Shift Left: DevOps to DevSecOps
Containers are a very developer-centric type of workload. Because developers get much more direct control over the architecture and the services in use, security teams need an asynchronous way to establish policy, evaluate deployments against best practices, and monitor the drift that inevitably occurs in any environment. With containers and microservice architectures, the number of variables and the pace of change have increased substantially compared with formerly tightly controlled hardware or VM-based deployments, and the wide range of container lifetimes, from seconds to weeks, makes generalizations potentially dangerous. MVISION Cloud for Containers offers BornSecure Containers that include:
- Cloud Security Posture Management (CSPM) that continuously scans the cloud environment to detect risk from configuration drift, integrated into the DevOps pipeline (shift left) so that the risk is resolved before it is deployed.
- Vulnerability assessment of the components within the containers themselves, integrated into the DevOps pipeline (shift left), to ensure that enterprises do not deploy code with known vulnerabilities. MVISION Cloud for Containers also periodically rescans container artifacts to detect when newly published vulnerabilities affect containers that have already been built and may be running in production.
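The second bullet has two halves that a pipeline must implement separately: a gate that refuses to ship an image with known vulnerable components, and a periodic rescan that re-evaluates images that passed the gate earlier against advisories published since. The following is an added illustration written for this page, not MVISION code; the image references, package versions and advisory identifiers (`ADV-0001`, `ADV-0002`) are constructed, and real scanners would consume an SBOM and a live advisory feed rather than inline lists.

```python
"""Shift-left gate plus periodic rescan of built images (constructed example, not MVISION code).

An image is represented by the package versions its SBOM lists; the advisory
feed is an inline, made-up list. The rescan reports findings that exist only
with the newer feed, i.e. images that were clean when built and are now affected.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (advisory_id, package, installed_version)


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted-version compare; sufficient for the constructed data below."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifiers, not real CVEs
    package: str
    fixed_in: str      # first version that is no longer affected


@dataclass
class Image:
    ref: str
    packages: Dict[str, str]   # package name -> installed version (from the SBOM)
    built_at: str


def scan(image: Image, feed: List[Advisory]) -> List[Finding]:
    """Every advisory whose package is installed below the fixed version."""
    hits: List[Finding] = []
    for adv in feed:
        installed = image.packages.get(adv.package)
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv.fixed_in):
            hits.append((adv.advisory_id, adv.package, installed))
    return hits


def pipeline_gate(image: Image, feed: List[Advisory]) -> bool:
    """Shift-left gate: True means the build may be pushed, False blocks it."""
    return not scan(image, feed)


def rescan(images: List[Image], old_feed: List[Advisory], new_feed: List[Advisory]) -> Dict[str, List[Finding]]:
    """Periodic rescan: findings that appear only with the new feed, keyed by image ref."""
    newly_affected: Dict[str, List[Finding]] = {}
    for img in images:
        diff = sorted(set(scan(img, new_feed)) - set(scan(img, old_feed)))
        if diff:
            newly_affected[img.ref] = diff
    return newly_affected


# Constructed advisory feeds: the state at build time and the state today.
FEED_AT_BUILD = [Advisory("ADV-0001", "zlib", "1.2.12")]
FEED_TODAY = FEED_AT_BUILD + [Advisory("ADV-0002", "curl", "7.88.0")]

# Constructed images that passed the gate at build time.
IMAGES = [
    Image("registry.example/shop/web:1.4", {"zlib": "1.2.13", "curl": "7.85.0"}, "2023-01-10"),
    Image("registry.example/shop/api:2.0", {"zlib": "1.2.13", "curl": "7.88.1"}, "2023-01-12"),
]


def demo() -> Tuple[List[bool], Dict[str, List[Finding]]]:
    gate_results = [pipeline_gate(img, FEED_AT_BUILD) for img in IMAGES]
    newly_affected = rescan(IMAGES, FEED_AT_BUILD, FEED_TODAY)
    return gate_results, newly_affected


if __name__ == "__main__":
    print(demo())
```

Both images pass the gate at build time, but the rescan against today's feed singles out the web image, whose curl is below the fixed version, while the api image stays clean. The diff against the old feed is what keeps the periodic job from re-alerting on findings that were already accepted at build time.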
Traditional DevOps processes: security is not taken into account or verified until after applications are deployed to production environments.
Today, cloud-native applications require BornSecure Containers: security is embedded in the DevOps pipeline, giving developers security feedback as applications are built or as code is checked in.