What are the challenges of Container Security?

Containers live in an ecosystem: containers are not deployed standalone within an enterprise. Container workloads are deployed as part of an architecture that may include public clouds (AWS, GCP, Azure), private clouds (VMware) and hybrid clouds, integrated with traditional workloads made up of servers and VMs and with serverless components on the compute side. These enterprises may also be using IaaS and PaaS services such as S3 buckets or RDS. Container workloads therefore need to be secured as part of an enterprise ecosystem, not in isolation.

Containers are ephemeral: Container lifecycles are often measured in seconds, but there is also a high degree of variability that makes generalizations difficult. Security teams need to account for the security and integrity of containers that may only be online for a few seconds, and others that may be online for weeks.

Containers are built and deployed in CI/CD DevOps pipelines. Container workloads tend to be developer-led. The challenge for security is to empower developers to produce applications that are BornSecure, without inserting manual gates that slow the pipeline down.

What is MVISION Cloud for Container Security?

What are the three pillars of MVISION Cloud for Container Security?

  • Cloud Security Posture Management (CSPM)
  • Vulnerability Scanning for Containers
  • NanoSegmentation

CSPM for Containers
MVISION Cloud can provide CIS benchmark scans and other best-practice evaluations for container runtimes, orchestration systems (such as Kubernetes), IaaS infrastructure running container workloads, storage configurations, network configurations, IAM settings and roles, etc. This helps:

  • Ensure that the environment’s configuration is not a source of risk (CSPM)
  • Ensure that the configuration of the environment does not drift over time, exposing unintentional risk
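As an added illustration of what a CSPM check and a drift check look like in practice (example code written for this page, not MVISION Cloud's own scanner), the block below evaluates a Kubernetes Pod spec against a handful of CIS Kubernetes Benchmark / Pod Security style recommendations (no host namespaces, no privileged containers, run as non-root, no privilege escalation, read-only root filesystem, drop all capabilities, pin images by digest) and then fingerprints the approved spec so a later run can tell whether it has drifted. The two Pod documents are constructed samples in the shape `kubectl get pod -o json` returns; the image name and registry are placeholders.

```python
"""Minimal CSPM-style checker for Kubernetes Pod specs plus a drift check.
Added example, not MVISION Cloud code. Checks are modelled on well-known CIS
Kubernetes Benchmark / Pod Security recommendations; Pod data is constructed."""
import copy
import hashlib
import json

# Constructed sample: a Pod carrying several settings the benchmark advises against.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "billing", "namespace": "prod"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "app",
            "image": "registry.example.com/billing:latest",   # mutable tag
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed sample: the same workload with the recommended hardening applied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "billing", "namespace": "prod"},
    "spec": {
        "hostPID": False,
        "containers": [{
            "name": "app",
            "image": "registry.example.com/billing@sha256:" + "ab" * 32,  # placeholder digest
            "securityContext": {
                "privileged": False,
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def check_pod(pod):
    """Return a list of (check_id, message) findings for one Pod spec."""
    findings = []
    spec = pod.get("spec", {})
    name = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
    # Sharing a host namespace lets a container see or signal host processes.
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            findings.append((f"host-namespace:{key}", f"{name} shares the host {key[4:]} namespace"))
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        cname = f'{name}/{c["name"]}'
        if sc.get("privileged"):
            findings.append(("privileged", f"{cname} runs privileged"))
        if not sc.get("runAsNonRoot"):
            findings.append(("run-as-root", f"{cname} does not enforce runAsNonRoot"))
        # Kubernetes defaults allowPrivilegeEscalation to true when it is unset.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("priv-escalation", f"{cname} allows privilege escalation"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("writable-rootfs", f"{cname} has a writable root filesystem"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(("capabilities", f"{cname} does not drop all capabilities"))
        image = c.get("image", "")
        if "@sha256:" not in image:
            findings.append(("mutable-tag", f"{cname} uses mutable image reference {image}"))
    return findings


def fingerprint(pod):
    """Stable hash of the spec, stored at approval time and compared on each rescan."""
    canonical = json.dumps(pod["spec"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_drift(baseline_fingerprint, current_pod):
    """True when the running spec no longer matches the approved baseline."""
    return fingerprint(current_pod) != baseline_fingerprint


if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        for check_id, msg in check_pod(pod):
            print(f"[{check_id}] {msg}")
    approved = fingerprint(HARDENED_POD)
    drifted = copy.deepcopy(HARDENED_POD)
    drifted["spec"]["containers"][0]["securityContext"]["privileged"] = True
    print("drift detected:", detect_drift(approved, drifted))
```

Run in a pipeline, `check_pod` fails the build on the risky spec before it reaches a cluster; run periodically against live objects, `detect_drift` catches the case where someone flips `privileged` on a Pod that was clean when approved.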

Vulnerability Scanning for Containers

Containers lean heavily on third-party components: base images, OS packages, language runtimes and libraries. Every component of a container build must be evaluated for known or exploitable weaknesses.

Vulnerability scanning evaluates the components embedded in a container at build time and then rescans periodically, so that known risks are surfaced and mitigated before a malicious actor can use them to land in a container workload. The periodic rescan matters because new vulnerabilities are published against components that were already built into images now running in production.
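To make the build-time scan and the periodic rescan concrete, here is an added example (written for this page, not MVISION Cloud's scanner) that matches a package inventory extracted from an image against an advisory feed, using numeric version comparison, and then runs the same match against a later copy of the feed. The inventory, the versions and the advisory identifiers (`EX-0001`, `EX-0002`) are all constructed placeholders, not real advisories.

```python
"""Image vulnerability matching with a build-time scan and a later rescan.
Added example, not MVISION Cloud code. Inventory and advisory feed are
constructed; the advisory ids are placeholders, not real CVEs."""
from dataclasses import dataclass


def parse_version(v):
    """Split '1.2.10' into (1, 2, 10) so comparisons are numeric, not lexical
    ('1.2.10' < '1.2.9' as strings, which would hide a vulnerable install)."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Package:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    fixed_in: str    # first version that carries the fix
    severity: str


# Constructed inventory, as a scanner would extract it from an image's package db.
# The image digest and package versions are placeholders.
IMAGE_INVENTORY = {
    "registry.example.com/billing@sha256:" + "ab" * 32: [
        Package("openssl", "1.1.1"),
        Package("zlib", "1.2.11"),
        Package("curl", "7.64.0"),
    ],
}

# Constructed feed as it looked when the image was built: the only advisory
# affecting this image is already fixed in the installed curl version.
FEED_AT_BUILD = [
    Advisory("EX-0001", "curl", "7.64.0", "high"),
]

# The same feed after a new advisory is published some time later.
FEED_LATER = FEED_AT_BUILD + [
    Advisory("EX-0002", "zlib", "1.2.12", "critical"),
]


def scan(inventory, feed):
    """Return {image: [(advisory_id, package, installed, fixed_in, severity)]}.
    A package is affected when its installed version is older than fixed_in."""
    by_package = {}
    for adv in feed:
        by_package.setdefault(adv.package, []).append(adv)
    results = {}
    for image, packages in inventory.items():
        hits = []
        for pkg in packages:
            for adv in by_package.get(pkg.name, []):
                if parse_version(pkg.version) < parse_version(adv.fixed_in):
                    hits.append((adv.id, pkg.name, pkg.version, adv.fixed_in, adv.severity))
        results[image] = hits
    return results


def gate(results, block_on=("critical", "high")):
    """Pipeline gate: True (pass) only if no image has a finding at or above
    the blocking severities."""
    return all(not any(h[4] in block_on for h in hits) for hits in results.values())


if __name__ == "__main__":
    at_build = scan(IMAGE_INVENTORY, FEED_AT_BUILD)
    print("build-time findings:", at_build, "gate passes:", gate(at_build))
    later = scan(IMAGE_INVENTORY, FEED_LATER)
    print("rescan findings:", later, "gate passes:", gate(later))
```

The image passes the gate at build time and fails it on the rescan without a single byte of the image changing; that is the case a build-only scan misses, and why the scanner has to keep the image's inventory (or SBOM) and re-evaluate it as the feed moves.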



NanoSegmentation and Zero-Trust Network Protection

Discover inter-container communications and derive known-good configurations from them, so the behavior of complex and dynamic workloads can be secured:

  • Discover and monitor the behavior of network communications between container processes in a way that can deal with the ephemeral nature of containers, and not rely on external factors such as an IP address.
  • Detect abnormal communications and notify or block based on user preference.
  • Detect changes in communication patterns between versions of containers as the application evolves over time.
  • Leverage known good configurations as a way to secure workloads, as opposed to keeping up with known bad.
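The four bullets above describe one mechanism: learn the communication graph keyed by workload identity rather than IP, treat that graph as the allow-list, flag what falls outside it, and diff the graph between versions. The following added example (written for this page; MVISION Cloud's implementation is not published here) does exactly that over constructed flow records in the shape a node agent might export. The namespace/service names, IPs and ports are invented for illustration, and the rendered NetworkPolicy is a simplified ingress-only form that assumes workloads carry an `app` label and namespaces carry the standard `kubernetes.io/metadata.name` label.

```python
"""Learn a known-good communication graph by workload identity, flag anomalous
flows, diff the graph between application versions, and render the allow-set
as a Kubernetes NetworkPolicy. Added example, not MVISION Cloud code; all flow
records, names and addresses are constructed."""

# Constructed flow records. Pod IPs change on every restart (note the two
# different frontend IPs), so identity is taken from labels, never from address.
BASELINE_FLOWS = [
    {"src_ip": "10.0.1.5",  "src": "shop/frontend", "dst_ip": "10.0.2.9",  "dst": "shop/api", "port": 8080},
    {"src_ip": "10.0.2.9",  "src": "shop/api",      "dst_ip": "10.0.3.4",  "dst": "shop/db",  "port": 5432},
    {"src_ip": "10.0.1.17", "src": "shop/frontend", "dst_ip": "10.0.2.31", "dst": "shop/api", "port": 8080},
]

# Constructed flows from the next application version, which adds a cache tier.
V2_FLOWS = BASELINE_FLOWS + [
    {"src_ip": "10.0.2.40", "src": "shop/api", "dst_ip": "10.0.4.2", "dst": "shop/cache", "port": 6379},
]


def learn_policy(flows):
    """Build the allow-set {(src, dst, port)} from observed known-good traffic."""
    return {(f["src"], f["dst"], f["port"]) for f in flows}


def evaluate(flow, policy):
    """Classify a new flow: 'allow' if it matches a learned edge, else 'anomaly'.
    Only identity and port are consulted, so a new pod IP does not trip it."""
    return "allow" if (flow["src"], flow["dst"], flow["port"]) in policy else "anomaly"


def diff_policies(old, new):
    """Edges that appeared or disappeared between two versions of the app."""
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def to_network_policy(dst, policy):
    """Render the learned edges into one destination as a Kubernetes NetworkPolicy
    (ingress-only, selector app=<name>; a simplification for illustration)."""
    ns, name = dst.split("/")
    ingress = []
    for src, d, port in sorted(policy):
        if d != dst:
            continue
        src_ns, src_name = src.split("/")
        ingress.append({
            "from": [{
                "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": src_ns}},
                "podSelector": {"matchLabels": {"app": src_name}},
            }],
            "ports": [{"protocol": "TCP", "port": port}],
        })
    return {
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": f"allow-to-{name}", "namespace": ns},
        "spec": {
            "podSelector": {"matchLabels": {"app": name}},
            "policyTypes": ["Ingress"],
            "ingress": ingress,
        },
    }


if __name__ == "__main__":
    policy = learn_policy(BASELINE_FLOWS)
    # Same services, brand-new pod IP: allowed. Frontend reaching the database
    # directly, or api poking port 22 on frontend: anomalies worth an alert or block.
    probes = [
        {"src_ip": "10.0.2.77", "src": "shop/api",      "dst_ip": "10.0.3.9", "dst": "shop/db",       "port": 5432},
        {"src_ip": "10.0.1.5",  "src": "shop/frontend", "dst_ip": "10.0.3.4", "dst": "shop/db",       "port": 5432},
        {"src_ip": "10.0.2.9",  "src": "shop/api",      "dst_ip": "10.0.1.5", "dst": "shop/frontend", "port": 22},
    ]
    for p in probes:
        print(p["src"], "->", p["dst"], p["port"], evaluate(p, policy))
    print(diff_policies(policy, learn_policy(V2_FLOWS)))
    print(to_network_policy("shop/db", policy))
```

The "known good, not known bad" point from the last bullet is visible in `evaluate`: nothing about the probes is compared against a signature; anything not in the learned graph is an anomaly, which is what makes the approach hold up as pods come and go.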

What platforms are supported by MVISION Cloud for Containers?

MVISION Cloud for Containers supports AWS (ECS, EKS, Fargate on ECS, Fargate on EKS), GCP (GKE) and Azure (AKS) cloud infrastructure, along with orchestration systems including Kubernetes.

  • What is ECS: Amazon Elastic Container Service, AWS's own container orchestration service, using a proprietary scheduler that predates broad adoption of k8s
  • What is EKS: Amazon Elastic Kubernetes Service, AWS's managed Kubernetes (k8s) service
  • What is AKS: Azure Kubernetes Service, Microsoft Azure's managed Kubernetes (k8s) service
  • What is Kubernetes (k8s): Kubernetes is an open-source container orchestration system. It provides a platform for automating deployment, scaling, and operations of application containers across clusters of hosts

MVISION solution mapped to a container lifecycle

Security should not slow down developers or the adoption of cloud-friendly architectures such as containers. MVISION Cloud provides a single security platform that plugs into the tools developers already use to build and maintain their applications. Container security provides defense in depth by ensuring properly configured infrastructure and orchestration engines, evaluating the exploit risk of code embedded in containers, and supplying a flexible, software-defined way to certify known-good network behavior that keeps up with the fast-changing environment of container workloads across their lifecycle.

Shift Left: DevOps to DevSecOps

Containers are a very developer-centric type of workload. Given that developers get much more direct control over architecture and services in use, security teams need an asynchronous way to establish policy, evaluate deployments against best practices, and monitor the inevitable drift that occurs in any environment. With containers and microservice architectures, the number of variables and the pace of change has increased substantially from the formerly tightly controlled hardware or VM-based deployments. Container lifecycles are often measured in seconds, but there is also a high degree of variability that makes generalizations potentially dangerous. Security teams need to account for the security and integrity of containers that may only be online for a few seconds, and others that may be online for weeks continuously. MVISION Cloud for Containers offers BornSecure Containers that include:

  • Cloud Security Posture Management that scans the cloud environment continuously to detect risk from drift, integrated into the DevOps pipeline (Shift Left) so that the risk is resolved before it is deployed.
  • Vulnerability assessment of the components within the containers themselves, integrated into the DevOps pipeline (Shift Left), so that enterprises do not deploy code with known vulnerabilities. MVISION Cloud for Containers also rescans container artifacts periodically to detect when newly published vulnerabilities affect containers that have already been built and may be running in production.

Traditional DevOps processes: Traditionally, security is not taken into account or verified until after the applications are deployed to production environments.


Today, cloud-native applications require BornSecure Containers: Security is embedded in DevOps pipeline providing developers with security feedback as applications are built or as code is checked in.


Container Security 101 – A glossary of terms

AKS
Azure Kubernetes Service, Microsoft Azure's managed Kubernetes (k8s) service.

Anomaly
Something that deviates from what is standard, normal, or expected.

Build
Construction of something that has an observable and tangible result. Build is the process of converting source code files into standalone software artifact(s) that can be run on a computer.

CI/CD
Combined practices of continuous integration and continuous delivery.

CIS Benchmark
Best practices for the secure configuration of a target system including containers and Kubernetes. The benchmarks are developed by a non-profit called Center for Internet Security (CIS) through a consensus of cybersecurity experts.

Container
Standard unit of software that packages up code and all its dependencies, so the application runs quickly and reliably from one computing environment to another. A container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.

Container Registry
A repository for storing container images. A container image consists of many files, which encapsulate an application. Developers, testers and CI/CD systems need to use a registry to store images created during the application development process. Container images placed in the registry can be used in various phases of the development.

Container Runtime
Software that executes containers and manages container images on a node. e.g. Docker Engine.

DevOps
A set of practices that combines software development (Dev) and information technology operations (Ops) which aims to shorten the systems development life cycle and provide continuous delivery with high software quality.

DevSecOps
DevSecOps is the practice of integrating security practices within the DevOps process.

Docker
A company and the name of the tool they designed to make it easier to create, deploy, and run applications by using containers.

Drift
The accumulation of configuration changes or administrative actions over time that can introduce risk and deviations from the known good configuration.

EKS
Amazon Elastic Kubernetes Service, AWS's managed Kubernetes (k8s) service.

ECS
Amazon Elastic Container Service, AWS's own container orchestration service, using a proprietary scheduler that predates broad adoption of k8s.

Ephemeral
Property used to describe containers. Containers are typically short-lived, with lifetimes ranging from seconds to hours and occasionally weeks, and are routinely destroyed and replaced rather than patched in place, so they are said to be ephemeral.

Fingerprinting
The ability to track artifacts as well as behavior of the artifacts, letting users see what went into a build and how and where that build is being used.

Forensics
A postmortem analysis to understand and contain the impact of any security breach.

GKE
Google Kubernetes Engine, Google Cloud's managed Kubernetes (k8s) service.

Immutable
Property used to define containers. Individual containers don’t change across the lifecycle, once created.

k8s
Kubernetes is sometimes called k8s (K - eight characters - S).

Kubernetes (k8s)
An open-source container orchestration system. It provides a platform for automating deployment, scaling, and operations of application containers across clusters of hosts.

Microsegmentation
Microsegmentation software uses network virtualization technology to create highly granular security zones in data centers and cloud deployments, which isolate each individual workload and secure it separately.

Nanosegmentation
A flexible and fine-grained segmentation which is based on observed behavior.

Network Attack Surface
The attack surface is comprised of the totality of an environment that an attacker can attempt to exploit to carry out a successful attack, including all protocols, interfaces, deployed software and services.

Pipeline
A set of automated processes that allow developers and DevOps professionals to reliably and efficiently compile, build and deploy their code to their production compute platforms.

Privileges
The concept of only allowing users to do certain activities. For example, an ordinary user is typically prevented from changing operating system files, while a system administrator is typically permitted to do so.

Repository (repo)
A container image repository is a collection of related container images, usually providing different versions of the same application or service.

Shift Left
The integration of the security configuration and vulnerability checks into the DevOps pipeline. Security is introduced as code is checked or built as opposed to waiting for systems to be live. This brings security left of (before) the production environments, where security is traditionally done.

Virtual Machine (VM)
A virtual environment that functions as a virtual computer system with its own CPU, memory, network interface, and storage, created on a physical hardware system. Software called a hypervisor separates the machine’s resources from the hardware and distributes them appropriately so they can be used by the VM.

Workload
A discrete capability or amount of work you’d like to run on a cloud instance.

Zero-Trust
Never trust, always verify. Zero trust security means that no one is trusted by default, whether inside or outside the network, and verification is required from everyone and everything trying to gain access to resources on the network.