What is a container? Why is it widely used?
Unlike traditional app architectures, which often divide an app into a few tiers (e.g., web, app, and database) and have a server or VM for each tier, container architectures often divide an app into many more components, each with a single well-defined function and typically running in its own container(s). In application container technologies, sets of containers that work together to compose an app are referred to as microservices.
Modern businesses adopt a “microservices” application architecture that requires container security.
With containers, multiple apps share the same OS kernel instance but are segregated from each other. There are two general categories of host OSs used for running containers – general-purpose OSs, like Red Hat Enterprise Linux, and container-specific OSs, like CoreOS Container Linux. Every host OS used for running containers has binaries that establish and maintain the environment for each container, also known as the container runtime. Business leaders choose containers for use cases such as the following:
- Agile development, where apps are frequently updated and deployed
- Environmental consistency and compartmentalization, where developers can have identical yet separate environments for building, testing, and running the app.
- ‘Scale out’ scenarios, where an app may need to have many new instances deployed or decommissioned quickly depending on the load at a given point in time
- Cloud-native apps, where developers can build for a microservices architecture
Container components are depicted below
Get Started with Container Security Assessment
At DockerCon 2021, Docker, Inc. CEO Scott Johnston said that they are addressing major security issues with software supply chains. Cybercriminals are using Docker containers to distribute malware because of the scale at which the platform operates. Overall, Docker, Inc. reports that 13 billion image pulls per month from nearly 8 million repositories residing on Docker Hub are being made by more than 13 million developers. During your discussions with clients, you’ll learn that they are in one of the three phases of adopting containers and application modernization listed below.
- Design & Prebuild
Be ready to compose a security assessment of their containers covering the 4Cs (Code, Container, Cluster and Cloud infrastructure). The objective and outcome of the assessment vary with the lifecycle phase: a customer in the design phase expects recommendations on selecting mandatory security controls, whereas a customer in the deployment and runtime phases requires you to discover potential vulnerabilities, threats and their compliance posture.
Organizations will continue to try to strike a balance between developer productivity and security. The challenge organizations face is finding a way to enable developers to implement security controls without slowing down the application development process, as responsibility for security continues to shift left toward developers. Performing a container security assessment provides visibility and helps customers address potential issues.
Capabilities and Technologies to Perform Container/K8s Security Assessments
Digital businesses require a lean team with talented expertise to conduct assessment services. The professional should have sound knowledge of cloud terminology, a deep understanding of IT security regulations and the business risk management process. CIS Benchmarks are an easy and effective standard to use when measuring the adequacy and effectiveness of container security control design and implementation. The professional should conduct interviews with the business stakeholders, developers and cloud architects to ensure that they are aware of the foundational security best practices required while building applications on containers.
Well-known product vendors also have solutions that can be leveraged for assessing container security posture. These include:
- Aqua Security
- Palo Alto Networks Prisma
- VMware Tanzu
- Azure Defender for Kubernetes
- Azure Defender for Containers
- kube-bench
The recommendations should guide customers toward a defined container security controls roadmap based on their risk appetite. They can begin by enforcing foundational security controls in containers such as:
- Node hardening
- K8s hardening
- Seccomp profiles
- SELinux profiles
- Layer 3 network segmentation
- Secrets management
They should then adopt additional security controls such as:
- Software policies and governance
- Software Composition Analysis
- MSA service authorization
- API gateway
- WAF
- Runtime vulnerability management
- Risk assessment
- Behavior-based controls
- Layer 7 network segmentation
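As an added example (not code from the original article or from any of the vendors listed above), a small Python check of a Kubernetes Pod manifest against several of the foundational controls just named: seccomp profile, host namespace isolation, privilege restriction and secrets handling. The Pod spec and the environment-variable name heuristic are constructed for illustration; the field names are the standard Kubernetes `securityContext` fields.

```python
# Assess a Pod manifest (given as a dict, e.g. parsed from YAML/JSON) against a
# handful of foundational controls. Returns findings as a list of strings.

SECRET_HINTS = ("PASSWORD", "TOKEN", "SECRET", "KEY")  # heuristic, constructed

# Constructed sample Pod (not from any real cluster), deliberately weak.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app", "image": "example/app:latest",
            "env": [{"name": "DB_PASSWORD", "value": "plaintext"}],
            "securityContext": {"privileged": True},
        }],
    },
}

def assess_pod(pod):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} shares the node namespace (weakens segmentation)")
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        # Simplification: container-level securityContext overrides pod-level.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile (set seccompProfile.type)")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not enforced")
        if "ALL" not in [d.upper() for d in sc.get("capabilities", {}).get("drop", [])]:
            findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        for env in c.get("env", []):
            if "value" in env and any(h in env["name"].upper() for h in SECRET_HINTS):
                findings.append(f"{name}: env {env['name']} holds a literal secret; use secretKeyRef")
    return findings

if __name__ == "__main__":
    print("\n".join(assess_pod(SAMPLE_POD)))
```

Feeding it the sample Pod yields eight findings; a Pod that sets the listed fields and sources `DB_PASSWORD` from a Secret yields none.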