Containers – are they really a serious threat to your IT security? That, at least, is what a lot of IT security people are trying to tell us. But if you apply the right tools in the right way, we believe it’s the exact opposite: because of their nature, containers can be kept under tighter control than any other type of computer application. So let’s first have a brief look at containers and then discuss how to deploy them securely.
Containers are one of several forms of virtualization in which hardware, operating systems and applications are decoupled from each other. In cloud computing, containers are handy because you can run them anywhere, provided the underlying operating system supports a container runtime – usually a Docker daemon or one of its alternatives.
Containers are very predictable, behaving in exactly the same way every time you run them. Whatever you change, whether it’s the hardware, drivers, operating system versions, patch levels, connections to other resources or anything else, this won’t block or alter what’s happening inside the containers when you want to run them again or in another environment.
That’s great news for software developers too. They can develop a containerized application on their laptop and if it works there, it will work anywhere. The same goes for cloud computing. If the container works on-premises, it will work in the cloud and you can move or scale it there. And if it works on cloud A, the standard portability feature of a container means that you can move it to cloud B, with the assurance that it will work there and give you exactly the same output.
This container immutability – the fact that they do not change over time – is one of the main reasons it’s relatively easy to control containers. For example, suppose you have a container with an application that is fully tested against your security checklist and approved by you. Any change to the contents of this container violates its immutability. This can be picked up by your security software, which then sends you an alert or automatically stops and quarantines the container. You don’t need to know what might have infected it or whether there is a serious vulnerability. The mere fact that the container’s contents have changed is sufficient to block it instantly. You can take the investigation from there.
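The drift check described above, as an added example that is not part of the original post or of any vendor’s product: a baseline manifest (path to SHA-256) is taken from the approved container’s root filesystem, and any later difference, whatever its cause, is reported as drift. It assumes the container filesystem is available as a directory (e.g. an exported or mounted rootfs); the sample rootfs and the tampering are constructed inline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict[str, str]:
    """Walk a container root filesystem and record sha256 per regular file.
    Symlinks are recorded by their target so a retargeted link also counts as drift."""
    manifest: dict[str, str] = {}
    root_path = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root_path).as_posix()
            if p.is_symlink():
                manifest[rel] = "symlink:" + os.readlink(p)
                continue
            if not p.is_file():
                continue  # devices, sockets etc. are not part of the image content
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def detect_drift(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare the approved baseline with a fresh manifest; any difference is drift."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def is_immutable(drift: dict[str, list[str]]) -> bool:
    """True only when nothing was added, removed or modified since approval."""
    return not any(drift.values())


def demo_drift() -> dict[str, list[str]]:
    """Constructed scenario: approve a tiny rootfs, then tamper with it after deployment."""
    with tempfile.TemporaryDirectory() as rootfs:
        (Path(rootfs) / "etc").mkdir()
        (Path(rootfs) / "etc" / "app.conf").write_text("listen=8080\n")
        (Path(rootfs) / "usr" / "bin").mkdir(parents=True)
        (Path(rootfs) / "usr" / "bin" / "app").write_bytes(b"\x7fELF-approved")
        baseline = build_manifest(rootfs)  # taken at approval time
        # Simulated post-deployment changes: a config edit and an unexpected new binary
        (Path(rootfs) / "etc" / "app.conf").write_text("listen=8080\nallow=*\n")
        (Path(rootfs) / "usr" / "bin" / "unexpected").write_bytes(b"\x7fELF-unexpected")
        return detect_drift(baseline, build_manifest(rootfs))
```

The report does not say what the change is, only that the approved contents changed, which is exactly the signal the platform acts on before any investigation starts.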
It’s important to provide tight security for your containers, especially the ones you’ve obtained online. Anything can run hidden inside a container – think of unnoticed Bitcoin mining on your resources – and cyber criminals could use containers as doorways into your entire environment. Uncovering any vulnerabilities present in your environments is a first step in the security chain. For automating more steps in this security chain, we recommend Aqua’s container security platform, although we work with any valuable alternative tool.
You need a security platform
A good container security platform detects vulnerabilities in several layers, such as the hardware, virtual servers, container orchestrator and inside the container too. It also monitors the immutability, as we mentioned, and compliance. So the platform checks everything against internal compliance rules (for example permitted origin) and against the CIS Controls. It then presents specific solutions for anything that violates these compliance rules.
Which brings us to another advantage of a container security platform: scanning application-level dependencies for vulnerabilities. A good container security platform will both check the licence compliance of all dependencies and detect potential vulnerabilities in them. These checks can be integrated into your existing CI/CD pipelines, so developers don’t have to wait for the application to be deployed in your production environment before finding any vulnerabilities. Essentially, it offers them a faster feedback loop.
Better code, faster
That’s why we recommend highlighting potential vulnerabilities while developing code and enforcing compliance control when testing the code. This helps to bring stable code to the production environment and avoids having to fix code at the last minute, right before a go-live. Although developers do their best to produce quality code, they cannot be aware of all the vulnerabilities. This approach helps because the software will show them specifically what is wrong and how it needs to be fixed. And it might actually improve the relationship between IT security and development teams.
A final benefit of using a container security platform is the level of visibility it gives you into the network communication of your containers. Aqua can visualize all container network connectivity and offers the option of reporting or even blocking unwanted chatter, whether to the outside world or within your container platform.
Visibility into your security
Ultimately, containers enable a security platform such as Aqua to give stakeholders visibility into the security level of your applications and their underlying infrastructure. Security teams can define what is acceptable and not, and platform and development teams can get specific guidelines on how to remediate any non-compliant elements. Don’t you just love containers?