Close the Gap: Container Security Reduces Risk, Strengthens Ecosystem
Close the Gap: Container Security Reduces Risk, Strengthens Ecosystem
Containers and cloud are quickly evolving, often faster than the security that protects them.
Join the DZone community and get the full member experience.Join For Free
The current security discussion around DevOps encapsulates the duality of concern and optimism that will shape cloud infrastructure and application development for the foreseeable future. The use of containers is now predominant in application development, but container-specific security practices are just now getting the attention they deserve. A recent survey report released by StackRox, The State of Container Security, highlights how adoption trends intersect with strategies and challenges for container technologies, including Kubernetes, and the hybrid cloud infrastructures on which they are being deployed.
Significant gaps between production implementations and security measures are creating business and cyber risk; half of the survey respondents concerned about their container strategy cite security as their biggest worry. Far too many identify a lack of preparation or ability to sufficiently secure cloud-native applications. It’s time to get serious about catching up on the security front.
Real-World Container Deployments
Infrastructure portability is one of the main drivers for adopting containers. So, security has to be portable, too. But of course, it isn’t that simple in the real world. Most organizations (70 percent) are running containers on-premise. About one-third are running only on-prem, and another third are running only in the cloud. Container security needs to work across all environments to achieve and preserve the portability benefits of containers.
Companies are using containers for both greenfield apps and older, monolithic apps, at fairly even rates. In a repeat of early cloud migration trends, many companies are simply moving existing code into containers to capture efficiency improvements. VMs running containers can run at 90 percent utilization instead of the typical 10 percent.
Mind the Gap, Adopt Early, Catch Up
The survey confirmed that a gap exists between how broadly organizations are using containers and how confident they feel about their security, which means they haven’t been sufficiently addressing deployment and security in tandem. Many organizations describe their container security strategy as lacking in maturity; concerns about misconfiguration and securing containers in runtime production top the list.
Containers and Kubernetes create opportunities to improve cybersecurity overall. To get the most out of those inherent security capabilities, organizations must get Security and DevOps teams working together and applying security principles as early in the application develop process as possible. Security teams new to containers have to get up to speed on DevOps tooling and processes. Only working together will DevOps and security teams succeed in enabling the strongest protection for these environments.
Given the ephemeral nature of containers, security measures and incident response techniques have to fit this dynamic environment. More than half of the respondents indicated that their container security strategy was either in the “planning” or “basic” stages. It’s past time to take these threats seriously and increase investments in solutions, architecture, audits, and training.
Companies leading the charge in the adoption of containers see new vendors with purpose-built container security solutions as the most promising source of effective security for this environment – existing vendors adding container-specific features are rated second, with additional security built right into the infrastructure, and a close third choice as to the source of container security solutions.
Companies implementing containers should look for solutions that will flag well-known misconfigurations across the ecosystem, support hybrid and multi-cloud by integrating with existing management and monitoring solutions, and provide adaptive detection for runtime security that limits false positives. It’s also essential that the platform provides security across the full container lifecycle, spanning build, deploy, and runtime. Malware and other forms of attack can be detected only during runtime, which is why microservices and containerized environments can’t rely on prevention-only security strategies.
Thanks to the spotlight on recent high-profile Kubernetes attacks and vulnerabilities at Tesla and Shopify, misconfigurations on Kubernetes clusters are a central concern. Companies need to pay special attention in this area as they develop deeper expertise; Kubernetes is an incredibly powerful platform, but it provides a lot of controls, so companies should look for container security platforms that identify mistakes in the configuration.
Who’s Running This Security Show?
Given the security work needed, the next step is to determine who’s going to do it. Strategic thinking, planning, and collaborating about responsibilities and processes is fundamental to getting container security right, and both Security and DevOps teams should expect to change the way they are used to working. These expectations were reflected in survey answers – the combination of DevOps and DevSecOps dominate the list of teams expected to run container security platforms. Signs of positive synergy are already evident: rapid iteration and interoperability have improved, security is being brought in earlier, and enforcement of security policies is changing. Better yet, half of the survey respondents said containers have changed workflow and increased cooperative efforts between the two teams; another third have moved to embed Security on DevOps teams.
To maximize integration and control, container security platforms should align with DevOps workflow, CI/CD processes, and tools, including build automation systems and secrets management tools. Platforms that provide a deployment-centric vs. container- or image-centric perspective will provide the context and insights critical to understanding the risk landscape. These platforms should also provide contextual risk mitigation information directly to the appropriate DevOps teams. Last but not least, container security platforms should absolutely leverage cloud-native infrastructure to apply security controls, such as using network policy enforcement capabilities built into Kubernetes instead of creating a separate firewall layer.
What’s the Big Idea?
This time of year brings a deluge of warnings and imperatives — there’s no rest for the digitally weary. So why should we pay attention to container security in particular? Most urgently, because we’re going live — containers, microservices, and Kubernetes are hitting the mainstream en masse, even though most organizations admit their security tactics lag a bit. In a larger context, addressing container security is important because of the times in which we find ourselves – given the breaches and attacks that make the news weekly, consumer trust, brand reputation, digital innovation, and more are at stake. Containerization, Kubernetes, and cloud-native infrastructure have opened a path forward that could transform security and usher in a new era in digital business and commerce.
Opinions expressed by DZone contributors are their own.