Configuration, automation, best practices, and TLS are just four of more than a dozen suggestions.
Join the DZone community and get the full member experience.Join For Free
To understand the current and future state of containers, we gathered insights from 33 IT executives who are actively using containers. We asked, "How are you securing containers for orchestration, deployment, and ongoing operation?"
Here's what they told us:
- We recommend using a holistic solution. Automate secure SDLC practices as well as CI/CD. This forces vulnerability scanning of container images. Think about how to monitor and profile for best practices. Use security benchmarks to facilitate profiling and reduce exposure. Pay more attention to mistakes as a result of the speed of doing business today.
- Our tools are a little further down the pipeline. It's a challenge to let developers create whatever container on a laptop and ship to production. How do you know how the container was built and if a patch rebuild/redeploy is needed? You need to automate packaging and construction of containers themselves and define it as code so you are able to remake from scrap if necessary. Ensure only entrusted Docker containers are deployed into production. We only allow the deployment of Docker containers from our internal registry.
- This is a gap for many organizations. We are certainly intrigued by companies such as SysDig and Aqua Security, and there is a clear benefit to using these tools. You need to protect environments across development, build, and runtime to ensure compliance with whichever framework applies to your business. It goes beyond simply selecting a good tool. We recommend the “Shift-Left Security” approach and we are starting to see that more in the marketplace. Teams need to avoid leaving security out of the discussion. Security experts should be brought in from the design phases all the way to production—rather than designing and building something, failing an audit before going live, and setting yourself back six weeks for remediation.
- 1) We do vulnerability management and scanning built into CI/CD pipeline. We fail at build time. 2) When deploying, apply best practices and build best practices out of the box. 3) Follow configuration management and network policy. Wind down privileges, resources, and uses. Network layer 3 and layer 7 for access and control management. 4) Use runtime post-breach detection like forensics, investigation, and automated feedback loops. There is value around additional context, continuous hardening from build and deploy into runtime with all of logic policy and configuration live in the client’s infrastructure. Security tools become an extension of your infrastructure.
- Depending on the environment, container images need to be signed. Secure data at rest and data in motion, role-based access and running as non-root are common security guidelines.
- Best practices for securing containers span multiple areas. For network communication between containers, TLS is highly recommended. Ensure containers only communicate using TLS. Certificates and privet keys should be passed to containers using secrets. Store secrets in a safe place for the long term. A common tool for this is Vault. Kubernetes Network Policies help with security. This provides a way for the user to describe secure boundaries between a group of containers. Containers run the way you construct a Docker image that has software from many sources in a single image. It may contain hundreds of libraries from other sources. You may find a security vulnerability in one of the libraries. It's important to ensure images are up to date and do not contain known vulnerabilities. Tools help DevOps detect the presence of images that are out of date or have vulnerabilities (e.g., Twistlock, Harbor open source project). Store images in a secure and trusted way. Scan content for vulnerabilities.
- Container images are created using the Linux package security update mechanism to ensure images include the latest security patches. Further, the container image is published to the Red Hat Container Catalog which requires these security measures to be applied as part of the publishing process. In addition, domain and database administrative commands are authenticated using TLS secure certificate authentication and LDAP, as well as domain meta-data, application SQL commands, and user data communications are all protected using the AES-256-CTR encryption cipher.
- TLS client or Candid-based authentication for driving remotely. RBAC is on the roadmap. Unprivileged containers, by default, run in isolated mode (no UID correspondence, no overlap between UIDs), SECCOMP/AppArmor, MAC isolation filtering, cgroups, limits on CPU, bandwidth usage (both network and storage). By leaving zero visibility from the container to the host there is no attack surface at all.
- Out of the box. Containers provide isolation between them and to secure them even further we use a policy-driven lockdown of each node on which the containers are running.
- Security is one of the great opportunities in the container platform. K8s is a powerful yet complex platform. We ensure the user configures K8s' underlying infrastructure correctly and applications are configured correctly. We also centralize multi-cluster management and policy management. We are able to enforce what workload works on what resource tool.
- Containers all run in virtual networks and have multiple security models on top of each service. We use Azure keys, API managers, and serverless functions with a job-based token-driven security model.
- A bunch of people are creating and shipping a dependency tree. We walk through problems to understand the security of containers realizing the need to manage dependencies. Think through the lifecycle, runtime, and the entire container platform thinking about how they are configured how they meet the Phipps mode compliance. There’s a typical set of criteria you need to think about. Don’t forget about the lifecycle of dependencies on the development side.
- I think the challenge with container security, for us and across the board, is to build similar levels of security assurance as businesses have spent the last decade or so doing with virtual machines.
- Currently, we provide visibility into Docker, K8s, AWS EKS, and AWS ECS. We’re constantly working to ensure our customers can deploy and leverage containers in a secure manner. We’re also keeping our eye on the horizon, monitoring myriad new technologies in the space to ensure our customers can adopt them as securely and quickly as possible.
- By their nature, containerized environments and microservices offer a sizeable attack surface, as well as dynamic internal container-to-container communications that can allow attacks to escalate if not detected and thwarted. Therefore, securing these environments means establishing effective container network security and host security, and carefully monitoring container traffic. Developers need to safeguard their environments along multiple vectors – specifically, they should leverage security technology that feature layer 7 inspections to recognize potential issues at the application layer. Data loss prevention is also an increasingly critical container security topic, as production container environments handling personally identifiable information (PII) become more common and must comply with industry and governmental regulations that enforce proper handling of any sensitive data.
Here’s who we spoke to:
- Tim Curless, Solutions Principal, AHEAD
- Gadi Naor, CTO and Co-founder, Alcide
- Carmine Rimi, Product Manager, Canonical
- Sanjay Challa, Director of Product Management, Datical
- OJ Ngo, CTO, DH2i
- Shiv Ramji, V.P. Product, DigitalOcean
- Antony Edwards, COO, Eggplant
- Anders Wallgren, CTO, Electric Cloud
- Armon Dadgar, Founder and CTO, HashiCorp
- Gaurav Yadav, Founding Engineer Product Manager, Hedvig
- Ben Bromhead, Chief Technology Officer, Instaclustr
- Jim Scott, Director, Enterprise Architecture, MapR
- Vesna Soraic, Senior Product Marketing Manager, ITOM, Micro Focus
- Fei Huang, CEO, NeuVector
- Ryan Duguid, Chief Evangelist, Nintex
- Ariff Kassam, VP of Products and Joe Leslie, Senior Product Manager, NuoDB
- Bich Le, Chief Architect, Platform9
- Anand Shah, Software Development Manager, Provenir
- Sheng Liang, Co-founder and CEO, and Shannon Williams, Co-founder, Rancher Labs
- Scott McCarty, Principal Product Manager - Containers, Red Hat
- Dave Blakey, CEO, Snapt
- Keith Kuchler, V.P. Engineering, SolarWinds
- Edmond Cullen, Practice Principal Architect, SPR
- Ali Golshan, CTO, StackRox
- Karthik Ramasamy, Co-Founder, Streamlio
- Loris Degioanni, CTO, Sysdig
- Todd Morneau, Director of Product Management, Threat Stack
- Rob Lalonde, VP and GM of Cloud, Univa
- Vincent Lussenburg, Director of DevOps Strategy; Andreas Prins, Vice President of Product Development; and Vincent Partington, Vice President Cloud Native Technology, XebiaLabs
Opinions expressed by DZone contributors are their own.