What Is ECR and How Can You Make Your Containers More Secure?

A three-layer approach to container security is your best bet today.

By Tom Smith · Jan. 12, 2016 · News

I had the opportunity to talk to Michael Withrow, Chief Architect & Director of Solution Architecture at Twistlock. Michael recently joined Twistlock after spending eight years at Microsoft, where he worked on more than 150 Azure deployments.

As more companies move their infrastructure to the cloud, they are looking for simpler alternatives. Platform as a service (PaaS) provides customers with fully managed services: rather than spinning up a new host for their applications, they subscribe to a service in which lifecycle management, disaster recovery, and so on are built in. Moving from infrastructure as a service (IaaS) to PaaS will take time, as both security and the services themselves must grow to meet enterprise needs. As PaaS matures, enterprises will move to it more quickly; Michael expects the evolution to accelerate over the next five years.

The DevOps story is changing as well. With the emergence of Docker, the three-tier application architecture is becoming legacy and building containers is becoming the new norm. There are still challenges, since Docker itself is still maturing: developers must stand up a Docker host on which to deploy their images, which means they have to account for infrastructure, networking, and security themselves.

AWS has just announced its newest managed service, the EC2 Container Registry (ECR), a fully managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. With ECR you can configure policies that manage permissions and control access to your images using AWS Identity and Access Management (IAM) users and roles, without having to manage registry credentials directly on your EC2 instances.

The EC2 (Elastic Compute Cloud) Container Registry provides stronger security by letting users layer security in. ECR streamlines the process and provides a more integrated service environment: access governed by IAM permissions is inherently less exposed than a repository on Docker Hub, and access decisions can be audited against IAM.
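As an added example (not code from the article, from AWS, or from Twistlock), here is what a least-privilege ECR repository policy looks like, together with a small evaluator for checking who may do what before the policy is applied. The account ID and the role names (ci-build, ecs-host) are assumed placeholders; the ecr:* action names are real IAM actions.

```python
"""Least-privilege access to an ECR repository, modelled as a repository policy.

Added illustration, not code from the article, from AWS, or from Twistlock.
The account ID and role names are assumed placeholders; the ecr:* action
names are real IAM actions. ``is_allowed`` implements a simplified version of
the IAM decision order (explicit Deny wins, then Allow, otherwise implicit
Deny) and ignores Condition blocks, so it is a model for reasoning about the
policy, not a replacement for IAM's own evaluation.
"""
from fnmatch import fnmatch

ACCOUNT = "123456789012"                                  # assumed account ID
CI_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ci-build"         # assumed: the build pipeline
HOST_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ecs-host"       # assumed: the container hosts

# Pulling an image needs exactly these three repository-level actions.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
]
# Pushing needs the pull set plus the layer-upload and manifest actions.
PUSH_ACTIONS = PULL_ACTIONS + [
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]

# A repository policy is scoped to one repository, so it carries no Resource element.
REPOSITORY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CiCanPush", "Effect": "Allow",
         "Principal": {"AWS": CI_ROLE}, "Action": PUSH_ACTIONS},
        {"Sid": "HostsCanOnlyPull", "Effect": "Allow",
         "Principal": {"AWS": HOST_ROLE}, "Action": PULL_ACTIONS},
        # Even the pipeline must not be able to destroy history: explicit Deny wins.
        {"Sid": "CiCannotDelete", "Effect": "Deny",
         "Principal": {"AWS": CI_ROLE},
         "Action": ["ecr:DeleteRepository", "ecr:BatchDeleteImage"]},
    ],
}


def _matches(patterns, value):
    """IAM string matching: a string or list of strings with '*' and '?' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch(value, p) for p in patterns)


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    return _matches(principal.get("AWS", []), caller_arn)


def is_allowed(policy, caller_arn, action):
    """Simplified IAM evaluation for a single resource-based policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not _matches(stmt["Action"], action):
            continue
        if stmt["Effect"] == "Deny":
            return False           # an explicit Deny overrides any Allow
        allowed = True
    return allowed                 # no matching statement: implicit Deny


def access_matrix(policy, principals, actions):
    """Who may do what: useful for reviewing a policy before applying it."""
    return {p: {a: is_allowed(policy, p, a) for a in actions} for p in principals}
```

A repository policy only covers operations on that repository: the `docker login` step needs `ecr:GetAuthorizationToken`, which has to be granted in the caller's identity-based policy on resource `*`. The evaluator ignores Condition blocks and models IAM's decision order; it is not a substitute for testing the policy against IAM itself.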

From a security perspective, containers change the attack surface, and customers need to protect themselves. The good news is that the declarative nature of containers makes it easier, with the right tooling, to provide a level of security that customers could not achieve in a three-tier architecture.

Twistlock is one of those tools.

When a developer builds an image and pushes it to their ECR repository, Twistlock can scan that image for vulnerabilities and, when integrated into the CI process, notify the developer that there are issues to address before the image moves to the next stage of development. Once the image is certified for production, Twistlock's runtime defense provides lifecycle management long into production.
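A minimal CI gate of the kind described above, as an added example (not Twistlock's or the article's code): it normalizes scan findings into a small record, fails the build at a chosen severity, lets findings with no published fix warn rather than block by default, and honors reviewed waivers. The findings, package versions and ADV-* advisory IDs are constructed sample data, not real vulnerabilities.

```python
"""A CI gate over image-scan findings: decide whether an image may be promoted.

Added example, not code from the article or from Twistlock. Scanners differ in
output format, so this works on a small normalized record. SAMPLE_FINDINGS is
constructed data: the versions and ADV-* IDs are placeholders, not real advisories.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    advisory: str
    severity: str
    fixed_in: Optional[str] = None   # None: no fixed package version published yet


@dataclass(frozen=True)
class GatePolicy:
    block_at: str = "high"                  # fail the build at this severity and above
    block_unfixed: bool = False             # unfixable findings warn but do not block
    waived: FrozenSet[str] = frozenset()    # accepted-risk advisories, reviewed elsewhere


def gate(findings, policy=GatePolicy()):
    """Classify findings and return the verdict plus the evidence behind it."""
    threshold = SEVERITY_RANK[policy.block_at]
    blocking, advisory, waived = [], [], []
    for f in findings:
        if f.advisory in policy.waived:
            waived.append(f)
        elif SEVERITY_RANK[f.severity] < threshold:
            advisory.append(f)
        elif f.fixed_in is None and not policy.block_unfixed:
            advisory.append(f)      # nothing to upgrade to yet: surface it, don't stall the team
        else:
            blocking.append(f)
    return {"passed": not blocking, "blocking": blocking,
            "advisory": advisory, "waived": waived}


def report(result):
    """Human-readable summary for the build log."""
    lines = ["PASS" if result["passed"] else "FAIL: image not promoted"]
    for f in result["blocking"]:
        lines.append(f"  BLOCK {f.advisory} {f.package} {f.installed} -> upgrade to {f.fixed_in}")
    for f in result["advisory"]:
        lines.append(f"  WARN  {f.advisory} {f.package} {f.installed} "
                     f"({f.severity}, {f.fixed_in or 'no fix yet'})")
    for f in result["waived"]:
        lines.append(f"  WAIVE {f.advisory} {f.package} (accepted risk)")
    return "\n".join(lines)


# Constructed scanner output for one image build (placeholder versions and IDs).
SAMPLE_FINDINGS = [
    Finding("openssl", "1.0.1e-2", "ADV-0001", "critical", fixed_in="1.0.1e-3"),
    Finding("bash", "4.3-7", "ADV-0002", "high"),                        # no fix published
    Finding("libxml2", "2.9.1", "ADV-0003", "medium", fixed_in="2.9.2"),
    Finding("curl", "7.38.0", "ADV-0004", "high", fixed_in="7.38.1"),
]

if __name__ == "__main__":
    print(report(gate(SAMPLE_FINDINGS)))
```

Run as a pipeline step, a non-zero exit on `passed == False` is what stops the image from being tagged for the next environment; the waiver list should live in version control with an owner and an expiry so accepted risk is revisited rather than forgotten.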

Twistlock focuses on three layers:

  1. Vulnerability management
  2. Access control
  3. Run-time defense

ECR provides the access control; couple it with Twistlock and you add vulnerability management and run-time defense.

Run-time defense takes advantage of the declarative state of containers. When a developer creates an image, Twistlock scans that image's Dockerfile, so it knows exactly what the container is supposed to do and lets you build a policy that denies anything else.

A container that was sent to production and launched a month ago may be vulnerable to attacks that were not known a month ago. Run-time defense sensors allow those attacks to be blocked.

If an attacker has root access to the container, they can get in and attempt to install malware; however, the network sensors know which malware-distribution sites are on the blacklist and block connections to them.

If new, unknown malware is downloaded instead, knowing the hashes of the container's contents lets the sensor recognize a file that does not belong to the image and prevent it from being written to storage.

If malware does make it to storage and tries to spawn a process, run-time defense identifies the rogue process and blocks it from spawning.

By building intelligent knowledge of what the container is supposed to do, you can block anything it is not supposed to do. 

Run-time defense can help to protect your containers through their entire lifecycle.
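To make the "declarative state" idea concrete, here is an added example (not Twistlock's or the article's code) that builds a run-time policy from a Dockerfile and the hashes of the image's files, then applies it to a constructed stream of process, network and file events covering each of the scenarios above: a blacklisted site, an unknown download reaching storage, a rogue process, and a modified image file. The Dockerfile, file contents, blacklist and event stream are all constructed; hostnames use the reserved .test domain.

```python
"""Runtime defense derived from what an image declares (added example, not
Twistlock's code). DOCKERFILE, IMAGE_FILES, BLOCKED_DOMAINS, ALLOWED_EGRESS and
EVENTS are all constructed for the demo; hostnames use the reserved .test TLD.
"""
import hashlib
import json
import os
import shlex
from dataclasses import dataclass

DOCKERFILE = """\
FROM debian:8
RUN apt-get update && apt-get install -y nginx
COPY nginx.conf /etc/nginx/nginx.conf
EXPOSE 80
VOLUME /var/log/nginx
ENTRYPOINT ["nginx", "-g", "daemon off;"]
"""
IMAGE_FILES = {                       # constructed stand-in for the scanned image filesystem
    "/usr/sbin/nginx": b"<nginx binary, constructed>",
    "/etc/nginx/nginx.conf": b"worker_processes 1;\n",
}
BLOCKED_DOMAINS = {"malware.example.test"}   # blacklist feed (constructed)
ALLOWED_EGRESS = {"backend.internal.test"}  # declared outbound dependency (assumed)


@dataclass(frozen=True)
class RuntimePolicy:
    allowed_processes: frozenset  # executable basenames from ENTRYPOINT/CMD
    writable_paths: tuple         # VOLUME prefixes: the only legitimate write targets
    file_hashes: dict             # path -> sha256 of the image's copy
    blocked_domains: frozenset
    allowed_egress: frozenset


def _args(rest):
    """Exec form is a JSON array; shell form is split as a shell would."""
    rest = rest.strip()
    return json.loads(rest) if rest.startswith("[") else shlex.split(rest)


def build_policy(dockerfile, image_files, blocked_domains=(), allowed_egress=()):
    entrypoint, cmd, volumes = [], [], []
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        if instr.upper() == "ENTRYPOINT":
            entrypoint = _args(rest)
        elif instr.upper() == "CMD":
            cmd = _args(rest)
        elif instr.upper() == "VOLUME":
            volumes.extend(_args(rest))
    main = entrypoint or cmd   # with an ENTRYPOINT, CMD only supplies arguments
    procs = {os.path.basename(main[0])} if main else set()
    hashes = {p: hashlib.sha256(b).hexdigest() for p, b in image_files.items()}
    return RuntimePolicy(frozenset(procs), tuple(volumes), hashes,
                         frozenset(blocked_domains), frozenset(allowed_egress))


def evaluate(events, policy):
    """Return each event with an allow/block verdict and the reason for it."""
    out = []
    for ev in events:
        if ev["type"] == "exec":
            ok = os.path.basename(ev["exe"]) in policy.allowed_processes
            reason = "declared by ENTRYPOINT/CMD" if ok else "process not declared by the image"
        elif ev["type"] == "connect":
            if ev["dst"] in policy.blocked_domains:
                ok, reason = False, "destination is on the blacklist"
            else:
                ok = ev["dst"] in policy.allowed_egress
                reason = "declared egress" if ok else "egress not declared for this image"
        else:  # write
            path, digest = ev["path"], hashlib.sha256(ev["data"]).hexdigest()
            if any(path == v or path.startswith(v.rstrip("/") + "/") for v in policy.writable_paths):
                ok, reason = True, "inside a declared VOLUME"
            elif policy.file_hashes.get(path) == digest:
                ok, reason = True, "content matches the image"
            elif path in policy.file_hashes:
                ok, reason = False, "image file modified (hash mismatch)"
            else:
                ok, reason = False, "new file outside declared volumes"
        out.append({"event": ev, "verdict": "allow" if ok else "block", "reason": reason})
    return out


# Constructed event stream: normal service activity, then an intrusion attempt.
EVENTS = [
    {"type": "exec", "exe": "/usr/sbin/nginx"},
    {"type": "connect", "dst": "backend.internal.test", "port": 8080},
    {"type": "write", "path": "/var/log/nginx/access.log", "data": b"GET / 200\n"},
    {"type": "connect", "dst": "malware.example.test", "port": 80},   # known bad site
    {"type": "connect", "dst": "cdn.unknown.test", "port": 443},      # unknown dropper host
    {"type": "write", "path": "/tmp/.x", "data": b"\x7fELF..."},      # payload reaches storage
    {"type": "exec", "exe": "/tmp/.x"},                               # rogue process
    {"type": "write", "path": "/etc/nginx/nginx.conf", "data": b"tampered"},
]


def run_demo():
    return evaluate(EVENTS, build_policy(DOCKERFILE, IMAGE_FILES, BLOCKED_DOMAINS, ALLOWED_EGRESS))
```

A real sensor sees far more (system calls, parent processes, users), and a shell-form CMD actually runs under /bin/sh, so its first token is only the intended process; but the decision logic is the point: anything the image did not declare is denied by default, which is what lets the policy catch an attack that did not exist when the image was built.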
