What Is ECR and How Can You Make Your Containers More Secure?

A three-layer security is your best bet today.

By Tom Smith · DZone Core · Jan. 12, 16 · News

I had the opportunity to talk to Michael Withrow, Chief Architect & Director of Solution Architecture at Twistlock. Michael recently joined Twistlock after spending eight years at Microsoft, where he worked on more than 150 Azure deployments.

As more companies begin to move their infrastructure to the cloud, they are looking for simpler alternatives. Platform as a service (PaaS) provides customers with fully managed services, so they don't have to spin up a new host for their applications; instead they subscribe to a service in which lifecycle management, disaster recovery, and the like are built in. Moving from infrastructure as a service (IaaS) to PaaS will take time, as it requires the security and the services to mature enough to meet enterprise needs. As PaaS gets stronger, enterprises will move to it more quickly. Michael expects the evolution to accelerate over the next five years.

The DevOps story is changing as well. With the emergence of Docker, three-tier application architecture is becoming legacy and building containers is becoming the norm. There are still challenges, as the ecosystem is still maturing: developers must stand up a Docker host on which to deploy their images, which means they need to account for infrastructure, networking, and security.

AWS just announced its newest managed service, the EC2 Container Registry (ECR), a fully managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. With this service you can configure policies to manage permissions and control access to your images using AWS Identity and Access Management (IAM) users and roles, without having to manage registry credentials directly on your EC2 instances.

The EC2 (Elastic Compute Cloud) Container Registry provides stronger security by letting users layer in controls. The registry streamlines the process and provides a more integrated service environment. Gating image access with IAM permissions is inherently less exposed than relying on Docker Hub accounts, and it lets you audit every access decision against IAM.
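As an added illustration of the access-control point above (this policy is not from the article or from AWS documentation), here is a least-privilege IAM policy for an EC2 instance role that may only pull one repository. The region `us-east-1`, the account ID `123456789012` and the repository name `web` are assumed placeholders; the ECR action names and the ARN form are the real ones. Note that `ecr:GetAuthorizationToken` cannot be scoped to a repository and has to be granted on `*`, while the three pull actions are pinned to a single repository ARN, and no push actions (`ecr:PutImage`, `ecr:InitiateLayerUpload`, `ecr:UploadLayerPart`, `ecr:CompleteLayerUpload`) are granted, so a compromised instance cannot replace the image it runs:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ObtainRegistryToken",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "PullOnlyFromOneRepository",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/web"
    }
  ]
}
```

Attach this to the instance role and give the CI system a separate role that holds the push actions; the API calls made under either role then show up in CloudTrail under that role's identity, which is the audit trail the paragraph above refers to.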

From a security perspective, containers change the attack surface, and customers need to protect themselves. However, there is good news: the declarative nature of containers makes it easier, with the right tooling, to provide security that customers could not achieve in a three-tier architecture.

Twistlock is one of those tools.

When a developer creates an image and pushes it to their own ECR repository, Twistlock can scan that image for vulnerabilities and, when integrated into the CI process, notify the developer of issues to address before the image moves to the next stage. Once the image is certified for production, Twistlock's run-time defense continues to protect it throughout its production lifecycle.
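The CI gate described above, as an added example in Python; it is not Twistlock's scanner or CLI, and the report layout, the finding identifiers and the exception list are constructed for illustration (each real scanner has its own output schema, so the first thing to adapt is `SCAN_REPORT`). The point it shows that the paragraph does not is how to make the gate livable: a severity threshold, plus a risk-acceptance list whose entries carry an expiry date so that an accepted finding comes back to block the build instead of being forgotten.

```python
"""CI gate over an image vulnerability scan (added example, not Twistlock code).
Report format, finding ids and exceptions below are constructed."""
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan output for one image tag in a private ECR repository
# (account id and region are placeholders).
SCAN_REPORT = {
    "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.4.2",
    "findings": [
        {"id": "finding-1", "package": "openssl", "severity": "critical", "fixed_in": "1.0.2f-r0"},
        {"id": "finding-2", "package": "busybox", "severity": "medium", "fixed_in": None},
        {"id": "finding-3", "package": "zlib", "severity": "high", "fixed_in": "1.2.8-r2"},
    ],
}

# Constructed risk acceptances: finding id -> date the acceptance expires.
EXCEPTIONS = {"finding-3": date(2016, 3, 1)}


def gate(report, threshold="high", exceptions=None, today=None):
    """Decide whether the image may move to the next pipeline stage.

    Returns (passed, blocking): blocking lists every finding at or above
    `threshold` that has no exception still in force on `today`. An expired
    exception counts as no exception, which is what forces the revisit."""
    exceptions = exceptions or {}
    today = today or date.today()
    floor = SEVERITY_RANK[threshold]
    blocking = []
    for finding in report["findings"]:
        if SEVERITY_RANK.get(finding["severity"], 0) < floor:
            continue                                  # below the bar for this stage
        expiry = exceptions.get(finding["id"])
        if expiry is not None and today <= expiry:
            continue                                  # accepted risk, still in force
        blocking.append(finding)
    return (not blocking), blocking


def report_lines(blocking):
    """One human-readable line per blocking finding for the developer notification."""
    return [
        "%s: %s %s (%s)" % (
            f["severity"].upper(), f["package"], f["id"],
            "fix in %s" % f["fixed_in"] if f["fixed_in"] else "no fix yet")
        for f in blocking
    ]


if __name__ == "__main__":
    passed, blocking = gate(SCAN_REPORT, "high", EXCEPTIONS)
    print("\n".join(report_lines(blocking)) or "no blocking findings")
    sys.exit(0 if passed else 1)                      # non-zero exit stops the pipeline
```

Run as a pipeline step, the script exits non-zero whenever a critical or high finding has no unexpired exception; with the constructed data the openssl finding blocks immediately, and the zlib finding starts blocking again on the day after its acceptance expires.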

Twistlock focuses on three layers:

  1. Vulnerability management

  2. Access control

  3. Run-time defense

ECR is providing Access Control, but couple this with Twistlock and you can also add in Vulnerability Management and Run-time defense.

Run-time defense takes advantage of the declarative state of containers. A developer creates an image; Twistlock scans the Dockerfile of that image. Now it knows exactly what that container should be doing and lets you build policy that denies anything it shouldn't be doing.

A container that was sent to production a month ago may be vulnerable to attacks that were not known at the time. Run-time defense sensors allow such attacks to be blocked.

If an attacker gains root inside the container, they can try to install malware; however, the network sensor checks destinations against a blacklist of known malware sites and blocks the connection that would fetch it.

If new, unknown malware is downloaded to storage anyway, the known hashes of the container's contents reveal it as a file the image never declared, and the write is blocked.

If malware nonetheless reaches storage and tries to spawn a process, run-time defense identifies the rogue process and blocks it from spawning.

By building intelligent knowledge of what the container is supposed to do, you can block anything it is not supposed to do. 

Run-time defense can help to protect your containers through their entire lifecycle.
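The three sensors described above (process, storage, network), as an added toy model in Python; it is not Twistlock's implementation and does not hook a real kernel. The Dockerfile, the image contents, the blacklist, the writable-path list and the event stream are all constructed for the example. What it shows that the prose does not is the actual derivation: the expected process comes from `ENTRYPOINT`/`CMD` (exec form runs the binary directly, shell form runs it through `sh -c`, so `sh` must then be expected too), the storage baseline is a table of content hashes, and everything not derived from the image is denied by default.

```python
"""Toy model of declarative run-time defense (added example, not Twistlock code).
A default-deny policy is derived from the image's Dockerfile and file hashes,
then process, file-write and network events are checked against it.
Every input below is constructed for illustration."""
import hashlib
import json
import shlex

# Constructed Dockerfile for a small web server image.
DOCKERFILE = """\
FROM alpine:3.3
RUN apk add --no-cache nginx
COPY nginx.conf /etc/nginx/nginx.conf
ENTRYPOINT ["nginx"]
CMD ["-g", "daemon off;"]
"""

# Constructed stand-in for the image filesystem (path -> content).
IMAGE_FILES = {
    "/usr/sbin/nginx": b"ELF\x02\x01 nginx binary stand-in",
    "/etc/nginx/nginx.conf": b"worker_processes 1;\n",
}

# Constructed blacklist of known malware-distribution destinations,
# and the only path prefix the service legitimately writes to.
BLACKLIST = {"malware.example", "198.51.100.7"}
WRITABLE = ("/var/log/nginx/",)


def allowed_processes(dockerfile):
    """Executables the container is declared to run, from ENTRYPOINT/CMD.
    ENTRYPOINT wins when present (CMD then only supplies arguments);
    shell form is executed via /bin/sh -c, so sh is expected as well."""
    forms = {}
    for raw in dockerfile.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].upper() not in ("ENTRYPOINT", "CMD"):
            continue
        key, rest = parts[0].upper(), parts[1].strip()
        if rest.startswith("["):
            forms[key] = (json.loads(rest), False)      # exec form
        else:
            forms[key] = (shlex.split(rest), True)      # shell form
    argv, shell_form = forms.get("ENTRYPOINT") or forms.get("CMD") or ([], False)
    if not argv:
        return set()
    allowed = {argv[0].rsplit("/", 1)[-1]}
    if shell_form:
        allowed.add("sh")
    return allowed


class RuntimePolicy:
    """Default-deny policy built only from what the image declares."""

    def __init__(self, dockerfile, image_files, blacklist, writable):
        self.processes = allowed_processes(dockerfile)
        self.hashes = {p: hashlib.sha256(d).hexdigest() for p, d in image_files.items()}
        self.blacklist = set(blacklist)
        self.writable = tuple(writable)

    def check(self, event):
        """Return ("allow" | "block", reason) for one sensor event."""
        kind = event["type"]
        if kind == "exec":                                  # process sensor
            exe = event["exe"].rsplit("/", 1)[-1]
            if exe in self.processes:
                return "allow", "declared process"
            return "block", "process %s not declared by the image" % exe
        if kind == "connect":                               # network sensor
            if event["dst"] in self.blacklist:
                return "block", "destination %s is blacklisted" % event["dst"]
            return "allow", "destination not blacklisted"
        if kind == "write":                                 # storage sensor
            if event["path"].startswith(self.writable):
                return "allow", "declared writable path"
            digest = hashlib.sha256(event["data"]).hexdigest()
            if self.hashes.get(event["path"]) == digest:
                return "allow", "content matches image baseline"
            return "block", "%s is not part of the image contents" % event["path"]
        return "block", "unknown event type %s" % kind


def evaluate(policy, events):
    return [policy.check(e) for e in events]


# Constructed event stream: normal start-up, then an intrusion attempt.
EVENTS = [
    {"type": "exec", "exe": "/usr/sbin/nginx"},
    {"type": "connect", "dst": "malware.example"},
    {"type": "write", "path": "/tmp/miner", "data": b"#!/bin/sh\nwhile :; do :; done\n"},
    {"type": "exec", "exe": "/tmp/miner"},
    {"type": "write", "path": "/etc/nginx/nginx.conf", "data": b"worker_processes 1;\n"},
    {"type": "write", "path": "/var/log/nginx/access.log", "data": b"GET / 200\n"},
]

if __name__ == "__main__":
    policy = RuntimePolicy(DOCKERFILE, IMAGE_FILES, BLACKLIST, WRITABLE)
    for event, (verdict, reason) in zip(EVENTS, evaluate(policy, EVENTS)):
        print(verdict.upper(), event["type"], "-", reason)
```

The three blocked events are exactly the three stages of the attack narrated above: the fetch from a blacklisted host, the new file that matches nothing in the image, and the undeclared process. Note the design choice in the storage sensor: the writable-path list is there because a pure hash baseline would also block the service's own log writes, which is the kind of false positive that gets a run-time policy switched off in practice.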

Tags: Docker (software), security

Opinions expressed by DZone contributors are their own.
