The importance of properly secured infrastructure seems to rise on a daily basis. Whether due to new business demands or the sophistication level of the potential menace, yet it seems cloud security may be the hot word of the year.
And global influencers tend to confirm this.
“Cloud security is a top enterprise IT priority as organizations modernize their critical business systems both in-place and in the cloud,” says Sunil Potti, VP of Google Cloud security.
There is no cloud security expert who would argue with the above stated; it is for a fact that the fast pacing movement of the industry demands an adequate response. One of the questions imposing is, which direction do the biggest threats come from?
The security risk for containers rises with the usage
According to the Cloud Security Alliance, one of the places to look are the containers. Well, the increasing usage of them, to be precise. According to the CSA research, the boost in the usage of containers and orchestration tools such as Kubernetes poses a new threat to the safety of the application deployment process.
“We have seen increased usage of containers in the last few years, and I don’t think 2020 will be any different. But I share concerns about container security,” says Mustafa Toroman, Azure Solutions Architect, Azure MVP and CyberSecurity aficionado.
“It’s often the case with popular technology that security features aren’t developed as fast as the rest of the platform. We’ve seen the same thing with many IT trends. For example, look at DevOps. Many organizations accepted DevOps as a way to do business, but security is often overlooked, and only some organizations are introducing security as part of their process. The exact same thing is with containers. Managing containers is hard and we have multiple orchestrators available. But the focus of each orchestrator was scalability and simplicity, security was not in focus until now.”
Put the safety in focus with container security best practices
Managing containers is complex, as Mustafa warned. As far as safety goes, the container security best practice checklist starts with the very beginning of the Docker creation.
1. Secure the container ecosystem while building it
Detecting a potential threat early in build pipeline will go a long way. This means designing the workflow in a manner that puts safety as a priority. Think about access control and whether everyone who has access to the kernel actually needs it. Think about running containers with a minimal set of permissions that is enough for the required tasks to be executed.
Also, don’t forget about the app itself. Opt for RASP-oriented container tools which will protect the app and API in real-time by detecting potential issues in the code. When it comes to choosing these tools according to your needs and workload, you can always reach out to our DevOps engineers for a non-binding consultation.
2. Bolster the host OS
While sticking to the early stage of the container architecture, bear in mind that the right choices with OS design and segmentation help you rank higher in the security ladder. What do we mean? Well, a minimalistic, container-specific host operating system is created only for running containers. As opposed to the general-purpose one, container-specific OS is more resilient to threats as it helps reduce the potential attack surface.
For additional in-depth protection, group the containers with the same purpose on the single host OS. This practice showed that it is easier to detect the threat and stop it from spreading to other groups.
3. Scan the container content
One of the most common container security challenges is the lowered visibility. As you are constantly adding images, often pulling from public resources, a potential threat may pass undetected. Another challenge is the fact that most development professionals – including experienced ones – lack a thorough understanding of the image content, which prevents them from spotting potentially incompliant or threatening ones. A right set of tools for auditing provides the ability to see inside the image layers and ensure that only compliant images are running.
Still, feeling uncomfortable about your app and container security? Drop us an email for a free consultation with SuperAdmins experts.