Containers: Building in the ‘Sec’ in DevOps

Containers are evolving to be a core element of the IT fabric, powering digital transformation. They offer a new level of abstraction to efficiently develop applications that can be moved across distributed environments. They can be easily paired with cloud and open source tools, enabling organizations to iterate at a higher level for more rapid and flexible software development.

However, containerized applications are most often developed and deployed insecurely as developers race to build, requiring a radical rethink of how security gets embedded into the process. Security needs to be agile and automated so it doesn’t impede the development process. And, security needs to be integrated at the time the image is being built and then through the container life cycle. This concept of embedding security early in the development cycle is commonly referred to as “shifting security to the left.”

DevOps Dozen 2023

Container security introduces new types of threats and security teams typically encounter the following:

  1. Unvalidated external software: container images are often downloaded from untrusted sources or have not been curated by the community or the vendor.
  2. Unstandardized configurations: A mix of configurations with their own security bugs and risks exposes IT environments to higher risks of breaches and potential loss of sensitive information.
  3. Insecure east-west communications: By default, communications between containers on a host are not restricted, increasing the attack surface.
  4. Ephemeral nature of containers: Containers are intended to constantly spawn and disappear in keeping with the elastic demand of customer environments requiring security to be more dynamic than ever.

Today, most security teams are challenged by security approaches that splinter visibility into multiple single-purpose views for security of an individual infrastructure type, rather than a single-pane view that brings together visibility of security posture across both their traditional infrastructure and containerized environments.  This would enable teams to more efficiently pinpoint and address threats.

Given the dynamic nature and massive sprawl of containers, existing security frameworks need to integrate into common orchestration tools for automated deployment of security agents, and tracking and monitoring of containers at scale. The priorities I recommend security teams advocate across their organization include:

  1. Discovering and tracking at scale: Security teams need detailed inventories to identify containers based on attributes such as vulnerabilities, labels and tags. Complete topographic information helps security teams isolate containers impacted by a specific exposure or get an overarching view of the impact of threat even when deployed at scale.
  2. Continuous vulnerability management and compliance management: Security teams need to integrate vulnerability scanning into their continuous integration (CI) and continuous delivery (CD) tool to ensure container images, registries and the underlying host operations systems are healthy before deploying and then through the life cycle of the containers to check for new vulnerabilities or image drift.
  3. Runtime security and defense: It is critical to protect containers during runtime given an exceptionally dynamic environment with hundreds or thousands of containers spawning or disappearing from minute to minute. An automated intrusion detection system (IDS) built for containers can detect intrusions at scale. As a further layer of security, an IDS can be paired with an intrusion prevention system (IPS). This can be a simple policy-based model on known vulnerability and compliance rules applied up to an advanced level on east-west traffic and that allows for organizations to map their protection tiers according to their maturity model.
  4. Operational monitoring and incident management: With automated rollouts of new images versus patching, security teams need to be fully integrated into the CD process and need to able to monitor at scale. Tools that offer native container support and that can be integrated into orchestration tools help bridge operational silos and enable monitoring at scale.

Security has been an afterthought and bolted on for most processes over the last 20 years. However, container technology provides a great opportunity for turning that on its head with rapidly and repeatable application deployment and deployment cycles that shifts security controls upstream and mainstream into the development cycle.