Your team is running containers, but are they secure?
Organizations are modernizing IT infrastructure, restructuring teams, and accelerating application delivery with containers and Kubernetes. As with any technology, organizations are at various places within their journey. However, according to Gartner, more than 75% of global organizations will be running containerized apps in production by 2022.
Chances are your team is using containers for some applications. It’s hard to find a company built on software that hasn’t deployed a low-risk application to the cloud using a DevOps approach and containers. Others are further along and have moved their business-critical apps to the cloud.
No matter where you are, operating containers is different. They are immutable, which makes legacy patching approaches invalid. They are ephemeral, which makes incident response and forensics a nightmare. Visibility is a challenge that requires a different approach to threat detection. The volume of services to manage is greater with microservices.
How do you know your team put effective security and compliance controls in place? Are you actively engaging to understand their strategy or assuming legacy controls will suffice?
According to 2019 DORA and Google Cloud research (download required), most teams, even high-performing elite DevOps teams, delay integrating automated security testing. Less than one-third of teams integrated security testing into their DevOps tool chain.
As the CEO of a company that offers security, compliance, and monitoring products for containers and Kubernetes, I believe this is a huge mistake because procrastinating on security controls can lead to unpleasant surprises.
Benjamin Franklin stated, “By failing to prepare, you are preparing to fail.”
You need to address security.
There are countless reasons to address security. Avoiding security breaches and exposure of confidential data is the main one.
The impact on your brand, loss of customer confidence, and internal costs of repairing damage are generally far greater than the impact of fines from violating privacy regulations. According to IBM (download required), the average U.S. data breach costs more than $8 million.
There tend to be three categories of security adopters:
- Early adopters: These security teams lead the charge, and they define policy guidelines for Kubernetes and container deployments.
- Customer-driven: For some B2B companies, security and compliance become priorities after customers evaluate their security controls and withhold revenue.
- Compliance-focused: For other B2B companies, passing compliance audits drives urgency.
There’s a false sense that containerized apps are inherently secure.
Kubernetes was created for developers with a philosophy of frictionless code deployment. Making life easy for developers can result in complexity for platform and DevOps teams. For example, Kubernetes is “open by default,” meaning security guardrails need to be explicitly defined.
Every environment leaves openings for attackers. New vulnerabilities continue to be identified in Kubernetes and underscore the need for flagging and alerting about anomalous events.
My company found that 58% of images run as root. If they’re compromised, they can allow an attacker to potentially gain broad access to the environment.
Developers frequently assemble code rather than write from scratch, but it’s difficult to know if images from other sources have vulnerabilities. Teams can scan OS images, which may have the greatest impact. However, my company found that over half of non-OS images contain “high” to “critical” vulnerabilities. Make sure your security team has set specific policies around managing vulnerabilities and high-risk configurations that are relevant for containers.
Another challenge is the short life span. According to my company’s research, more than half of containers live for less than five minutes. What happens when the container is gone, along with its data? Existing tools may not capture the trail of container activity required for effective investigations. You should capture data more frequently in container environments.
Container security requires a new approach.
Your cloud team knows security controls are important, so why delay? One common reason is fear that introducing security and compliance will slow them down. Your platform team is pressured to stand up a Kubernetes and container infrastructure to meet development team requests. Development teams are pressured to meet release schedules. They know they will eventually address security issues but may prefer to delay as long as possible.
Understand why introducing security and compliance is challenging:
• Security teams often lag behind cloud teams in understanding best practices and tools for security and compliance in these environments. Your cloud team may not want to fight organizational inertia or take the time to educate other teams.
• Traditional security processes are manual and don’t integrate into an automated DevOps process. They also don’t have the level of visibility into containers required for effective security. But teams may be asked to “try to use” them.
• Cloud teams may need time to get up to speed on security in a container and Kubernetes world. Many are still learning in this rapidly evolving space.
For some companies, the move to modern software development approaches is not mission critical. They feel they can delay container security until they move workloads that contain confidential data. This is the wrong mindset, however. Organizations that are counting on moving business-critical applications to containers should consider security and compliance policies, tools, and processes long before they plan to move them to production.
Security and compliance measures don’t have to slow development.
Clear direction from the executive team will reduce turf battles and minimize resistance. Once you’ve achieved alignment on embedding and automating security and compliance as part of the DevOps workflow, the implementation can be straightforward.
You can integrate image scanning into registries and your CI/CD tool chain so scans automatically execute. You can also enforce security policies and get alerts on potential threats without adding manual steps. You can trigger capture files for incident response and forensic investigations based on rules. You can feed alerts and event data directly into commonly used tools.
These strategies allow teams to efficiently manage security and compliance without disrupting their existing workflows. If you implement them correctly, security and compliance controls can help you manage risk in your container environment without slowing delivery.
Most businesses run on software, and speed of feature delivery is a key competitive lever. The cloud, containers, and DevOps are rapidly becoming mainstream. Your team should be skilled at developing, deploying, and securing applications using this new approach, or you could be left behind.