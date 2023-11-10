As enterprise software containers become more important for running applications smoothly on the cloud, keeping them secure has become a growing problem.

And as more workloads grow on these containers, using container cluster management software Kubernetes, they need better tools, more specific knowledge of their potential exploits, and more automation techniques that can still handle their complexities and nuances. Inventions are being made for.

Containers have been around for more than a decade, and businesses have readily adopted them because they provide flexibility and are easy to create and discard for specific tasks. They combine the best features of cloud-based virtual machines with lightweight and reusable code that is quick to develop and deploy.

A recent survey from SpectroCloud found that 83% of those interviewed had two to more than 10 container collections spread across managed services like Amazon Web Services’ Elastic Kubernetes service or a variety of tools like Red Hat OpenShift or were hosted on others. Platform. And 14% of those surveyed have more than 100 clusters, which simply means there is room for growth for the remaining 86%.

“In the last year we’ve really seen enterprises really start to migrate their workloads to cloud native architectures because they have better performance,” Martin Mao, chief executive of container security vendor Chronosphere, told SiliconANGLE Media’s Video Studio Cube. Application observability.” , said during the KubeCon + CloudNativeCon conference this week.

A new Kubernetes security report from Wizz Inc. released Wednesday analyzed more than 200,000 cloud accounts and found that attackers are becoming adept at moving back and forth between container clusters and cloud accounts. They found that attacks are so attuned to container creation that it takes less than three hours for a typical malicious exploit to find them – and in some cases only minutes.

Some clusters isolate their network traffic, and lack other security controls. “However, as Kubernetes adoption grows, so do the security risks,” the authors wrote in their report. They cite privilege escalation and lateral network movement within a Kubernetes cluster as two major security risks. They have been well-known in the networking world for decades and have a variety of tools to detect, defend against, and deploy for proper security. This is a sign that container security is still in its infancy.

The many dimensions of maintaining container security

But this popularity also comes with a dark side, meaning that securing containers and their clusters is a much more difficult problem than setting up security for other resources with greater durability, such as web or database servers. This is due to several dimensions that security containers require:

Many applications use dozens or hundreds of containers and a mix of open- and closed-source projects. This puts pressure on developers to understand how to orchestrate containers and ensure appropriate security controls are built in, and how they must deploy runtime application security to continually scan their code. Orchestration and runtime security have both been available for years for generalized cloud applications, but they require additional features to secure container use.

Securing build and development environments and code pipelines will stretch already fragile software supply chains. Given the building block nature of containers, this means that developers need to be able to enforce image source integrity controls and track supply chains such as software used to track bill of materials. Although this doesn’t seem too difficult, Emily Fox, software engineering lead for emerging technologies for security at Red Hat, told Cube this week that “a lot of organizations don’t necessarily understand how they should be using these bills of materials. And Software supply chain security is really driving a lot of the zero-trust conversation that’s coming to the forefront now, because it’s not necessarily just about signing and verification, it’s actually understanding what happened in the build. And you can make decisions about whether you have that information.”

Another problem is that it is now time for development and security teams to work together to meet both their needs. “Developers have a lot on their plate now, and they’re thinking about building apps first, and not all the operational and security concerns,” Joe Fernandes, vice president and general manager of hybrid platforms at Red Hat, told Cube. This was echoed by Melinda Marks and Paul Nashawaty of Enterprise Strategy Group, who wrote in a June 2023 blog post on Search Security: “Security professionals need to understand the development process to ensure greater productivity and scale. Security can be modernized to support the efforts. ,

However, there is some hope: Last year Kirsten Newcomer, director of cloud and DevSecOps at Red Hat, told SiliconANGLE that “the Kubernetes paradigm requires the involvement of both teams. Indeed, in some ways, it requires the involvement of developers in things like network policy.” compels participation [software-defined network] layer.”

Fixing container security won’t be easy

If all this seems overwhelming, a good starting point is Sysdig Inc. , which has long been a leader in container security. It has a series of excellent tutorials – using its software as an example, of course – that take developers through some common security use cases, such as auditing runtime code for strange behavior. ,Conducting forensic analysis and investigating vulnerabilities. The company also offers its open-source tool Falco and the commercial tools Monitor and Secure, which are for image scanning and vulnerability monitoring.

Next, enterprise security managers should carefully examine what security services are available from the major cloud platform providers. One issue is that these tools are more general purpose and were not originally designed for containers. But all providers are busy adding container features to services like Microsoft Defender for the Cloud, Google Kubernetes Engine, Google Cloud Security Command Center, and Amazon Inspector, Fargate, and GuardDuty.

Speaking of Amazon, it recently posted a very detailed explanation on how to use its various container security service offerings. This is certainly necessary, as its different tools have very different security models and use cases, making them even more difficult to implement without spending too much time reviewing the documentation.

Then there are various container specific products, such as Aless, which does dynamic credential secret management. It provides timely access to containers to facilitate machine-to-machine communication. Given the ephemeral nature of containers, this approach will become increasingly important for securing and managing their credentials.

Another tool to look at are open-source projects dedicated to open telemetry. This week’s KubeCon conference had 15 sessions dedicated to its use, showing its importance.

The two biggest areas of innovation relate to observability and orchestration, and opportunities to automate both to handle large numbers of containers as they enter and leave the computing environment. For the former, Silium has become the de facto building block for cloud-native network infrastructure. This software is central to efforts to bring supply chain security visibility and enforcement closer to the Linux kernel that sits at the heart of most containers.

Tetragon, a Cilium project for runtime network observability, recently came out with its v1.0 release, showing how this particular security segment is maturing.

In the orchestration area, Cast AI Group Inc. Last year it came up with its own tool to reduce the cost and automate the provisioning of Kubernetes. There are other tools that do this from major cloud providers as well.

Some longtime cloud security providers have expanded into container security, such as AlertLogic, which has added container security to its managed detection and response product line.

One area to watch is the continued pace of mergers and acquisitions in this market sector. For example, Red Hat bought StackRox and renamed it Advanced Cluster Security for Kubernetes, Cisco Systems Inc. bought Portshift and rebranded it as Panoptica’s Attack Path Engine, VMware Inc. bought Octarin and its Features folded its own Carbon Black, and was acquired by Rapid7 Inc. Alcide.IO Ltd. Additionally, F5 Networks Inc. Acquired Threatstack, Weaveworks Inc. acquired Magalix Corp and Tenable acquired Flawcheck and added it to its container image scanner that leverages its Nessus security expertise.

Most of those companies still offer the original open-source versions in addition to integration into their proprietary security lines. This means corporate developers can try something before they buy.

One bright spot in this landscape are providers that are beginning to integrate their disparate tool sets and collaborate to cover more of the container waterfront. One example: this week’s announced partnership where a cloud runtime threat identified by SentinelOne Inc. is related to vulnerabilities found by Snik Ltd. in container images. This makes sense, because every enterprise needs both general cloud security as well as container-specific security.

Finally, Viz’s latest report recommends what it calls playing zone defense. “Instead of reactively adding security controls for every potential attack vector, security managers should proactively cover the weakest points and use comprehensive security options as a backup shield.” Still, it may be easier to dunk the ball beyond the foul line than to secure those possessions.

