Now that containers are showing up with increased frequency in production environments, the challenges associated with securing those containers are becoming more apparent to developers and IT security teams alike. The latest 2.6 release of the Aqua Container Security Platform (CSP) from Aqua Security makes generally available runtime security software for containers running on both Windows and Linux.
Rani Osnat, vice president of marketing for Aqua Security, says that while most containers today run on Linux, use of containers on Windows and the Azure cloud is gaining momentum. As that occurs, organizations need a more robust approach to managing container security across multiple platforms, he says.
A new survey of 512 IT professionals conducted by Aqua Security finds that half are now running containers in a production environment. Osnat says the survey shows that DevOps teams today are most responsible for securing those containers, but that DevSecOps teams are expected to assume more of that responsibility over time.
The survey finds that 53 percent of respondents ranked vulnerabilities in images and code as a top security focus area. But when respondents who already have containers in production were asked the same question, Osnat says, managing secrets became the top issue. Managing secrets is a major challenge because the same credentials are often used to manage access to multiple containers, so anyone who obtains one credential, or any container that is compromised, can gain unintended access to other containers that share it. Managing all those secrets becomes even more challenging when containers are deployed across multiple platforms, adds Osnat.
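The shared-credential problem described above can be made concrete with a simple audit. The following Python script is an added example, not code from the article or from Aqua Security: it takes a constructed set of per-container environment lists (the shape mirrors the `Env` array that `docker inspect` reports, but the container names, variable names and values are made up here), flags any secret value that appears in more than one container, and reports which other containers a compromise of a given container would expose through those shared credentials. Matching secrets by variable name is a heuristic and is labelled as such in the code.

```python
"""Audit container environments for credentials shared across containers.

Added example; not part of the original article or of any vendor product.
The sample data below is constructed for illustration only.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample: one "Env" list per container, in the KEY=value form that
# `docker inspect` reports. Names and values are hypothetical.
SAMPLE_CONTAINERS = {
    "web-frontend":  ["PATH=/usr/bin", "DB_PASSWORD=s3cr3t-shared", "LOG_LEVEL=info"],
    "billing-api":   ["DB_PASSWORD=s3cr3t-shared", "STRIPE_KEY=sk_live_abc"],
    "reporting-job": ["DB_PASSWORD=s3cr3t-shared", "API_TOKEN=tok-unique-1"],
    "auth-service":  ["DB_PASSWORD=auth-only-pass", "JWT_SIGNING_KEY=kjwt"],
}

# Heuristic: treat a variable as a credential if its name looks like one.
# This is an assumption for the example; real deployments should tag secrets
# explicitly rather than rely on naming.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|KEY|CREDENTIAL)", re.I)


def extract_secrets(env):
    """Return {VAR: value} for env entries whose name looks like a credential."""
    secrets = {}
    for entry in env:
        name, sep, value = entry.partition("=")
        if sep and value and SECRET_NAME.search(name):
            secrets[name] = value
    return secrets


def fingerprint(value):
    """Short SHA-256 prefix so reports never echo the secret itself."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def find_shared_credentials(containers, min_containers=2):
    """Map each secret fingerprint to the variable names and containers that
    carry it, keeping only values seen in at least min_containers containers."""
    seen = defaultdict(lambda: {"names": set(), "containers": set()})
    for cname, env in containers.items():
        for var, value in extract_secrets(env).items():
            fp = fingerprint(value)
            seen[fp]["names"].add(var)
            seen[fp]["containers"].add(cname)
    return {
        fp: {"names": sorted(v["names"]), "containers": sorted(v["containers"])}
        for fp, v in seen.items()
        if len(v["containers"]) >= min_containers
    }


def blast_radius(containers, container_name):
    """Other containers reachable with credentials held by container_name:
    the set an attacker inherits by compromising that one container."""
    exposed = set()
    for finding in find_shared_credentials(containers).values():
        if container_name in finding["containers"]:
            exposed.update(finding["containers"])
    exposed.discard(container_name)
    return sorted(exposed)


def report(containers):
    """Human-readable summary of shared credentials (values are hashed)."""
    lines = []
    for fp, finding in sorted(find_shared_credentials(containers).items()):
        lines.append(
            f"secret {fp} ({', '.join(finding['names'])}) shared by "
            f"{len(finding['containers'])} containers: {', '.join(finding['containers'])}"
        )
    return "\n".join(lines) if lines else "no shared credentials found"


if __name__ == "__main__":
    print(report(SAMPLE_CONTAINERS))
    for name in SAMPLE_CONTAINERS:
        print(f"compromise of {name} also exposes: {blast_radius(SAMPLE_CONTAINERS, name)}")
```

In the constructed data, the one shared database password ties three otherwise unrelated containers together, while the container with its own credential has an empty blast radius; that difference is the argument for issuing one credential per workload. To run this against a real host, replace `SAMPLE_CONTAINERS` with the `Config.Env` arrays from `docker inspect` output; the audit itself does not need to change.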
To simplify that process, the latest version of Aqua CSP adds a centralized console through which administrators can assign different image assurance policies and controls to entire container-based pipelines. Aqua CSP 2.6 also supports the Security Content Automation Protocol (SCAP) to enable custom security and compliance checks on images, and administrators can now selectively turn on fine-grained auditing for specific processes.
Finally, Aqua has added enhanced machine learning controls that automatically profile Linux and Windows application activity and generate runtime security policies from the observed behavior.
Most IT organizations today still deploy containers on top of hypervisors, in part because of concerns over isolation. But as use of containers continues to expand, many of those same organizations will discover that they not only have more visibility into what is occurring from a security perspective in a container environment, but that the whole process of updating applications to eliminate vulnerabilities becomes much easier. The next major challenge will be putting in place the DevSecOps processes required to manage thousands of containers that are continuously being swapped out, both to add new functionality and to remediate security issues.
Naturally, that transition is not going to occur overnight. In fact, incorporating security professionals into DevOps processes represents a major cultural challenge at a time when most organizations are trying to ship more code than ever. Of course, it might prove easier to teach developers the nuances of IT security than to get IT security professionals to work hand in glove with developers.