Containing Container Security Threats

As cloud adoption and digital transformation increase, more of the application workloads that handle sensitive data are running in containers. This is why effective container security controls that securely manage application connectivity are an absolute must.

What is Container Security?

Now more than ever, organizations are adopting container technology. Instead of powering up servers and instances in the cloud, they are using containers to run business applications. Securing these is just as important as securing the other digital assets the business depends on. There are two main pillars to think about:

  • The code: You want to be able to scan container images and verify that they run legitimate, trusted code without known vulnerabilities, and that the image you scanned is the image that actually runs.
  • The network: You need to control what the container can connect to and what can connect to it, whether the other side is in the same cluster, in another cluster, or in a different part of the network.
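The "code" pillar usually ends up as an admission gate: a scan report for the image is evaluated before the container is allowed to start. The following is an added example written for this page, not code from the original post or from AlgoSec. It assumes a simplified report schema (loosely modelled on common scanner JSON output) and a constructed sample report with placeholder finding IDs; both are assumptions, not real scanner data. The policy it enforces is the practitioner's usual one: the image reference must be pinned by digest, and any CRITICAL or HIGH finding that already has a fix blocks the image, while unfixable findings are recorded rather than silently ignored.

```python
"""Admission gate for the 'code' pillar: may this container image run?

Added example, not code from the original post or from AlgoSec. The report
schema is a simplified shape loosely modelled on common scanner JSON output,
and the sample report is constructed; treat both as assumptions.
"""
import json
import re

# Only a digest-pinned reference guarantees that the bytes that were scanned
# are the bytes that will run; a mutable tag such as ':latest' does not.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def build_report(image, findings):
    """Assemble a report in the simplified (assumed) schema from constructed data."""
    return json.dumps({
        "ArtifactName": image,
        "Results": [{"Target": image, "Vulnerabilities": findings}],
    })


# Constructed sample report; the VULN-* identifiers are placeholders, not real CVEs.
SAMPLE_REPORT = build_report(
    "registry.example.internal/payments/api@sha256:" + "a" * 64,
    [
        {"VulnerabilityID": "VULN-0001", "PkgName": "libexample",
         "Severity": "CRITICAL", "FixedVersion": "1.2.4"},
        {"VulnerabilityID": "VULN-0002", "PkgName": "libother",
         "Severity": "HIGH", "FixedVersion": ""},
        {"VulnerabilityID": "VULN-0003", "PkgName": "libminor",
         "Severity": "LOW", "FixedVersion": "0.9.1"},
    ],
)


def evaluate_image(report_json, block_severities=("CRITICAL", "HIGH")):
    """Return an admission decision for the image described by the report.

    Policy: the image must be digest-pinned, and it must carry no finding of a
    blocking severity for which a fixed package version already exists.
    Blocking findings with no fix yet do not block on their own, but are
    returned under 'unfixed_blocking' so they can be tracked and compensated
    for (for example by tighter network controls) instead of being ignored.
    """
    report = json.loads(report_json)
    image = report.get("ArtifactName", "")
    findings = [v for r in report.get("Results", [])
                for v in (r.get("Vulnerabilities") or [])]

    reasons = []
    if not DIGEST_RE.search(image):
        reasons.append("image reference is not pinned by digest")
    for v in findings:
        if v["Severity"] in block_severities and v.get("FixedVersion"):
            reasons.append(f"{v['VulnerabilityID']} ({v['Severity']}) in "
                           f"{v['PkgName']}, fixed in {v['FixedVersion']}")
    unfixed = [v["VulnerabilityID"] for v in findings
               if v["Severity"] in block_severities and not v.get("FixedVersion")]
    return {"image": image, "allowed": not reasons,
            "reasons": reasons, "unfixed_blocking": unfixed}


if __name__ == "__main__":
    print(json.dumps(evaluate_image(SAMPLE_REPORT), indent=2))
```

Run as a script it prints the decision for the sample report: blocked, because VULN-0001 is CRITICAL and a fixed version exists, with VULN-0002 listed as an unfixed HIGH to track. Re-running the same report under a tag such as `:latest` adds a second reason, since a tag says nothing about which bytes were scanned.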

How critical is container security to managing application connectivity risks?

To understand the role of container security within the overall view of network security, there are three points to consider.

First, if you’re only concerned with securing the containers themselves, then you’re looking at nanosegmentation, which involves very granular controls inside the application, between the individual workloads that make it up.

Second, if you’re thinking about a slightly wider scope, then you may be more concerned with microsegmentation, where you segment between clusters or between servers in a single environment. Here you will want to enforce security controls that determine the allowable communication between specific endpoints at specific levels.

Finally, if the communication needs to go further, from a container inside one cluster within one cloud environment to an asset that’s outside the data center, then it may need to pass through broader segmentation controls such as zoning technologies, security groups or a firewall at the border.

So, there are several layers at which you can place network security policies. When you look at a particular connectivity request (say, for a new version of an application) from the point of view of a given container, ask yourself: What is the container connected to? What is it communicating with? Where are the other sides of that connectivity placed?

Based on that determination, you will then know which security controls you need to configure to allow that connectivity through the network.
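The three questions above reduce to a classification: locate the other side of the connection and the layer that must be configured follows. The code below is an added example for this page, not code from the original post or from an AlgoSec product; it serves both the "network" pillar listed earlier and the layering discussion here. The endpoint model, the constructed sample endpoints, and the use of the three layer names from the text as return values are assumptions for illustration. For the intra-cluster (nanosegmentation) case it also generates the concrete control: a Kubernetes default-deny NetworkPolicy for the destination namespace plus a single allow rule for the requested source, port and protocol, produced as data so it can be committed and applied like any other infrastructure-as-code artifact.

```python
"""Which control layer governs a container's connectivity request?

Added example, not code from the original post or from an AlgoSec product.
The endpoint model, the sample endpoints and the generated policy shape are
assumptions for illustration; the layer names come from the text.
"""
import json
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """One side of a connection. cluster is None for anything not containerized."""
    name: str
    cloud: Optional[str]                 # e.g. "aws"; None for on-premises
    datacenter: str                      # region or site
    cluster: Optional[str] = None
    namespace: Optional[str] = None
    labels: Tuple[Tuple[str, str], ...] = ()


def control_layer(src: Endpoint, dst: Endpoint) -> str:
    """Where is the other side, and therefore which control layer applies?"""
    if src.cluster is not None and src.cluster == dst.cluster:
        return "nanosegmentation"   # workload-to-workload inside one cluster
    if src.cloud == dst.cloud and src.datacenter == dst.datacenter:
        return "microsegmentation"  # another cluster or server in the same environment
    return "border"                 # leaves the environment: security groups, zoning, perimeter firewall


def default_deny(namespace: str) -> dict:
    """NetworkPolicy that drops all ingress to pods in a namespace until explicitly allowed."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-ingress", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    }


def allow_policy(src: Endpoint, dst: Endpoint, port: int, protocol: str = "TCP") -> dict:
    """NetworkPolicy allowing only src -> dst:port; the nanosegmentation control for one request."""
    if control_layer(src, dst) != "nanosegmentation":
        raise ValueError("not an intra-cluster request; a NetworkPolicy alone cannot enforce it")
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"allow-{src.name}-to-{dst.name}", "namespace": dst.namespace},
        "spec": {
            "podSelector": {"matchLabels": dict(dst.labels)},
            "policyTypes": ["Ingress"],
            "ingress": [{
                "from": [{
                    # kubernetes.io/metadata.name is set automatically on every namespace
                    "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": src.namespace}},
                    "podSelector": {"matchLabels": dict(src.labels)},
                }],
                "ports": [{"protocol": protocol, "port": port}],
            }],
        },
    }


# Constructed sample endpoints (names, regions and clusters are made up).
API = Endpoint("api", "aws", "eu-west-1", "prod-eu", "payments", (("app", "api"),))
DB = Endpoint("db", "aws", "eu-west-1", "prod-eu", "payments", (("app", "db"),))
CACHE = Endpoint("cache", "aws", "eu-west-1", "shared-eu", "infra", (("app", "redis"),))
LEDGER = Endpoint("ledger", None, "dc-london")   # legacy system, not containerized


def plan(requests):
    """For each (src, dst, port) request, record which layer has to be configured."""
    return [(src.name, dst.name, port, control_layer(src, dst)) for src, dst, port in requests]


if __name__ == "__main__":
    for row in plan([(API, DB, 5432), (API, CACHE, 6379), (API, LEDGER, 443)]):
        print(row)
    print(json.dumps([default_deny("payments"), allow_policy(API, DB, 5432)], indent=2))
```

The three sample requests land in the three layers in turn: api to db stays inside one cluster and is enforced by the generated NetworkPolicy pair; api to the shared cache crosses clusters within the same region and needs microsegmentation between clusters; api to the on-premises ledger leaves the cloud environment and needs border controls. Note that the allow rule is only meaningful together with the default-deny policy: without it, a namespace with no NetworkPolicy selecting a pod allows all traffic to that pod.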

How does containerization correlate with app-centric security policy management?

There are a number of different aspects to the relationship between container security and application security. If an application uses containers to power up workloads, then container security is very much an integral part of application security.

When you’re adding new functionality to an application, powering up additional containers, or asking containers to perform new tasks that require them to connect to additional assets, then the connectivity of those containers needs to be secured. And the security controls need to be adjusted based on what the application needs them to do.

Another factor in this relationship is the structure of the application. All the containers that run and support the application are often located in one cluster or one microsegment of the network. So, much of the communication takes place inside that cluster, between one container and another. However, some of it can go to another cluster or to something that’s not even containerized. This is actually a good thing from an application point of view, as the container structure can be used to understand the application structure as well.

Everything you need to know about container orchestration

Container orchestration is part of a bigger orchestration play which, in general, is related to the concept of infrastructure-as-code. You want to be able to power up an environment with all the assets it requires, have them function together, and duplicate the whole thing on demand.

There are various orchestration technologies that can deploy security policies together with the containers, which is an excellent way to maintain container-based applications in a consistent and repeatable manner. Then if you need to double the environment, or multiply it by 100, you get cookie-cutter copies of the same thing, policies included.

How will container security solutions play out in the future?

Organizations today have the technology to enforce security controls at the container level, but these controls are very granular and it’s time-consuming to set policies and enforce them, particularly with issues like staff or skills shortages.

Looking ahead, companies are likely to take a hierarchical view where container-based security is controlled at the application level by app owners or developers, and at the broader levels to ensure that the measures deployed throughout the network have the same degree of sophistication. Procedures and tooling are all evolving, so we don’t have a definitive answer as to how this will all end up. What are organizations going to be doing? Where will they place their controls? Who has the power to make the changes?

When newer technologies are deployed, customer adoption will be crucial to understanding what makes the most sense. This will be interesting as there will be multiple scenarios to help companies master their security blueprint as we move forward.

Avishai Wool

Professor Avishai Wool co-founded AlgoSec in 2004 and has served as its CTO since its inception. Prior to co-founding AlgoSec, he co-founded Lumeta Corporation in 2000 as a spin out of Bell Labs, and was its Chief Scientist until 2002. At Lumeta, Professor Wool was responsible for transforming the firewall analyzer technology he helped develop at Bell Labs into a commercial product. Earlier, Professor Wool was a technical staff member at Bell Labs' Secure Systems Research Department, where he led a team of researchers who created the first research prototypes for the firewall analyzer. He has published more than 110 research papers and holds 13 US Patents, and has served on the program committee of the leading IEEE and ACM conferences on computer and network security. Professor Wool has a B.Sc. (Cum Laude) in Mathematics and Computer Science, and an M.Sc. and Ph.D. in Computer Science.