Securing Containers With Zero-Trust Tools

As container environments grow in complexity, securing them requires a different approach. Container security must consider everything from the applications running in containers to the infrastructure on which those containers run.

The security of the base image is critical to ensure that any derived images are trustworthy. Building security into a container pipeline involves starting with trusted images, managing access with a private registry, integrating security tests to automate deployments and continuously securing the infrastructure.

Containers are different from virtual machines (VMs) and require different security policies. Container orchestrators should be configured to define security policies for containers and only enable communication that is absolutely necessary.

It might seem more important to monitor ingress and egress traffic (north-south) than traffic flowing between containers (east-west), or even between applications within the same container. However, all these traffic flows are important. Malicious traffic inside a container cluster indicates that some component of the architecture has been breached, which has far-reaching implications.

Securing Containers With ZTNA

Zero-trust network access (ZTNA) is considered a basic building block of a zero-trust architecture. In the context of containers, ZTNA is a way to control and enforce secure access within and between container networks.

Containers manage networks in a variety of ways. For example, Docker uses network address translation (NAT) to manage network address information for containers and hide the complexity of the network. However, this means a container’s IP address is different from the host IP address.

There are several common options for implementing container networking:

  • Container subnets can be isolated from the main network, allowing for easier migration between platforms. 
  • Bridging means that all containers operate on the same network with a consistent set of IP addresses. This creates improved visibility of the underlying network, with hosts and containers connecting to the same network side by side.
  • Overlay networks allow containers to communicate efficiently and easily with other containers, creating a more decentralized network. In this case, an entire unit containing multiple containers (such as a pod in Kubernetes) can move between physical hosts as needed.

Container networks are customizable, but their complexity makes it difficult to create policies for firewalls and other security tools. Consider a database running in a container on a firewalled host. If an attacker manages to gain access to another host that communicates with that database, the database will implicitly trust that host, allowing the attacker to move laterally and compromise the database. The firewall has no way to verify that a host, user or application really can be trusted. 

Organizations can use a zero-trust security model to ensure secure communication between containers and microservices. In a containerized environment, the zero-trust model has several key principles:

  • There is no implicit, mutual trust between containers. Instead, mandatory authentication is required to prevent cyberattackers from laterally moving from an infected container to another. Attackers should not be able to discover or easily connect to other containers in a cluster or network.
  • Code and infrastructure are hosted with local server certificates. Logs provide a record to help troubleshoot when a network security incident occurs.
  • Identity and access management (IAM) and other security policies identify users and service accounts and implement time-based, context-based and role-based controls to prevent intrusion by internal and external attackers.
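
The database scenario and the principles above can be modeled in a few lines. This is an added illustration, not code from the original article: it contrasts a firewall decision based on source address with a default-deny decision based on verified identity, role and time. The subnet, service names, role and access window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample values: subnet, service names, roles and hours are assumptions.
FIREWALL_ALLOWED = ip_network("10.0.1.0/24")  # hosts the database firewall trusts

@dataclass(frozen=True)
class Rule:
    identity: str   # authenticated workload identity, e.g. a certificate subject
    role: str
    target: str
    port: int
    start: time     # access window (time-based control)
    end: time

@dataclass(frozen=True)
class Request:
    source_ip: str
    identity: Optional[str]  # None: the peer presented no verifiable credential
    role: Optional[str]
    target: str
    port: int
    at: time

POLICY = [Rule("svc-orders", "db-reader", "orders-db", 5432, time(6), time(22))]
AUDIT = []  # decision log, kept for incident troubleshooting

def firewall_allows(req: Request) -> bool:
    """Perimeter model: network location is the only thing checked."""
    return ip_address(req.source_ip) in FIREWALL_ALLOWED

def zero_trust_allows(req: Request, policy=POLICY) -> bool:
    """Default deny: identity, role, target, port and time must all match a rule."""
    reason = "no matching rule"
    if req.identity is None:
        reason = "unauthenticated"
    else:
        for r in policy:
            if (r.identity, r.role, r.target, r.port) != (
                    req.identity, req.role, req.target, req.port):
                continue
            reason = "allowed" if r.start <= req.at <= r.end else "outside access window"
            break
    AUDIT.append((req.source_ip, req.identity, req.target, reason))
    return reason == "allowed"

# Same compromised host, two callers: the real service and an attacker's process.
service = Request("10.0.1.20", "svc-orders", "db-reader", "orders-db", 5432, time(14))
lateral = Request("10.0.1.20", None, None, "orders-db", 5432, time(14))
```

Both sample requests pass `firewall_allows`, because they originate from the same trusted host; only `service` passes `zero_trust_allows`, and each decision is recorded in `AUDIT` with its reason.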

With ZTNA, users attempting to connect to an organization’s applications can connect only if they need that access to perform an action. This significantly reduces network security threats, including unauthorized access, account takeover and lateral movement.

Implementing ZTNA in a containerized environment can enable any component—including hosts, containers and container orchestrators—to continuously verify connections from other entities. ZTNA does not require major network redesign: It can be deployed either as a standalone solution built into an existing network infrastructure or as part of a broader security framework that replaces VPN with software-defined wide area network (SD-WAN) or SASE (see below).

Securing Containers With SASE

Secure access service edge (SASE) is a new cloud-based network security model introduced by Gartner. It combines networking and security solutions into a unified cloud platform which requires little or no hardware or equipment. SASE platforms include ZTNA, SD-WAN, cloud access security brokers (CASB) and firewall-as-a-service (FWaaS).

This unified platform simplifies secure access to critical resources and networks, both on-premises and in the cloud. It enables IT security teams to easily connect to and secure all networks and users in an agile and scalable manner.

SASE helps secure interactions within containerized applications and between container clusters and other resources, reducing the burden on DevSecOps teams. DevOps and DevSecOps teams can use ZTNA to further secure environments by continuously verifying all interactions between applications, containers and hosts. With SASE, attackers cannot compromise a container or microservice and quickly escalate privileges to compromise the cluster. 

The SASE model also helps protect sensitive data and support compliance requirements. It does this by obfuscating traffic, restricting access per the zero-trust approach and securing all entry points with next-generation firewall (NGFW) technology. It also continuously checks all internal application traffic for threats.

SASE allows teams to integrate advanced security technologies into the container network stack, allowing all security services to share a single integration context. This bridges gaps in traditional security architectures, which were frequently exploited by threat actors. 

With SASE, security controls built into the network fabric instantly block many attack vectors and support incident response efforts. SASE also increases visibility into security incidents and anomalies occurring in hybrid environments.

Integrating SASE security solutions into security information and event management (SIEM) systems gives incident responders greater visibility into the anomalous traffic and automated security actions performed by SASE systems.

Conclusion

In this article, I explained the basics of container security and showed how two cutting-edge technologies, inspired by the zero-trust security movement, are taking it to the next level:

  • ZTNA allows organizations to enforce secure communication between containers and microservices with flexible, centralized security policies that are not dependent on the container environment itself. 
  • SASE allows organizations to embed security measures into the network fabric itself, ensuring that wherever containers run, they are inherently secure when they connect to the network. 

I hope this will be useful as you transition your container environments to a zero-trust security model.

Gilad David Maayan

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.
