Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Good container security requires building a great partnership with IT operations, developers and security. This allows you to review the container environment and address security needs with design, deployment and visibility in mind.
You must also be sure to track metrics and document expectations before pushing out mandates, and engineers must receive the necessary training to ease the transition to the new process. This piece explains how to establish effective governance over containers,
including some top strategies and container security tools to consider.
The increasing push for faster development cycles has changed the way modern development teams focus on the build and release process, moving more toward an iterative and adaptive development methodology. While there can be several positive outcomes in
switching to these methods, some organizations find it challenging to integrate security standards into them, especially since those standards were designed around alternate, outdated methodologies, like the waterfall approach and traditional server
There is a common misconception that DevOps eliminates steps in the process. Instead, it is a way to introduce automation and gain optimizations, while keeping security and proper change control in place. Following this three-step container security best
practice blueprint will help get you there.
First, you need to clearly understand how the environment is deployed and who is managing which components. For example, the main features of Kubernetes (e.g., control plane, data planes and compute resources) can be deployed and managed by the organization,
handled as part of a cloud provider’s service – e.g., Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), Azure Kubernetes Service (AKS) – or a combination of both. To govern effectively, you need to understand
a clear path of responsibility for the various entities involved and deploy an effective measurement to each. Beyond that, best practice architecture incorporates:
Also, settings like runAsNonRoot, readOnlyRootFilesystem and seLinux allow you to minimize runtime permissions to the application. This largely depends on the applications and services you are running and what permissions they need, but if implemented,
they can provide added enforcement on appropriate application roles.
When it comes to configuring pod security, the first item on the list is reducing pod functionality to only what is necessary for the service running on the pod. Once you configure your system types and configurations, make sure they comply with a documented
standard, including taking recommendations from reputable vendors or industry groups. The Center for Internet Security (CIS) is an excellent example of this, and it has documentation directly applicable to Kubernetes.
You should implement a solid foundation of proper change control for your repositories, including both your code and container private repositories. This includes appropriate control of versioning, branching methodology and change ticket tracking. All
this should also be tied together with build, testing and release functions, as well as peer review/approvals. And ideally, all these functions should be linked together under a single view, using tools like Jira, GitHub, Jenkins, CircleCI, etc.,
to support transparency and full audit capabilities. This will help with your compliance activities to show a proper flow throughout your entire process.
There is no substitute for a substantive review from someone knowledgeable about the organization's baseline standard. This would include reviewing to ensure common baseline techniques are implemented, common security pitfalls are avoided, and good practices
around readability and error reporting and handling are applied. There can be some automation around this to check or enforce across the board, but the most effective is a manual review of changes with someone familiar with the organization's standard.
Usually this would come down to a peer or manager reviewing the changes, however, security may have input on new or material changes to the environment.
While deploying images to your various environments, you can employ static checks to ensure the configurations align with your typical security posture. Several open-source and commercial tools are available to select, depending on the container technology
you choose to deploy. Some examples for Kubernetes are kube-bench, KICS, Snyk, Prisma and Aqua. DevOps engineers can integrate these tools into your deployment pipelines to allow developers and release managers to address issues independently.
At this point, everything is set up, configured appropriately and deployed to production. Now comes the obligation to ensure the configuration does not drift from the expected security configuration. Additionally, mechanisms to support issue investigation
must be set up to provide a rapid response and evaluation of problems once they are discovered. Best practices here include:
Additionally, organizations can install monitoring capabilities on the deployed containers. A popular open-source tool for this is Falco, an intrusion prevention tool most notably for a Kubernetes environment.
READ: Challenges of Container Security (And How to Do It Right)
While there is a need to focus on automation of security tasks within the DevOps methodology, this can be achieved by planning and enforcing the release process and proper configuration management. In the end, DevOps can achieve even better alignment
with security goals, because container environments can implement security checks in an automated fashion that does not let code promote to the next stage without remediation tasks happening. To ensure your container environment remains secure:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
November 30, 2023
By IANS Research
CISOs, find guidance on what to focus on within the first 30 days, 6 months and first year of your tenure to ensure a fast, successful start.
November 28, 2023
Use this checklist of best practices, designed to help CISOs and cybersecurity leaders protect their organizations and avoid SEC compliance missteps.
November 21, 2023
Access key data sets from the 2023 edition of IANS and Artico Search’s Security Organization and Compensation Benchmark Report. Gain valuable insights on functional leadership compensation to hire and retain top security talent.