Containers are growing in importance across more public-sector and commercial enterprises as they embark on cloud-native development projects. Security news about containers has been mixed so far, with developers and vendors looking for ways to improve container security.
Here are three strategies for securing your containerized applications.
1. Prepare Your Containers for Production
One strategy to start with is to set up a framework for preparing your containers for production. Container Journal points to container images as one of the four most vulnerable areas for container security in 2019, testifying to the vital nature of preproduction work on your containers. According to NeuVector, common sense steps for preparing containers include
- Hardening the container operating system by trimming all unnecessary modules and files plus keeping up with the latest security patches;
- Securing the container platform by using vendor best practices such as the Docker best practice guide;
- Preventing unauthorized access to your containers by using SE Linux or App Armor;
- Customizing and specifying your container security profiles;
- Scanning all your container registries for vulnerabilities regularly; and
- Digitally signing all your container images.
If containers are new to your operations team, then it’s time to document standard operating procedures detailing the preproduction steps teams must take to release containers into production. You should also appoint an owner of this preproduction phase and be prepared to cross-train other team members in the preproduction steps.
These and other preproduction practices relate better to a DevOps or DevSecOps environment, where you can set up gates to ensure that your teams prepare your containers for production that meet your enterprise security requirements.
2. Review Container Security During Your Entire Life Cycle
A move to agile techniques such as DevOps or DevSecOps makes it easy for your development teams to review container security at each phase of your software development life cycle. Just as my previous tip shows the critical work that needs to be done to prepare your containers for production, it’s essential to include container security reviews at each stage of your DevOps/DevSecOps life cycle. Granted, you should explore test automation whenever possible and where it makes sense in your continuous integration/continuous development workflow, but container security still requires human attention.
3. Apply Tools and Technology to Secure All the Container Layers
Containers add new levels of complexity to cloud application security. It’s not something you’re going to want your cloud and security teams securing without using a vendor tool to lock down your containers. These orchestration and security tools are a hot market right now, with open source and commercial vendors duking it out for market superiority.
One example of a tool used for container security is Kubernetes, an open source solution for automating the deployment, scaling, and management of containerized applications. A vibrant technology community is growing around this solution, with companies such as Google, VMware, and Nutanix using it as the foundation of their container orchestration and management solutions. Other companies such as Twistlock and Trend Micro are focusing their container security at the DevSecOps life cycle.
Container security tools are a hotly competitive and evolving market right now, so you owe it to yourself and your security posture to do your due diligence and conduct pilots and proofs of concept while on your road to deciding on a container security solution for your organization.
Container Security and Your Enterprise
As these tips show, it’s important not to let yourself get caught up in the market hype about containers and the advantages they offer your application delivery teams. Keep a strong security focus starting at preproduction and moving forward. You’ll get an edge on container security if you apply technology, tools, frameworks, and—above all—preparation to your containers in and out of production.