Containers and Kubernetes are table stakes for multi-cloud app development, and they’re also among the least protected of any areas of software supply chains. Kubernetes commands 92% of the container orchestration platform market, despite DevOps teams seeing it as a less secure container platform to use. It’s become the de facto standard for container platforms due to its portability, open-source architecture, ease of use and scalability.
The Cloud Native Computing Foundation's recent Kubernetes report found that 28% of organizations have more than 90% of workloads running in insecure Kubernetes configurations. The majority of workloads, more than 71%, are running with root access, increasing the probability of system compromises and sensitive data being exposed. Many DevOps organizations overlook setting readOnlyRootFilesystem to true, which leaves their containers open to attack and to having unauthorized executables written into them.
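The two settings in the CNCF figures above, root access and a writable root filesystem, are both expressed in a Pod's securityContext. The following is an added example, not code from the article or from the CNCF: a small audit function over a Pod spec (held as a Python dict mirroring the v1 Pod YAML fields) that reports containers that may run as root, have a writable root filesystem, allow privilege escalation or are privileged. The weak and hardened Pod specs, the image names and the UID 10001 are constructed for illustration. The function also handles the detail that runAsNonRoot and runAsUser can be set at Pod level and overridden per container, while readOnlyRootFilesystem, allowPrivilegeEscalation and privileged exist only at container level.

```python
# Added example (not from the article): audit a Kubernetes Pod spec for the
# misconfigurations the CNCF figures describe. Pod specs below are constructed.

def _effective(container, pod_ctx, field):
    """Container-level securityContext wins; otherwise the Pod-level value applies."""
    c_ctx = container.get("securityContext") or {}
    if field in c_ctx:
        return c_ctx[field]
    return pod_ctx.get(field)


def audit_pod(pod):
    """Return a list of (container name, finding) tuples; an empty list means clean."""
    findings = []
    spec = pod["spec"]
    pod_ctx = spec.get("securityContext") or {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c["name"]
        c_ctx = c.get("securityContext") or {}
        run_as_non_root = _effective(c, pod_ctx, "runAsNonRoot")
        run_as_user = _effective(c, pod_ctx, "runAsUser")
        # runAsUser 0 is root whatever the image says; without runAsNonRoot: true
        # the kubelet will happily start an image whose USER is root.
        if run_as_user == 0 or (run_as_user is None and run_as_non_root is not True):
            findings.append((name, "may run as root"))
        # The next three fields are container-level only in the Pod API.
        if c_ctx.get("readOnlyRootFilesystem") is not True:
            findings.append((name, "root filesystem is writable"))
        if c_ctx.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "privilege escalation not disabled"))
        if c_ctx.get("privileged") is True:
            findings.append((name, "privileged container"))
    return findings


# Constructed: the default shape most Deployments ship with. Nothing is set,
# so the container inherits root from the image and a writable root filesystem.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]},
}

# Constructed: the same workload with the usual hardening. The process gets a
# tmpfs for the one path it must write to, so the root filesystem can stay read-only.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "web",
            "image": "nginxinc/nginx-unprivileged:1.25",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod))
```

Running the same function over every manifest in a repository before it is applied is a cheap way to keep the percentage of root and writable-root-filesystem workloads from creeping up; the check is deliberately strict about absent fields, because "not set" is what produces the insecure default.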
Containers are the fastest growing – and weakest link – in software supply chains
Gartner predicts that by 2029, more than 95% of enterprises will be running containerized applications in production, a major jump from less than 50% last year. In five years, 35% of all enterprise applications will run in containers, and more than 80% of commercial off-the-shelf (COTS) vendors will offer their software in container format, up from less than 30% last year. Containers and their orchestration platforms are dominating DevOps and DevSecOps across enterprises creating cloud apps, and it’s going to accelerate.
Containers are among the weakest links in software supply chains, however. From misconfigured cloud, container, and network configurations to confusion over who owns container security over the lifecycle of a project, organizations are struggling to get container security under control. Attackers are capitalizing on the disconnects by exploiting growing vulnerabilities in container images, runtimes, API interfaces and container registries. Unsecured containers with light identity security, if any at all, are a goldmine for insider attackers, too.
When container images aren't secure, attackers can quickly move beyond the initial threat surface and breach entire networks and infrastructures. Most attacks go unidentified for an average of 277 days, and longer still where an organization's monitoring is ineffective.
Ten ways securing containers can save supply chains
From image vulnerabilities to insecure container runtime configurations and vulnerabilities in runtime software, containers often fail due to weak or inconsistent configuration. There is no single solution on the market that solves all these challenges; it takes change management in DevOps, DevSecOps and software engineering to help improve container security.
A good place to start is with NIST’s Application Container Security Guide (NIST SP 800-190). It provides an in-depth assessment of the potential risks related to containers and provides practical recommendations for reducing their risks. According to NIST, “The use of containers shifts much of the responsibility for security to developers, so organizations should ensure their developers have all the information, skills, and tools they need to make sound decisions.” NIST recommends that security teams be enabled to define and execute quality throughout the development cycle.
- Get container-specific security tools in place first. Define an affordable, workable roadmap of security tools purpose-built to protect containers if one is not already in place. Security teams should start with tools designed to manage vulnerabilities, enforce access controls and ensure compliance. Examples include Red Hat's Clair for vulnerability scanning, Anchore for Kubernetes image scanning and analysis, and OpenSCAP for compliance checks.
- Enforce strict access controls. For any organization pursuing a zero-trust framework, enforcing the least privileged access to every container is essential for reducing the risk of a breach. That especially applies to admin access rights and privileges. CrowdStrike’s Falcon Cloud Security, Ivanti’s Identity Director and Portnox’s cloud-native NAC solution are some of the vendors that offer solutions in this area.
- Regularly update container images. As is the case with any enterprise system or DevOps component, keeping security updates current is critical. Watchtower, which automates Docker image updates; Podman, which manages OCI-compliant containers; and Google Cloud's Artifact Registry, which allows adding new images, provide tools to help platform teams ensure their images are updated and secure. Many DevOps and DevSecOps teams are automating security updates to make sure they never miss one. To be sure images are secure, it's a good idea to get in the habit of performing audits periodically.
- Automate security in CI/CD pipelines. Start integrating automated security checks into CI/CD pipelines if they’re not already there to identify vulnerabilities early. It’s a good idea to use container-specific tools for static code analysis and runtime scanning. Always check to make sure images are from trusted registries. Alert Logic, known for real-time threat detection and incident response; Anchore, for its container image vulnerability management; and Aqua Security, recognized for comprehensive container security, are three vendors who are noteworthy in this area.
- Conduct thorough vulnerability scanning. Any workflow aimed at securing containers needs to include periodic vulnerability scans of container images and registries. The goal of these scans is to identify security risks and prevent the deployment of vulnerable containers. Key vendors providing vulnerability scans include Aqua Security, Qualys, recognized for compliance and vulnerability management, and Sysdig Secure, noted for its Container Runtime Defense and Cloud Native Application Protection Platform capabilities.
- Manage secrets effectively. Getting secrets management right is a core area of keeping containers safe. Breaches have happened because plaintext secrets made their way into container images. It's essential to use container image signatures for enhanced security, ensuring images are verified and trusted. It's also advisable to use provenance verification tools to help secure the software supply chain, maintaining the integrity and authenticity of software components.
- Isolate sensitive workloads. For organizations pursuing zero-trust frameworks, the concept of segmentation is part of their natural reflex. The same reflex should apply when securing containers. Isolate containers based on how sensitive and confidential the data is. Vault container content with layers of identity access management (IAM) and privileged access management (PAM). Go all in on securing workloads through segmentation that can adapt and flex as quickly as container and Kubernetes workflows change.
- Use immutable infrastructure. The concept of an immutable infrastructure is the idea that once servers are deployed, they are never modified. If updates or fixes are needed, new servers are created and provisioned from a common image with the new additions or changes, replacing the old ones. AWS Fargate, Docker and Google Kubernetes Engine are leaders in providing container and Kubernetes-based immutable infrastructure.
- Implement network policies and segmentation. Gaining greater visibility into how network traffic is flowing through a network provides invaluable data that is needed for getting segmentation right. It’s also invaluable for defining security constraints and provides telemetry data that leading vendors are looking to use to train their large language models (LLMs). Leading vendors include AlgoSec, Cisco and Check Point Software Technologies. Each of these companies provides apps and tools for maintaining compliance, enforcing policies and managing security operations.
- Implement advanced container network security. Securing containers means going beyond the container itself: identify where network integration points could fail or be compromised by attackers, and protect those access points across networks. Cisco, CrowdStrike, Ivanti, Palo Alto Networks and VMware/Broadcom all provide advanced container network security as part of their platforms. Getting advanced container network security right will take an integrated approach, and chances are a single vendor won't be able to scale for the more complex network configurations enterprises have.
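Two of the practices above, the CI/CD check that images come from trusted registries and the warning against plaintext secrets ending up in container configuration, can be enforced together as one pipeline gate. The following is an added example, not code from the article or from any of the vendors it names. It parses image references using the Docker convention (the first path component is a registry only if it contains a dot or colon or is "localhost", otherwise the image lives on docker.io), requires a digest pin so the image that was scanned is the image that runs, and flags environment variables with secret-looking names that carry a literal value rather than a valueFrom reference to a Kubernetes Secret. The registry allowlist, the sample Pods and the secret-name pattern are constructed assumptions.

```python
# Added example (not from the article): a CI/CD admission gate over a Pod spec.
# The allowlist, sample Pods and regex are constructed for illustration.
import re

TRUSTED_REGISTRIES = {"registry.example.internal", "ghcr.io"}  # constructed allowlist
SECRET_NAME_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.IGNORECASE)


def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest).

    Follows the Docker rule: the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'; otherwise the registry is docker.io.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    # A ':' after the last '/' separates the tag; before it, it would be a registry port.
    if path.rfind(":") > path.rfind("/"):
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest


def gate_pod(pod, trusted=TRUSTED_REGISTRIES):
    """Return (container name, finding) tuples that should fail the pipeline stage."""
    findings = []
    spec = pod["spec"]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        registry, _repo, _tag, digest = parse_image(c["image"])
        if registry not in trusted:
            findings.append((c["name"], f"image from untrusted registry {registry}"))
        if digest is None:
            # A mutable tag can be re-pointed after scanning; a digest cannot.
            findings.append((c["name"], "image not pinned by digest"))
        for env in c.get("env", []):
            # A literal 'value' under a secret-looking name is the classic leak;
            # 'valueFrom' with a secretKeyRef is the form we want to see.
            if "value" in env and SECRET_NAME_RE.search(env["name"]):
                findings.append((c["name"], f"plaintext secret in env {env['name']}"))
    return findings


# Constructed: what a first draft often looks like.
BAD_POD = {
    "spec": {"containers": [{
        "name": "api",
        "image": "nginx:1.25",
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
    }]}
}

# Constructed: trusted registry, digest-pinned image, secret injected from a Secret.
GOOD_POD = {
    "spec": {"containers": [{
        "name": "api",
        "image": "ghcr.io/example/api@sha256:" + "a" * 64,
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
    }]}
}

if __name__ == "__main__":
    print("bad:", gate_pod(BAD_POD))
    print("good:", gate_pod(GOOD_POD))
```

The name-based secret check is a heuristic and will miss a secret stored under an innocuous variable name, so it complements rather than replaces image-layer secret scanning; its value is that it catches the most common mistake at the point where the manifest is written, before the image is ever built.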
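The segmentation and network-policy items above rest on one Kubernetes behaviour worth seeing concretely: a pod accepts traffic from anywhere until some NetworkPolicy selects it, after which only traffic matched by a rule of a selecting policy gets through. The following is an added example, not code from the article or from Kubernetes itself. It models that ingress evaluation for two pods in the same namespace (podSelector and port matching only; namespaceSelector, ipBlock and egress are left out of the model) and runs a constructed default-deny policy plus one allow rule through it.

```python
# Added example (not from the article): a simplified model of Kubernetes ingress
# NetworkPolicy evaluation. Policies and pod labels below are constructed.

def _selects(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present.
    An empty selector {} matches every pod."""
    match = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in match.items())


def ingress_allowed(policies, src_labels, dst_labels, port):
    """Is traffic from src to dst on this port allowed by the given policies?

    If no policy selects the destination the traffic is allowed (the Kubernetes
    default). Otherwise some ingress rule of some selecting policy must match
    both the source pod and the port. A selecting policy with no ingress rules
    allows nothing, which is how default-deny works.
    """
    selecting = [
        p for p in policies
        if _selects(p["spec"]["podSelector"], dst_labels)
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
    ]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from")    # empty/absent 'from' means any source
            ports = rule.get("ports")   # empty/absent 'ports' means any port
            src_ok = not peers or any(
                _selects(peer["podSelector"], src_labels)
                for peer in peers if "podSelector" in peer
            )
            port_ok = not ports or any(pp.get("port") == port for pp in ports)
            if src_ok and port_ok:
                return True
    return False


# Constructed: deny all ingress to every pod in the namespace.
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

# Constructed: then open exactly one path, web -> db on TCP 5432.
ALLOW_WEB_TO_DB = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-web-to-db"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "db"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
            "ports": [{"protocol": "TCP", "port": 5432}],
        }],
    },
}

WEB, DB, BATCH = {"app": "web"}, {"app": "db"}, {"app": "batch"}

if __name__ == "__main__":
    policies = [DEFAULT_DENY, ALLOW_WEB_TO_DB]
    print("web->db:5432", ingress_allowed(policies, WEB, DB, 5432))
    print("batch->db:5432", ingress_allowed(policies, BATCH, DB, 5432))
    print("web->db:22", ingress_allowed(policies, WEB, DB, 22))
```

The point the model makes explicit is that adding the allow rule alone would change nothing, because the db pod is not isolated until something selects it; the default-deny policy is what turns the namespace into a segment, and every further rule then widens it deliberately.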