Run-time security is the most important aspect, because applications and systems are under constant probing and attempted attack for their entire lifetime, often years. Even though containers are constantly started, stopped and updated, the hosts they run on remain vulnerable to new exploits and zero-day attacks.
It’s critical to prepare the production environment for security first by locking down hosts and using orchestration tools to manage secrets and set access controls. In complex enterprise pipelines it’s critical to segment access by project team as well as team roles.
Once in production, containers can be constantly scaling up, down and across hosts, as well as being updated. This makes it very difficult to get visibility into the network and process behavior of containers. With the move to a microservices architecture, monolithic applications are being deployed as tens or hundreds of microservices, increasing the potential chaos. The result is an explosion of ‘east-west’ (internal) traffic between containers.
For run-time security, a new type of security product called a ‘container firewall’ such as the one from NeuVector is required. A container firewall combines traditional Layer 7 network filtering with cloud-native intelligence to inspect and protect container traffic. Container firewalls are integrated with container orchestration tools such as Kubernetes, Docker Swarm, Rancher and RedHat OpenShift so that protection is maintained as containers scale up, down, or across hosts.
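The following added example (written for this page, not NeuVector's code) shows the core idea of a container firewall for east-west traffic: policy is expressed in terms of workload labels supplied by the orchestrator rather than pod IP addresses, so a newly scheduled replica is covered automatically, and the Layer 7 protocol identified on the wire is part of the decision. The pod inventory, allowlist and flows are all constructed for the example.

```python
"""Label-based east-west allowlist, modelled on what a container firewall does.

Policies name workload labels (app=web, app=api, ...) rather than pod IPs, so
they keep working when pods are rescheduled or scaled. All data below is
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory as an orchestrator would expose it: pod IP -> app label.
POD_LABELS: Dict[str, str] = {
    "10.1.0.4": "web",
    "10.1.0.9": "web",      # second replica that appeared after a scale-up
    "10.1.1.2": "api",
    "10.1.2.7": "db",
    "10.1.3.1": "batch",
}

# Allowed flows: (source app, destination app, destination port, L7 protocol).
# Anything not listed here is a violation.
ALLOW: Set[Tuple[str, str, int, str]] = {
    ("web", "api", 8080, "HTTP"),
    ("api", "db", 5432, "PostgreSQL"),
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    l7: str   # protocol identified by payload inspection, e.g. "HTTP"


@dataclass(frozen=True)
class Verdict:
    flow: Flow
    allowed: bool
    reason: str


def label_of(ip: str) -> Optional[str]:
    """Resolve a pod IP to its workload label via the orchestrator inventory."""
    return POD_LABELS.get(ip)


def evaluate(flow: Flow) -> Verdict:
    src, dst = label_of(flow.src_ip), label_of(flow.dst_ip)
    if src is None or dst is None:
        # Traffic to or from an endpoint the orchestrator does not know is
        # never implicitly trusted.
        return Verdict(flow, False, "unknown endpoint")
    key = (src, dst, flow.dst_port, flow.l7)
    if key in ALLOW:
        return Verdict(flow, True, f"{src}->{dst}:{flow.dst_port}/{flow.l7} allowed")
    # Distinguish an unexpected protocol on an otherwise allowed port (a sign of
    # tunnelling or misuse) from a connection that should not exist at all.
    if any(k[:3] == key[:3] for k in ALLOW):
        return Verdict(flow, False,
                       f"unexpected protocol {flow.l7} on {src}->{dst}:{flow.dst_port}")
    return Verdict(flow, False, f"no policy for {src}->{dst}:{flow.dst_port}")


def evaluate_all(flows: List[Flow]) -> List[Verdict]:
    return [evaluate(f) for f in flows]


# Constructed sample flows, one per case the policy distinguishes.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.1.0.9", "10.1.1.2", 8080, "HTTP"),        # new web replica -> api: allowed
    Flow("10.1.1.2", "10.1.2.7", 5432, "PostgreSQL"),  # api -> db: allowed
    Flow("10.1.0.4", "10.1.2.7", 5432, "PostgreSQL"),  # web -> db directly: no policy
    Flow("10.1.0.4", "10.1.1.2", 8080, "SSH"),         # wrong protocol on allowed port
    Flow("10.1.3.1", "10.1.1.2", 8080, "HTTP"),        # batch may not talk to api
    Flow("192.0.2.10", "10.1.1.2", 8080, "HTTP"),      # source unknown to orchestrator
]

if __name__ == "__main__":
    for v in evaluate_all(SAMPLE_FLOWS):
        print("ALLOW" if v.allowed else "BLOCK", v.reason)
```

Because the allowlist is keyed on labels, the second `web` replica (`10.1.0.9`) is covered without any policy change, which is the property that lets protection keep up with scaling.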
In addition to threat and violation detection, container firewalls are also able to monitor the hosts they sit on, as well as container processes, for suspicious activity. For example, the Apache Struts exploit recently used in the Equifax breach or a Dirty Cow exploit could allow an attacker to gain control of a container or host and break out of the container.
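As an added illustration of the process monitoring described above (example code written for this page, not NeuVector's implementation), the following checks process events from containers and from the host against a per-image baseline of expected executables, and additionally flags a shell spawned by a service process. The baselines and events are constructed; in practice the baseline would be learned during a trusted run of each image.

```python
"""Process-behaviour baselining for containers and their host.

Each image gets a baseline of the executables its containers are expected to
run; the host has its own baseline. A process outside the baseline, or a shell
whose parent is a baselined service process, is reported for investigation.
All baselines and events below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ProcEvent:
    container: str   # container id, or "host" for a process on the node itself
    image: str       # image the container was started from ("" for the host)
    exe: str         # executable path of the new process
    parent: str      # executable path of its parent


@dataclass(frozen=True)
class Alert:
    event: ProcEvent
    rule: str


# Constructed baselines: executables seen during a trusted run of each image.
BASELINE: Dict[str, Set[str]] = {
    "shop/web:1.4": {"/usr/sbin/nginx"},
    "shop/api:2.1": {"/usr/bin/java"},
    "host": {"/usr/bin/dockerd", "/usr/bin/containerd",
             "/usr/bin/kubelet", "/usr/sbin/sshd"},
}

SHELLS: Set[str] = {"/bin/sh", "/bin/bash", "/bin/dash"}


def scope_of(event: ProcEvent) -> str:
    """Host events are checked against the host baseline, others against their image."""
    return "host" if event.container == "host" else event.image


def check(event: ProcEvent) -> List[Alert]:
    alerts: List[Alert] = []
    expected = BASELINE.get(scope_of(event))
    if expected is None:
        # An image with no learned baseline cannot be trusted implicitly.
        alerts.append(Alert(event, "no baseline for image"))
    elif event.exe not in expected:
        alerts.append(Alert(event, "process outside baseline"))
    # A service process (in the baseline) starting an interactive shell is
    # characteristic of post-exploitation activity, whatever the shell path.
    if event.exe in SHELLS and event.parent in (expected or set()):
        alerts.append(Alert(event, "shell spawned by service process"))
    return alerts


def scan(events: Iterable[ProcEvent]) -> List[Alert]:
    out: List[Alert] = []
    for e in events:
        out.extend(check(e))
    return out


# Constructed sample events.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent("c1", "shop/web:1.4", "/usr/sbin/nginx", "/usr/sbin/nginx"),   # worker: fine
    ProcEvent("c2", "shop/api:2.1", "/usr/bin/java", "/usr/bin/tini"),       # fine
    ProcEvent("c2", "shop/api:2.1", "/bin/sh", "/usr/bin/java"),             # two alerts
    ProcEvent("host", "", "/usr/bin/kubelet", "/usr/lib/systemd/systemd"),   # fine
    ProcEvent("host", "", "/tmp/unknown-binary", "/usr/sbin/sshd"),          # outside baseline
    ProcEvent("c3", "vendor/tool:latest", "/usr/bin/python3", "/usr/bin/python3"),  # no baseline
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.event.container:5} {a.event.exe:22} {a.rule}")
```

The same baseline approach covers both halves of the sentence above: a host-level process that the host baseline does not know, and a container process that its image baseline does not know, surface through one mechanism.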