Five Tips for Container Security from Liz Rice


This blog post was originally published here on CloudOps’ blog.

The definition of cloud native has changed in the past few years. It used to refer only to technology stacks built from the CNCF’s ecosystem of projects; it now describes applications that are scalable and automatable and that can be developed and deployed quickly. Containers are probably the most effective means of making an application cloud native, but they are no longer intrinsic to the definition. Becoming cloud native will not by itself make your application any more or less secure, but it will give you opportunities to secure your pipeline at scale.

CloudOps recently hosted a meetup on container security featuring Liz Rice, renowned technology evangelist at Aqua Security and co-chair of KubeCon. Drawing on her presentation, here are five ways to help secure your containers if they are part of your cloud native strategy.

Know your Goals — Understand what you hope to accomplish with containers before you adopt them. Do you want to become more agile? Do you want to spend less time deploying software? Defining what you want lets you take each opportunity as it arises and keep your overall strategy aligned with that goal, and it helps you find niche solutions that fit your specific requirements.

Expose your Forgotten Data — Data and infrastructure are easily forgotten at the micro level, and vulnerabilities hide in obscure and unknown places. Outdated Kubernetes versions that were installed with poor security settings get forgotten. API access is left open and reachable. Impatient development teams create shadow IT by working around legacy IT processes, so deployments fall out of line with organizational practice. Code that the IT team does not know about cannot be monitored or secured.

Automation is Key — Integrating security processes into CI/CD pipelines depends on automation, and this is especially true for containerized applications: patching vulnerabilities by hand is impossible with so many instances in such short-lived environments. Automation makes it feasible to check for vulnerabilities every day instead of every month, and it does not leave you exposed when your security expert goes on vacation.

Start small — Avoid developing a vision so big that you never get started. Establish a basic foundation and tackle components one at a time. Create a minimal configuration or access-control baseline that you can expand from. Automated vulnerability scanning is a good first step. kube-bench checks a cluster’s configuration against the CIS Kubernetes Benchmark and kube-hunter probes a cluster for weaknesses an attacker could use; together they give you visibility into the security posture of your clusters. MicroScanner is a free, cut-down version of Aqua’s image scanner.

Shift Left — Software life cycles generally have development on the left and production on the right, with security relegated to production. Shifting left means bringing security controls and solutions back down the pipeline, closer to the developer. This makes security far more efficient: if a developer pulls in a vulnerable dependency or uses the wrong set of packages, the mistake is caught before the change even reaches testing, when it is cheapest to fix. Shifting left can also involve reorganizing your teams so that security, development, and operations interact more closely, in line with DevOps practice. People will be either your strongest asset or your greatest weakness.
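As an added example (not code from the original post, from Liz Rice, or from Aqua Security), here is the kind of small, automated gate that the "start small" and "shift left" tips point at: a script a CI job runs on an image scanner’s JSON report before the image reaches testing, failing the build on findings at or above a severity threshold. The report layout, the image name and the EXAMPLE-nnnn identifiers are constructed stand-ins, not real vulnerabilities, and the allowlist entries are hypothetical; real MicroScanner or Trivy output has a different shape, so parse_report() is the part to adapt. (Aqua has since retired MicroScanner in favour of its open source scanner Trivy.)

```python
"""Shift-left image scan gate for a CI pipeline.

Added example for this post; it is not code from the original article, from
Liz Rice, or from Aqua Security. The report layout below is a constructed,
simplified stand-in for the JSON an image scanner (MicroScanner, Trivy, ...)
emits; adapt parse_report() to the real tool's output. The EXAMPLE-nnnn IDs
are placeholders, not real vulnerabilities.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample scanner output (not a real scan of a real image).
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.com/app:1.4.2",
    "findings": [
        {"id": "EXAMPLE-0001", "package": "openssl", "installed": "1.1.0", "fixed": "1.1.1", "severity": "HIGH"},
        {"id": "EXAMPLE-0002", "package": "bash", "installed": "4.4", "fixed": "", "severity": "LOW"},
        {"id": "EXAMPLE-0003", "package": "curl", "installed": "7.61", "fixed": "7.62", "severity": "CRITICAL"},
        {"id": "EXAMPLE-0004", "package": "libxml2", "installed": "2.9.4", "fixed": "2.9.8", "severity": "MEDIUM"},
    ],
})

# Accepted-risk entries carry an expiry so an exception cannot be forgotten:
# once it lapses, the finding blocks the build again. (Hypothetical entries.)
ALLOWLIST = {
    "EXAMPLE-0001": {"reason": "TLS terminated at the ingress, library not reachable", "expires": "2099-01-01"},
    "EXAMPLE-0004": {"reason": "fix scheduled for next sprint", "expires": "2000-01-01"},
}


def parse_report(raw):
    """Parse the scanner JSON; raise ValueError on anything malformed so the gate fails closed."""
    data = json.loads(raw)
    if not isinstance(data, dict) or "image" not in data or not isinstance(data.get("findings"), list):
        raise ValueError("unexpected report layout")
    return data["image"], data["findings"]


def evaluate(findings, threshold, allowlist, today):
    """Split findings at or above `threshold` into (blocking, waived, expired).

    `today` is an ISO date string so the decision is reproducible in tests.
    A finding whose waiver has expired appears in both `expired` and `blocking`.
    """
    minimum = SEVERITY_RANK[threshold.upper()]
    today = date.fromisoformat(today)
    blocking, waived, expired = [], [], []
    for finding in findings:
        if SEVERITY_RANK.get(finding["severity"].upper(), 0) < minimum:
            continue  # below the policy threshold: report elsewhere, do not block
        entry = allowlist.get(finding["id"])
        if entry and date.fromisoformat(entry["expires"]) >= today:
            waived.append(finding)
            continue
        if entry:
            expired.append(finding)
        blocking.append(finding)
    return blocking, waived, expired


def gate(raw_report, threshold="HIGH", allowlist=None, today=None):
    """Return 0 if the image may proceed to testing, 1 if the build must fail."""
    allowlist = ALLOWLIST if allowlist is None else allowlist
    today = today or date.today().isoformat()
    try:
        image, findings = parse_report(raw_report)
    except (ValueError, TypeError) as exc:
        # An unreadable report is treated as a failure, never as "no findings".
        print(f"scan gate: cannot read report ({exc}); failing closed")
        return 1
    blocking, waived, expired = evaluate(findings, threshold, allowlist, today)
    for f in waived:
        print(f"{image}: {f['id']} waived until {allowlist[f['id']]['expires']}")
    for f in expired:
        print(f"{image}: waiver for {f['id']} has expired")
    for f in blocking:
        fix = f"upgrade to {f['fixed']}" if f["fixed"] else "no fix available yet"
        print(f"{image}: BLOCK {f['id']} {f['severity']} in {f['package']} {f['installed']} ({fix})")
    if blocking:
        return 1
    print(f"{image}: no findings at or above {threshold}, proceeding")
    return 0


if __name__ == "__main__":
    # In CI the report would come from the scanner step; here the constructed sample is used.
    sys.exit(gate(SAMPLE_REPORT, today="2024-01-01"))
```

Two details matter more than which scanner produced the report: the gate fails closed when the report is unreadable, and every accepted-risk entry expires, so a finding that was waived "for now" comes back to block the build instead of quietly becoming forgotten data.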

Liz Rice’s presentations on container security showed how cloud native processes specific to containers can result in more secure technology stacks. Done right, containers create islands of isolation that distribute risk and avoid single points of failure, and the cloud can actually make it easier to limit the blast radius of a breach. By understanding your goals, exposing your forgotten data, automating, starting small, and shifting left, you can seize the opportunities cloud native architectures give you to secure your containers.

Following Liz Rice, CloudOps’ CNCF ambassador, Ayrat Khayretdinov, provided an overview of the CNCF landscape and an update of Kubernetes 1.12.

Kubernetes. Kubernetes 1.12 was released recently with some notable updates. Volume snapshots and support for multiple container runtimes via RuntimeClass were introduced as new alpha features. Other features graduated: kubelet TLS bootstrap, kubelet certificate rotation, NetworkPolicy egress and ipBlock, VPA and HPA with arbitrary/custom metrics, encryption at rest via KMS, and topology-aware dynamic volume provisioning.

Other CNCF Projects. Rook, an orchestrator for distributed storage systems, moved from the Sandbox to the Incubating stage. Cortex, a horizontally scalable, multi-tenant, long-term storage solution for Prometheus metrics, joined the Sandbox. Buildpacks, an opinionated solution for building container images from source code, was accepted as a new CNCF project in the Sandbox. Most recently, Falco has been welcomed into the CNCF Sandbox. We look forward to seeing more CNCF projects develop and evolve.

CloudOps was pleased to welcome Liz Rice to Montreal and hear her insight at the pop-up meetup. We hope to see you at more meetups to chat about all things cloud native. Our regular Kubernetes and Cloud Native meetups happen quarterly in Montreal, Toronto, Ottawa, Quebec City, and Kitchener-Waterloo. Let us know if we’ll see you at the upcoming KubeCon and CloudNativeCon in Seattle from December 10–13. We’ll be sponsoring and attending.


Sign up for CloudOps’ monthly newsletter to stay up to date with the latest DevOps and cloud native developments.

Written by

Leader in #cloud solutions, focused on open source, cloud platforms, networking, and DevOps. Experts in Kubernetes, OpenStack, CloudStack, and more.
