By AlgoSec CTO and Co-Founder, Prof. Avishai Wool
As cloud adoption and digital transformation increase, more of the sensitive data
that applications handle lives in containerized workloads. Effective container security
controls that securely manage application connectivity are therefore a must. AlgoSec CTO and Co-Founder, Prof. Avishai Wool provides
some useful container security best practices to help you do just that.
What is Container Security?
Organizations, now more than ever, are adopting
container technology. Instead of powering up servers and instances in the
cloud, they are using containers to run business applications. Securing these
is just as important as securing the other digital assets the business
depends on. There are two main pillars to think about:
- The code: you want to be able to scan the container images and make sure that
they are running legitimate code without known vulnerabilities.
- The network: you need to control access to and from the container (what it
can connect to, and what can connect to it), within the same cluster, to other clusters, and to other
parts of the network.
How critical is container security to managing application connectivity risks?
To understand the role of container security within
the overall view of network security, there are three points to consider.
First, if you're only concerned about securing the
containers themselves, then you're looking at nano-segmentation,
which involves very granular controls inside the application, between its own containers.
Second, if you're thinking about a slightly wider
scope then you may be more concerned with microsegmentation, where
you are segmenting between clusters or between servers in a single environment.
Here you will want to enforce security controls that determine the allowable communication
between specific endpoints and services.
Finally, if the communication needs to go further,
from a container inside one cluster within one cloud environment to an asset
that's outside of the data center, then it may need to pass through broader segmentation controls such as zoning
technologies, security groups or a firewall at the border.
So, there are all these layers where you can place
network security policies. When you're looking at a particular connectivity
request (say for a new version of an application) from the point of view of a
given container, you should ask yourself: what is the container connected
to? What is it communicating with? Where are the other sides of the
connectivity placed?
Based on that determination, you will then know
which security controls you need to configure to allow that connectivity
through the network.
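The three questions above (what is the container talking to, and where does the other side sit) can be turned into a small decision procedure. The following is an added illustration, not AlgoSec code or tooling: it classifies a connectivity request by the layer that governs it (nano-segmentation inside the cluster, modelled on Kubernetes NetworkPolicy-style label selectors; microsegmentation between clusters or servers in one environment; and border controls such as a firewall when the other side is outside the data center) and evaluates the request against that layer's policy. Every endpoint, label, address and rule is a constructed sample.

```python
"""Decide which segmentation layer governs a container connectivity request
and evaluate it against that layer's policy.

Added illustration, not AlgoSec code. Endpoints, labels, IPs and rules are
constructed samples; the three layers follow the article's nano / micro /
border split.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass
class Endpoint:
    name: str
    environment: str            # data center or cloud environment the asset lives in
    cluster: Optional[str]      # None for assets that are not containerized
    ip: str
    labels: Dict[str, str] = field(default_factory=dict)


# Layer 1: nano-segmentation. Label-selector rules, default deny (as with a
# Kubernetes NetworkPolicy, traffic no rule matches is dropped).
NANO_RULES = [
    {"from": {"app": "web"}, "to": {"app": "db"}, "port": 5432},
    {"from": {"app": "web"}, "to": {"app": "cache"}, "port": 6379},
]

# Layer 2: microsegmentation between segments (a cluster, or a single server)
# within one environment, keyed by (source segment, destination segment).
MICRO_RULES = {
    ("shop-cluster", "analytics-cluster"): {8443},
    ("shop-cluster", "legacy-erp-host"): {1521},
}

# Layer 3: border firewall, first match wins, implicit deny at the end.
BORDER_RULES = [
    ("10.1.0.0/16", "203.0.113.10/32", 443, "allow"),   # sample payment provider
    ("10.1.0.0/16", "0.0.0.0/0", 25, "deny"),
]


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Every key/value in the selector must be present on the endpoint."""
    return all(labels.get(k) == v for k, v in selector.items())


def segment(e: Endpoint) -> str:
    """A cluster is one segment; a non-containerized host is its own segment."""
    return e.cluster if e.cluster else e.name


def layer_for(src: Endpoint, dst: Endpoint) -> str:
    """Where the two sides sit decides which controls apply."""
    if src.cluster is not None and src.cluster == dst.cluster:
        return "nano"
    if src.environment == dst.environment:
        return "micro"
    return "border"


def evaluate(src: Endpoint, dst: Endpoint, port: int) -> Tuple[str, bool]:
    """Return (governing layer, allowed?) for src -> dst:port."""
    layer = layer_for(src, dst)
    if layer == "nano":
        allowed = any(
            selector_matches(r["from"], src.labels)
            and selector_matches(r["to"], dst.labels)
            and r["port"] == port
            for r in NANO_RULES
        )
    elif layer == "micro":
        allowed = port in MICRO_RULES.get((segment(src), segment(dst)), set())
    else:
        allowed = False
        s, d = ip_address(src.ip), ip_address(dst.ip)
        for src_cidr, dst_cidr, rule_port, action in BORDER_RULES:
            if s in ip_network(src_cidr) and d in ip_network(dst_cidr) and rule_port == port:
                allowed = action == "allow"
                break
    return layer, allowed


# Constructed sample inventory.
WEB = Endpoint("web-7f9c", "prod-cloud", "shop-cluster", "10.1.4.12", {"app": "web"})
DB = Endpoint("db-0", "prod-cloud", "shop-cluster", "10.1.4.40", {"app": "db"})
REPORTS = Endpoint("reports-2", "prod-cloud", "analytics-cluster", "10.1.9.7", {"app": "reports"})
ERP = Endpoint("legacy-erp-host", "prod-cloud", None, "10.1.200.5")
PAYMENTS = Endpoint("payments-api", "internet", None, "203.0.113.10")

if __name__ == "__main__":
    for dst, port in [(DB, 5432), (DB, 22), (REPORTS, 8443), (ERP, 1521), (PAYMENTS, 443), (PAYMENTS, 25)]:
        layer, ok = evaluate(WEB, dst, port)
        print(f"{WEB.name} -> {dst.name}:{port:<5} layer={layer:<6} {'ALLOW' if ok else 'DENY'}")
```

The point of the placement check is that the same request from the same container lands in a different control depending on where the other side is: the database in the same cluster is a NetworkPolicy question, the analytics cluster is a microsegmentation question, and the payment provider is a border firewall question. In a real environment a request may have to pass all the layers between the two sides, not just the outermost one.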
How does containerization correlate with application-centric security policy management?
There are a number of different aspects to the
relationship between container security and application security. If an
application uses containers to power up workloads, then container security is
very much an integral part of application security.
When you're adding new functionality to an
application, powering up additional containers, or asking containers to perform
new tasks for which they need to connect to additional assets, the
connectivity of those containers needs to be secured, and the security controls
need to be adjusted as the application's needs change.
Another factor in this relationship is the structure
of the application. All the containers that run and support the application are
often located in one cluster or in one micro-segment of the network. So, much of the
communication takes place inside that cluster, between one container and
another. However, some of it can go to another cluster
or to somewhere that's not even containerized. This is actually a good thing from
an application point of view, as the container structure can be used to
understand the application structure as well.
Not sure about container orchestration? Here's what to know
Container orchestration is part of a bigger
orchestration play which, in general, falls under the concept of
infrastructure as code. You want to be able to power up an environment with all
the assets it requires, have it all come up together, and be able to duplicate it.
There are various orchestration technologies that
can be used to deploy the security policies for containers alongside the workloads, which is an
excellent way to maintain container-based applications in a consistent and
repeatable manner. Then if you need to double it or multiply it by 100, you
get cookie-cutter copies of the same thing, including the same security policies.
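Two of the points above fit together in code: the container structure reveals the application structure, and infrastructure as code lets you stamp out identical copies, policies included. The following added example (not AlgoSec code or any orchestration product's own tooling) takes a constructed application graph (which container talks to which, on which port), derives a default-deny policy plus one allow rule per edge in the Kubernetes networking.k8s.io/v1 NetworkPolicy layout, and renders the same policy set into as many namespaces as you ask for. Output is JSON, which kubectl accepts in place of YAML. The application name, container names and ports are assumptions.

```python
"""Generate Kubernetes NetworkPolicy manifests from an application's container
structure and stamp out identical copies per environment.

Added example, not AlgoSec code. The application graph and namespace names
are constructed; the manifest layout follows the networking.k8s.io/v1
NetworkPolicy schema.
"""
import json
from typing import Dict, List

# Constructed application structure: edges are (client app, server app, TCP port).
APP_GRAPH = {
    "name": "shop",
    "containers": ["web", "api", "db"],
    "edges": [("web", "api", 8080), ("api", "db", 5432)],
}


def default_deny(namespace: str) -> Dict:
    """Deny all ingress to every pod in the namespace; allow rules open holes."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-ingress", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    }


def allow_edge(namespace: str, client: str, server: str, port: int) -> Dict:
    """Allow only `client` pods in the same namespace to reach `server` on `port`."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"allow-{client}-to-{server}", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": server}},
            "policyTypes": ["Ingress"],
            "ingress": [{
                "from": [{"podSelector": {"matchLabels": {"app": client}}}],
                "ports": [{"protocol": "TCP", "port": port}],
            }],
        },
    }


def policies_for(namespace: str, graph: Dict) -> List[Dict]:
    """Default deny first, then exactly one allow rule per application edge."""
    unknown = {c for e in graph["edges"] for c in e[:2]} - set(graph["containers"])
    if unknown:
        # An edge to a container nobody declared is a modelling error, not a policy to emit.
        raise ValueError(f"edge references undeclared container(s): {sorted(unknown)}")
    out = [default_deny(namespace)]
    out += [allow_edge(namespace, c, s, p) for c, s, p in graph["edges"]]
    return out


def render_copies(graph: Dict, copies: int) -> Dict[str, List[Dict]]:
    """One namespace per copy, identical policy set in each (the cookie-cutter step)."""
    return {
        f"{graph['name']}-{i:03d}": policies_for(f"{graph['name']}-{i:03d}", graph)
        for i in range(1, copies + 1)
    }


def strip_namespace(policy: Dict) -> Dict:
    p = json.loads(json.dumps(policy))   # deep copy
    p["metadata"].pop("namespace")
    return p


def copies_identical(rendered: Dict[str, List[Dict]]) -> bool:
    """True when every copy differs from the others only in its namespace."""
    canon = [[strip_namespace(p) for p in pols] for pols in rendered.values()]
    return all(c == canon[0] for c in canon)


if __name__ == "__main__":
    rendered = render_copies(APP_GRAPH, 3)
    manifest = {"apiVersion": "v1", "kind": "List", "items": rendered["shop-001"]}
    print(json.dumps(manifest, indent=2))
```

Note what the generated set deliberately leaves out: nothing admits traffic into `web` from outside the cluster, because that is a border-layer decision (ingress controller, security group or firewall), not something the application's internal structure can tell you. Keeping the two concerns separate is what lets the in-cluster policy be stamped out unchanged across a hundred copies while the border rules stay specific to each environment.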
How will container security solutions play out in the future?
Organizations today have the technology to enforce
security controls at the container level, but these controls are very granular
and it's time-consuming to set policies and enforce them, particularly given
staff and skills shortages.
Looking ahead, companies are likely to take a
hierarchical view where container-based security is controlled at the
application level by app owners or developers, and at the broader levels to
ensure that the measures deployed throughout the network have the same degree
of sophistication. Procedures and tooling are all evolving, so we don't have a
definitive answer as to how this will all end up. What are organizations going
to be doing? Where will they place their controls? Who has the power to make
the changes?
When newer technologies are deployed, customer
adoption will be crucial to understanding what makes the most sense. This will
be interesting as there will be multiple scenarios to help companies master
their security blueprint as we move forward.
ABOUT THE AUTHOR
Avishai Wool, CTO and Co-Founder
Prof. Avishai Wool co-founded AlgoSec in 2004 and
has served as its CTO since its inception. Prior to co-founding AlgoSec, he
co-founded Lumeta Corporation in 2000 as a spin out of Bell Labs, and was its
Chief Scientist until 2002. At Lumeta, Prof. Wool was responsible for
transforming the firewall analyzer technology he helped develop at Bell Labs
into a commercial product. Earlier, Prof. Wool was a technical staff member at
Bell Labs' Secure Systems Research Department, where he led a team of
researchers who created the first research prototypes for the firewall
analyzer. He has published more than 110 research papers and holds 13 US
Patents, and has served on the program committee of the leading IEEE and ACM
conferences on computer and network security. Prof. Wool has a B.Sc. (Cum
Laude) in Mathematics and Computer Science, and a M.Sc. and Ph.D. in Computer
Science.