Report: Cloud-native app security is a concern, but it's a manageable challenge

The popularity of cloud-native applications is raising significant security concerns, according to a report from StackRox.

"The State of Container Security" found that more than one-third of organizations worry that their container security strategy is inadequate. Fifteen percent more feel that their strategies don't take the security threat seriously enough, and more than one-third either haven't started security planning or have only just begun it.

The survey found that the main concerns are misconfigurations and the runtime environment. Fifty-four percent of respondents primarily worry about misconfigurations and accidental exposures, while 44% said that the runtime phase, as opposed to build and deploy, is the most worrisome.


The litany of worries raises the question of who within the organization should take control. The "winners" are DevOps and DevSecOps, according to StackRox, a container and Kubernetes security vendor. The goals should be to deepen security planning, integrate security and DevOps teams and adopt appropriate security technologies.

The technical changes are not incidental. "From a security perspective, enterprises must account not only for all of the key components of a containerized environment (images, containers, hosts, registries, and orchestrator) wherever they reside (on-prem or in the cloud), but also across each phase of the container lifecycle (i.e., build, deploy/ship, run)," wrote Mark Bouchard, the vice president of research and COO of the CyberEdge Group, in response to emailed questions from FierceTelecom. The CyberEdge Group is a research and marketing consulting firm that was quoted in StackRox's press release.

The problem is that organizations have been slow to recognize—or act upon—the challenges. "Security of containers and Kubernetes lags usage of containers and Kubernetes, by a significant margin," StackRox CEO Kamal Shah wrote, also in response to emailed questions. "While the more than 230 organizations surveyed are all using containers, and 97% of them are using orchestrators, less than 30% of them have crafted a security strategy they rate as more than 'basic.'"

These technical issues will present C-suite executives with decisions and challenges. "As the initial waves of containerized applications transition from the dev/test environment into production, enterprises—if they haven’t already done so—will need to take a more strategic approach to container security," Bouchard wrote. "Continuing to rely on tactical, piecemeal efforts featuring too-great emphasis on vulnerability scanning will only serve to erode many of the gains containers are meant to deliver (easier/quicker app revs, more efficient resource utilization, and superior scalability)."

There is an opportunity to more closely align containers/microservices and security, the report says, as the evolution of cloud-native applications continues. The survey identified four elements of a container security platform. The first three are to address misconfiguration concerns, make runtime security the primary focus and demand portability across environments.

The fourth suggestion is to choose a platform oriented to DevOps and workflow processes. Organizations should make sure that risk mitigation information is provided directly to the appropriate DevOps teams, that the platform leverages cloud-native infrastructure for security controls, and that it frames information at the deployment layer as well as at the container level.

The good news is that securing containers and Kubernetes is attainable. "The change is not expensive or terribly time consuming, but it does involve security teams learning new technologies and processes," Shah wrote. "There’s the obvious change, that many 'old' security tools don’t work in a containerized environment—where would you put a traditional firewall, for example? It can’t block container-to-container communications. But the biggest change is that security must 'shift left' in its workflow and apply guardrails and policy guidance much earlier in the application development process."

Both Shah and Bouchard had clear ideas about what organizations' first steps in this process should be. Bouchard suggested organizations take full advantage of security features within the container infrastructure instead of layering on third-party products. He also wrote that organizations should "double down" on security configuration management.

Shah thinks the key is communications. "Organizations need to make sure security and DevOps are sitting in the same room and evaluate the configurations of containers and Kubernetes together," he wrote. "As in every other wave of infrastructure change, the biggest security risks result from misconfigurations, so security needs to understand the language and tooling of DevOps and then have a way to identify risk factors such as misconfigurations in their own environments. Then security can work with DevOps to create the policies needed to protect this application development infrastructure."
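The kind of "guardrail" Shah and Bouchard describe, applied earlier in the pipeline, can be as simple as a script that reads workload manifests and flags the misconfigurations security and DevOps have agreed on. The following is an added example written for this article, not code from StackRox, CyberEdge or the report: it checks pod manifests for a hypothetical baseline (privileged containers, host networking, root users, writable root filesystems, undropped capabilities, missing resource limits, unpinned images) and checks whether the namespace carries a default-deny ingress NetworkPolicy, the cloud-native control that stands in for the perimeter firewall Shah says cannot sit between containers. The manifests are constructed samples in JSON form (what `kubectl get -o json` emits), so only the standard library is needed.

```python
"""Added example: a shift-left guardrail that flags common Kubernetes pod
misconfigurations and a missing default-deny NetworkPolicy before deploy.
The checklist is an assumed baseline, not the report's list; all manifests
below are constructed samples."""
import json

# Constructed sample: a pod spec with several risky settings.
WEAK_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "shop"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "api",
            "image": "example.internal/shop/api:latest",
            "securityContext": {"privileged": True},
        }],
    },
})

# Constructed sample: the same workload with the guardrails satisfied.
HARDENED_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api-hardened", "namespace": "shop"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "api",
            "image": "example.internal/shop/api@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
})

# Constructed sample: default-deny ingress for the namespace, the cloud-native
# replacement for a perimeter firewall that cannot sit between pods.
DEFAULT_DENY = json.dumps({
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
})


def image_pinned(image: str) -> bool:
    """True when the image reference names a digest or a non-'latest' tag."""
    last = image.rsplit("/", 1)[-1]  # drop registry/repository path
    if "@sha256:" in last:
        return True
    return ":" in last and not last.endswith(":latest")


def check_pod(pod: dict) -> list[str]:
    """Return human-readable findings for one Pod manifest (empty = clean)."""
    findings = []
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    if spec.get("hostNetwork"):
        findings.append("pod: hostNetwork shares the node's network namespace")
    for c in spec.get("containers") or []:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # defaults to true when unset
            findings.append(f"{name}: allowPrivilegeEscalation not false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append(f"{name}: capabilities not dropped")
        if not (c.get("resources") or {}).get("limits"):
            findings.append(f"{name}: no resource limits")
        if not image_pinned(c.get("image", "")):
            findings.append(f"{name}: image not pinned to a tag or digest")
    return findings


def has_default_deny_ingress(objects: list[dict], namespace: str) -> bool:
    """True if a NetworkPolicy in the namespace selects every pod (empty
    podSelector), lists Ingress in policyTypes and carries no ingress rules."""
    for p in objects:
        if p.get("kind") != "NetworkPolicy":
            continue
        if (p.get("metadata") or {}).get("namespace") != namespace:
            continue
        spec = p.get("spec") or {}
        if (spec.get("podSelector") == {}
                and "Ingress" in (spec.get("policyTypes") or [])
                and not spec.get("ingress")):
            return True
    return False


def evaluate(manifest_json: list[str]) -> dict[str, list[str]]:
    """Run every check over a bundle of JSON manifests, keyed by namespace/name."""
    objects = [json.loads(m) for m in manifest_json]
    report = {}
    for pod in (o for o in objects if o.get("kind") == "Pod"):
        meta = pod.get("metadata") or {}
        ns = meta.get("namespace", "default")
        findings = check_pod(pod)
        if not has_default_deny_ingress(objects, ns):
            findings.append("namespace: no default-deny ingress NetworkPolicy")
        report[f"{ns}/{meta.get('name')}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in evaluate([WEAK_POD, HARDENED_POD, DEFAULT_DENY]).items():
        print(key, "->", findings or "OK")
```

Run as a pre-merge step, the weak manifest fails with eight findings and the hardened one passes; dropping the NetworkPolicy from the bundle adds a namespace finding to both. The checklist itself is the artifact Shah describes security and DevOps agreeing on together, and it belongs in the repository next to the manifests so that it is reviewed and versioned like the workloads it guards.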