Cloud container security
Unlike traditional firewalls, container security offers a dynamic and automated approach. Behavioral learning is part of this approach and keeps the container security policy continuously up to date.
Containers: a cloud native solution
Containers are the latest way to quickly and easily roll out new applications within the organization. This cloud native solution enables continuous upscaling or downscaling, which requires a different approach to IT security.
A container ensures that a complete runtime environment is bundled in one package: the application, including all context and required configuration files. By offering the application platform as a container, differences in operating systems and underlying infrastructures are filtered out.
Container orchestration, such as Kubernetes, helps with the automatic creation, recognition and runtime security of containers. The uniquely dynamic way containers work means that container security has its own challenges.
Container orchestration: Kubernetes
Container orchestration, such as Kubernetes, is an open-source system for automating the deployment, scaling and management of applications using containers. It groups containers by segmenting applications logically in order to simplify management.
Benefits of container orchestration include:
- Scalability without impacting your DevOps team, just as Google does with its own containers (millions each week).
- Flexibility to keep pace with the growth of your organization and to make sure applications work consistently, regardless of their complexity.
- Freedom to make use of, and to move workloads between, on-site, hybrid or public cloud solutions.
Why container security?
Runtime security based on behavioral learning and container intelligence is quick and efficient, but the container environment it protects is at the same time also vulnerable.
The following questions about container orchestration certainly deserve attention:
- Do any exploits sneak into the DevOps cycle of container apps?
- Is all the traffic between containers visible (east-west as well as north-south)? ‘Never trust, always verify’ is one of the principles of the Zero Trust Security Strategy.
- Can you effectively isolate and segment between containers?
- Can existing IT security facilities handle container-specific threats?
What are the differences between a Next-Generation Firewall and a Container Firewall?
Because containers communicate among themselves, north-south protection (traffic entering and leaving the cluster) is not enough. The east-west protection (traffic between containers) that container firewalls provide is therefore an absolute necessity.
The diagram opposite shows the additional points at which container security differs from next-gen firewall security.
Zero Trust container security by ON2IT
The high degree of automation within containers makes the Zero Trust Security Strategy the way to go here, too. The basic Zero Trust Security principles are also highly applicable within containers.
Because container security requires security measures other than (next-gen) firewalls, ON2IT has opted for a collaboration with NeuVector. NeuVector offers container security in the form of an automated 4-step plan:
- Deploy: NeuVector provides immediate network and container visualization, in addition to automated deployment and updates.
- Audit & Compliance: to be demonstrably compliant, NeuVector offers Kubernetes CIS benchmark and runtime vulnerability scanning.
- Protect: your containers are protected thanks to automated threat detection, network-based application security, and endpoint process and syscall monitoring.
- Respond: if a threat is detected, NeuVector sends you an alert, blocks the threat automatically and places it in quarantine.
Do you need help in setting up your container security?
ON2IT supports you in setting up your container security and helps to solve problems such as:
- How do you uncover irregular behavior in east-west traffic between containers?
- How do you see whether each pod displays only ‘regular’ behavior?
- Which attack techniques can potentially be used?
- Can you see and inspect network connections just like in your other implementations, for example at layer 7 (the application layer)?
- Are you able to monitor what is going on in a pod or container? And can you determine whether there has been a possible exploit?
ON2IT cloud security specialists are ready to set up your container security.
Container security downloads
Would you like to know more about container security and Kubernetes? Just download one of the eBooks.
This guide helps security teams understand the attack surface of Kubernetes implementations and how vulnerabilities in it can be exploited by attackers.
This guide helps DevOps and security teams understand and address the security requirements for the Build-Ship-Run stages of container deployment.