Container usage for production deployments in enterprises is still constrained by concerns regarding security, monitoring, data management and networking.
So begins the Gartner report, listing those concerns as the number one key challenge limiting container adoption. The cost of bolting on security later in the container lifecycle is steep, and making substantial changes to your infrastructure to move from dev/test into prod means you won’t realize one of the key advantages of containerization - namely, speed. In its Best Practices for Running Containers and Kubernetes in Production report (download your complimentary copy here), Gartner advises against making this mistake.
According to Gartner, by 2022, more than 75% of organizations will be running containerized apps in production environments - three times today’s rate - further underscoring the need to embed security within the DevOps workflows.
Read on for a summary of the key security and governance recommendation from the Gartner report. Along with Gartner’s recommendations, we add learnings from our customers to help you make smarter decisions on your container and Kubernetes adoption journey.
Security, governance and process isolation
Organizations can no longer afford to treat container security as an afterthought. Security must be part of the entire container life cycle, including the build/development and deployment phases. What does that concept mean in practice?
Implement image scanning and vulnerability management
Integrate image scanning as part of your vulnerability management strategy that’s deeply tied into your continuous integration/continuous delivery (CI/CD) pipeline. Image scanning should not focus on just the vulnerability alone. Instead, you should combine CVE information (high, medium, low severity) with information from the deploy phase, such as your network exposure within that deployment or whether an affected container is running in privileged mode, to help your dev team prioritize which deployments need immediate remediation.
Ensure compliance with CIS Benchmarks for Docker, Kubernetes, and other specs
The Center for Internet Security (CIS) has estabilished configuration baselines for Docker runtime and Kubernetes to harden your environments against potential attacks. The latest benchmarks for Kubernetes and Docker can be found here and here respectively.
In addition, the National Institute of Standards and Technology (NIST SP 800-190) has published its own security guidance for containers that provides recommendations and best practices for security risks and countermeasures around:
- Images - vulnerabilities and exploits, configuration defects, etc.
- Image registries - insecure connection to registries, stale images in registries, etc.
- Kubernetes - access control, networking, workload separation, etc.
- Containers - misconfigurations, vulnerabilities and exploits, rogue or anomalous behavior
Implement container and Kubernetes configuration management
Although Gartner advises you to adhere to CIS Benchmarks as a key to securing your container and Kubernetes environments, one particular container configuration the analysts call out is the importance of avoiding running containers that are configured to run in privileged mode. Privileged containers are particularly at risk of being exploited if they also contain other vulnerabilities. That’s because the –privilege flag gives all capabilities to the container, while lifting limitations enforced by the device cgroup controller. In other words, the container is able to do almost everything that the host is able to do.
Enforce mandatory access controls and separation of duties
Ensure that you’re using Kubernetes RBAC to control who can access the Kubernetes API and what permissions they have. RBAC is usually enabled by default in Kubernetes 1.6 and beyond, but if you have upgraded since then and haven’t changed your configuration, you’ll want to double-check your settings. Because of the way Kubernetes authorization controllers are combined, you must both enable RBAC and disable legacy Attribute-Based Access Control (ABAC).
In addition, use namespaces to establish security boundaries. Creating separate namespaces is an important first level of isolation between components. It’s much easier to apply security controls such as Network Policies when different types of workloads are deployed in separate namespaces.
Use a third-party security solution that uses allow lists, behavioral modeling, and anomaly detection to prevent malicious activity
Any threat detection security product should come with out-of-the-box policies that allow or disallow specific traffic types. These capabilities should detect threats while minimizing noise and alert fatigue. You should monitor process execution, network connections and flows, privilege escalation, and files launched to identify threats in real time.
How StackRox helps you follow Gartner’s best practices
We’d love to show you how the StackRox Kubernetes Security Platform can help you achieve these best practices and bridge your DevOps and Security teams in securing containers and Kubernetes in production in your organization. StackRox addresses critical container and Kubernetes security uses cases including:
- Visibility - provides comprehensive visibility into images, registries, containers, deployments, and runtime behavior
- Vulnerability management - goes beyond CVE scoring and image scanning to enforce full lifecycle vulnerability management, from build and deploy, to runtime
- Compliance - helps ensure adherence to CIS benchmarks for Kubernetes and Docker as well as NIST, PCI, and HIPAA
- Network segmentation - leverages native controls in Kubernetes to isolate assets, block deployments, or kill pods
- Risk profiling - provides a stack-ranked list of all deployments with risk factors that identifies riskiest deployments in need of immediate remediation
- Configuration management - applies configuration best practices to harden your Kubernetes and container environments from the very start
- Threat detection - employs rules, allow lists, and baselining to accurately detect and prevent suspicious/malicious activities
- Incident response - enables policy enforcement and incident response in real-time, from alerting to killing pods to thwarting attacks during runtime