We recently asked IT and security professionals working at organizations that have adopted containers to rate the importance of several container security capabilities and use cases for their environments. We found that respondents put a premium on addressing those security use cases that allow them to shift security left and apply best practices earlier in the container life cycle, with vulnerability management and configuration management taking two of the top three spots. (Download the full report here.)
The use cases under discussion span DevOps and security activities, underscoring the need for both broad and deep functionality in container and Kubernetes security platforms. This breadth also highlights the fact that securing Kubernetes and containers requires involvement across developers, DevOps teams, and Security teams.
The following seven container and Kubernetes security use cases top the list of priorities for most organizations – follow the best practices gleaned from your peers and shared here to get your organization on the right track.
1) Vulnerability management
Most organizations start with vulnerability management – the challenge is to quickly move beyond the limited value provided by image scanning. Organizations must also identify vulnerabilities in Kubernetes, and they need a way to quickly pinpoint newly discovered vulnerabilities in already running deployments. Start with vulnerability management, but demand more than image scanning for this use case.
As the second most often-cited security use case, visibility into your container and Kubernetes environments is at the root of being able to properly secure that environment. Only when your security tooling is fully embedded into Kubernetes can you understand your cloud-native infrastructure, including images, containers, pods, namespaces, clusters, and network policies. You need insights into how each is configured and whether they’re compliant with industry standards and your internal security policies.
3) Configuration management
Misconfigurations pose the greatest security risk to containers and Kubernetes. In today’s DevOps-driven environment, configuration management must be as automated and streamlined as possible for it to not slow down application deployment. You need configuration management to be comprehensive, covering containers, Kubernetes, and all their configurable components, including:
- Network policies
- Privilege levels
- Resource limits/requests
- Read-only root file systems
- Annotations, labels
- Sensitive host mount and access
- Image configuration, including provenance
DevOps moves fast and relies on automation for continuous improvement, so organizations need a compliance solution built to complement – not inhibit – the pace of business. You need to not only adhere to industry compliance requirements but also show evidence of that compliance. You should be able to show which clusters, nodes, or namespaces are compliant with all the individual controls relevant in container and Kubernetes environments from frameworks including CIS benchmarks for Docker and Kubernetes, PCI, HIPAA, and NIST SP 800-190. And it should be dead simple to run on-demand compliance checks and export evidence of compliance that meets auditors’ needs.
5) Runtime threat detection
According to our report, runtime is the life cycle phase that customers are most worried about. The security goal in this phase is to detect and respond to malicious activity in an automated and scalable way while minimizing false positives and alert fatigue. Kubernetes offers rich declarative data around images and deployments that delivers valuable context when assessing runtime behavior. Leverage this context to more accurately differentiate between simple anomalies and true threats, and use Kubernetes-native enforcement capabilities to mitigate runtime threats in the most automated and scalable manner.
6) Network segmentation
Containers pose a unique networking challenge because containers communicate with each other across nodes and clusters (east-west traffic) and outside endpoints (north-south traffic). Kubernetes provides built-in capabilities that enable network segmentation. Leverage those native controls to ensure consistent, portable, and scalable network segmentation regardless of your CNI plugin or Kubernetes distribution. Using the segmentation inherent in Kubernetes ensures that security and DevOps see and act on a single source of truth and consistent information to restrict access and reduce the blast radius.
7) Risk profiling and prioritization
In sprawling Kubernetes environments, manually triaging security incidents and policy violations is time consuming and prone to exacerbating alert fatigue. A better approach is to use the declarative contextual data in your Kubernetes environment to assess risk across all your deployments. Instead of looking at vulnerabilities and CVSS scores alone, understand true risk in your environment and prioritize which security issues should be fixed first. As an example, a deployment containing a vulnerability with a severity score of 7 or greater should be moved up in remediation priority if that deployment contains privileged containers and is open to the Internet but down if it’s in a test environment and supporting a non-critical app.