With containers, shift your security approach to the micro-perimeters

Gary Duan Co-founder and CTO, NeuVector

The move to break up traditional monolithic systems and adopt microservices in cloud-native architectures presents a new security mandate. Where once it made sense to deploy a traditional firewall to protect an environment's perimeter from external threats, the rise of container-based microservices necessitates also defending the micro-perimeters within a containerized environment.

That calls for a new security model congruent with how containerized applications are developed, deployed, and run in production, in order to implement effective safeguards across the critical build-ship-run lifecycle.

Container environments are highly dynamic by nature, rapidly spinning in and out of existence to meet resource requirements as efficiently as possible, a fact that makes containers a moving target for defenders. These environments also tend to include orchestration solutions such as Kubernetes, service meshes, and other key tools, each of which is in constant communication and has its own perimeters that must be secured.

Increasingly complex traffic among these components and in the containers themselves means even more micro-perimeters to safeguard, especially as connections begin to cross hosts, clusters, networks, and even clouds, each a vector with traffic that must be protected.

Here's why you need to change your approach to security in the age of containers.

Defend your micro-perimeters

To really protect container environments, you need to recognize a tight perimeter around each workload and provide close, automated security measures at this granular segment level. (This is what I mean by "micro-perimeters.")

Safeguarding traffic at the container level in this manner calls for a zero-trust security model designed for containerized cloud environments, able to perform threat detection and network segmentation to define micro-perimeters around any application workload.

This model should also leverage deep network visibility to construct security policies suited to both application endpoints and the protocols they use.

Automation is essential to defending micro-perimeters, given the dynamic nature of container environments and the frequency with which new containerized services arise. Each week can bring the release of more than a thousand new or updated container services, so manually altering firewall rules and Linux iptables rules at that scale isn't realistic.

Container security solutions featuring scalable automation should also leverage declarative security policy. This allows development teams to whitelist specific connections within their deployments and declare security policies as applications are deployed in production.

It's also important to consider the security implications of legacy applications that will not be fully containerized but will see an extended life through the addition of container-based features. These legacy applications will include ingress and egress connections that must be secured as carefully as the traffic internal to the container network.

Integrate DevOps and security

Separate DevOps and enterprise security teams are often tasked with managing their fully automated pipelines for developing and deploying container services, and with securing that workflow, respectively. However, DevOps developers may not be experts in network security and, in turn, enterprise security teams may not have expertise in DevOps and container orchestration.

This dichotomy can lead to clashes and overly complex integrations—or security measures being bolted on after the fact—significantly reducing their effectiveness.

As a best practice, enterprises should create combined teams of security and DevOps experts who closely collaborate, integrate security into the DevOps pipeline from the beginning, and leverage automation wherever possible.

Such teams will also ensure that containers are secure throughout production, by implementing methods to monitor and safeguard containers, the container network, and orchestration systems in real time.

DevOps and security teams can also benefit by utilizing Kubernetes Custom Resource Definitions (CRDs) to implement security policy as code. Using CRDs, these teams can declare container security policies by writing code in standard YAML files, quickly and conveniently introducing easily automated policies backed by analysis of expected application behaviors.
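To make the declarative, whitelist-style policy from the two passages above concrete, here is an added example (not code from the article or from NeuVector's own CRDs) using the standard Kubernetes NetworkPolicy resource: a default-deny policy for the namespace plus one allow policy that draws a micro-perimeter around an "orders" workload. The namespace "shop", the app labels, and the ports are assumed for illustration.

```yaml
# Added example, not NeuVector's CRDs: two standard Kubernetes NetworkPolicy
# objects. Namespace "shop" and the app labels are assumed for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}          # empty selector: every pod in the namespace
  policyTypes:             # no ingress/egress rules listed: deny both
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-micro-perimeter
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: orders
  policyTypes:
  - Ingress
  - Egress
  ingress:                 # only the frontend may call orders, on 8080/TCP
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
  egress:                  # orders may reach only its database and DNS
  - to:
    - podSelector:
        matchLabels:
          app: orders-db
    ports:
    - protocol: TCP
      port: 5432
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```

NetworkPolicy rules are additive on top of the deny-all default, so the frontend and orders-db workloads each need their own allow policies before the connections above actually succeed. Enforcement also depends on the cluster's CNI plugin implementing NetworkPolicy; a cluster without such a plugin accepts these objects but does not enforce them.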

The limitations of perimeter firewalls

With traditional firewalls, traffic entering an environment is checked against security policies to ensure its legitimacy before being allowed to reach its destination. However, threats to container environments can not only arrive from external connections, but also escalate through lateral movements within internal container traffic.

Given all this, and the inherent challenge of monitoring traffic from dynamic containers that may exist for only a few moments, administering complex security policies manually is all but impossible.

In fact, most attacks on containers are now internal, with a malware-infected host propagating attacks to other clusters and workloads. Perimeter firewalls also lack visibility into container environments and the application communication patterns necessary to protect them—it's difficult to protect what you can't see.

In these environments, the external perimeter is, in many ways, no longer the true security perimeter.

The future of container security

Infrastructure and applications will only continue to become more virtualized and portable, even as enterprises seek to deploy workloads across hosts and clouds without compromising security.

With security measures in place that are granular enough to protect micro-perimeters immediately surrounding and attached to individual workloads, developers as well as DevOps and security teams will enjoy the flexibility that allows them to work more quickly and successfully.

As containers take on increasingly large tasks, securing them will mean securing perimeters that are smaller than ever.
