I came across this great article by Steve Buchanan from Microsoft today. It addresses the challenges that come with the adoption of containers in enterprise IT. It also shows that Microsoft has successfully shifted from an operating system vendor to a very successful cloud platform that opens up and embraces new technology (with great economic impact for Microsoft, as you might have noticed).

The blog states that the adoption of Kubernetes is now at 48 percent, up from 27 percent, and recommends adapting your workflow to address the multiple new attack vectors that the container orchestration platform itself, the images and the corresponding workflow bring.

Steve brings up many good points on how to secure your container workflow and on best practices to follow:

  • image security
  • usage of secrets
  • usage of verified images
  • usage of a trusted and authenticated registry
  • signing of images
  • building upstream images when your base images have security fixes

For us as IT security practitioners, the number of new things to worry about is scary. It will require us to learn a new language and new skills, get familiar with a new workflow and gain insight into the processes used by the teams that deploy on those platforms.

The missing bit in the article is the access control to containerized applications and workloads on the network level.

This is something that is often forgotten, and my prediction is that with containers and the rise of Kubernetes we will (once again) see wide-open databases exposed to the internet or poorly segmented off from the rest of the infrastructure. The same challenges that apply to your legacy environment (poor segmentation and access control, huge blast radius) also apply to container platforms. Poor application visibility will keep people from limiting connectivity, and the fear of a non-working application or of losing availability will stop people from implementing network access controls in their ingress or egress policies.
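
One way to get the missing visibility is to list every pod that no Kubernetes NetworkPolicy isolates, since such a pod accepts or originates all traffic by default. The following is an added example, not code from the article or from Microsoft. The manifests are constructed sample data, and the selector matching is simplified to `matchLabels`.

```python
# Added example. The pods and policies below are constructed sample manifests.

def policy_types(policy):
    """Effective policyTypes, applying the Kubernetes defaults when unset."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    # Unset: Ingress is always implied, Egress only if egress rules exist.
    return {"Ingress", "Egress"} if spec.get("egress") else {"Ingress"}

def selects(policy, pod):
    """True if the policy is in the pod's namespace and its podSelector matches.
    Simplification: only matchLabels is evaluated, not matchExpressions."""
    if policy["metadata"]["namespace"] != pod["metadata"]["namespace"]:
        return False
    wanted = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    labels = pod["metadata"].get("labels", {})
    return all(labels.get(k) == v for k, v in wanted.items())  # {} selects all

def unisolated(pods, policies):
    """Map 'namespace/name' -> directions in which no policy isolates the pod."""
    findings = {}
    for pod in pods:
        covered = set()
        for policy in policies:
            if selects(policy, pod):
                covered |= policy_types(policy)
        missing = {"Ingress", "Egress"} - covered
        if missing:
            meta = pod["metadata"]
            findings[f'{meta["namespace"]}/{meta["name"]}'] = missing
    return findings

def make_pod(ns, name, app):
    return {"metadata": {"namespace": ns, "name": name, "labels": {"app": app}}}

PODS = [make_pod("shop", "web", "web"), make_pod("shop", "db", "db"),
        make_pod("legacy", "db", "db")]
POLICIES = [
    {"metadata": {"namespace": "shop", "name": "default-deny-ingress"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"namespace": "shop", "name": "db-lockdown"},
     "spec": {"podSelector": {"matchLabels": {"app": "db"}},
              "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}]}},
]

if __name__ == "__main__":
    for name, missing in sorted(unisolated(PODS, POLICIES).items()):
        print(f"{name}: no policy isolates {', '.join(sorted(missing))}")
```

A pod that is absent from the findings is only known to be selected by some policy in each direction. Whether the rules of that policy are tight enough still needs review.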