I came across this great article by Steve Buchanan from Microsoft today, and it addresses the challenges that come with the adoption of containers in enterprise IT. It also shows that Microsoft has successfully shifted from an Operating System vendor to a very successful cloud platform that opens up and embraces new technology (with great economic impact for Microsoft, as you might have noticed).
The blog states that the adoption of Kubernetes is now at 48 percent, up from 27 percent, and recommends adapting your workflow to address the multiple new attack vectors that the container orchestration platform itself, the images and the corresponding workflow bring.
Steve brings up many good points on how to secure your container workflow and on best practices to follow:
- image security
- usage of secrets
- usage of verified images
- usage of a trusted and authenticated registry
- signing of images
- building upstream images when your base images have security fixes
As IT security practitioners, we face a scary amount of new things to worry about. They will require us to learn a new language and new skills, get familiar with a new workflow, and get insights into the processes used by the teams that deploy on those platforms.
The missing bit in the article is access control for containerized applications and workloads at the network level.
This is something that is often forgotten, and my prediction is that with containers and the rise of Kubernetes we will (once again) see wide open databases exposed to the internet or poorly segmented from the rest of the infrastructure. The same challenges that apply to your legacy environment (poor segmentation and access control, huge blast radius) also apply to container platforms. Poor application visibility will keep people from limiting connectivity, and the fear of a non-working application or of losing availability will stop people from implementing network access controls in their ingress or egress policies.
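To make the network-level point concrete, here is an added example (not from Steve's article or from this post) of the Kubernetes NetworkPolicy objects that close a database off at the platform level: a default-deny for the namespace, followed by an explicit allow for the application tier only. The namespace names, labels and port are assumptions for illustration.

```yaml
# Added example: default-deny for a hypothetical "data" namespace.
# Without such a policy Kubernetes allows all pod-to-pod traffic by default,
# which is the "wide open database" case described above.
# NetworkPolicy is only enforced if the cluster's CNI plugin supports it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: data            # assumed namespace holding the database pods
spec:
  podSelector: {}            # empty selector: applies to every pod in "data"
  policyTypes:
  - Ingress
  - Egress                   # no rules listed, so nothing in and nothing out
---
# Explicit allow: only the API pods from the "app" namespace may reach
# the database, and only on the PostgreSQL port. Everything else stays denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-postgres
  namespace: data
spec:
  podSelector:
    matchLabels:
      app: postgres          # assumed label on the database pods
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: app   # assumed application namespace
      podSelector:
        matchLabels:
          role: api          # assumed label on the application pods
    ports:
    - protocol: TCP
      port: 5432
```

Because the default-deny lists Egress, the database pods also lose DNS until you add an egress rule to the cluster DNS service, so test that before rolling it out; `kubectl describe networkpolicy -n data` shows which pods each policy selects.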
At the same time, the modernization of infrastructure and applications is driving the rapid growth of containers and container orchestration platforms as a part of DevOps. The most popular orchestration platform for running containers is Kubernetes. Results from the RightScale 2019 State of the Cloud Report show that “Container use is up, and Kubernetes use is skyrocketing. The use of Docker containers continues to grow, with adoption increasing to 57 percent from 49 percent in 2018. Kubernetes achieving even faster growth, increasing from 27 percent to 48 percent adoption.”