The below article is a great piece and it accurately describes the problems that I see with IT security and container adoption.
Let's look at what the post states about container adoption. This may actually differ between the US and the rest of the world, but there is a general pattern and it looks like it will not stop, but accelerate. 33% of developers stated that they already use containers, 25% said they want to use them in the next 12 months.
All major companies like Google (ok, they invented big parts of what is now known as Kubernetes), VMware, Microsoft and many others invested huge amounts of money and effort into this technology and bet on it as the future way to deliver applications.
Why is this? What are the advantages containers give to people deploying and developing applications?
- Scale - it is easy to scale your application once you adopt a container or cloud-native pattern. Replicas are easy to spin up, many services scale out of the box, and Kubernetes takes away many of the pains you have when you grow applications to be scalable.
- Agility - spinning up new artefacts or full applications seems to never have been easier than it is now. Just run a container with your favorite OS and webserver, spin up a middleware server that automatically builds your application from git contents, voila.
- Cost reduction - this may not seem obvious, but carefully planned container infrastructure, be it on-premise or in public clouds, is easier to use efficiently in terms of capacity and much easier to scale in terms of getting more capacity. Also, resource usage can automatically be balanced, largely due to the smart nature of Kubernetes and how it handles resources.
With the rise of containers, and the run to deploy containers in your infrastructure, we make the same mistake that we made with other technologies. Security does not keep up with the speed of new and emerging technologies; it did not in the past and it seems this pattern never changes.
The article below sets out some best practices to deal with those challenges, and I would like to comment on some of them.
Key best practices from the article include:
- Automation - this is a key element, not only in the container world; it becomes more and more clear to people that automating security is a must. The rise of DevSecOps is a good sign for that, but it is clear that to not lose track of security you need to make sure it is an automatic part of the process and is not forgotten during stressful deployments or emergencies. This applies even more to the container scenario, not only because of the previously stated reasons, but also because this world is, by nature, much more automated than our traditional IT ever was (e.g. CI/CD pipelines, automatic deployments, A/B testing in deployments, canary deployments, etc.).
- Templating - this always makes sense and it also made sense in the non-container world; it's just easier in a world that is made up of (YAML) templates anyway. Be sure to include security, segmentation and network policy in the template, and you will have a much easier life if this is an inherent part of your workflow. Also, templates are something that can be reused and shared, and they work as an enabler for other parts of the business.
- Training - my personal take on this is that this is the most important part of securing containers. Not only because you need to understand the container space in order to secure it (compare: you need visibility to segment, you need to see what is going on in order to protect), but also because Kubernetes and the whole container space is a fascinating and fun world for everyone deeply involved in technology and security. There are new challenges and different problems, but your experience from previous environments is helpful here and you will easily get to the core of how it will work in container land. It's different, but at the same time it's very similar too.
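To make the automation and templating points concrete, here is an added example (not taken from the article or from any project's code) of a pipeline gate that checks whether a set of manifests carries the security baseline the template should include. The function names, the `shop` namespace, the image name and the particular checks chosen are assumptions for illustration; the manifests are constructed samples.

```python
# Added example: pipeline gate over Kubernetes manifests (plain dicts, as a
# JSON or YAML parser would produce). Sample manifests below are constructed.

def pod_spec(obj):
    # Workload controllers nest the pod spec under spec.template.spec.
    if obj.get("kind") in ("Deployment", "StatefulSet", "DaemonSet"):
        return obj["spec"]["template"]["spec"]
    return obj["spec"] if obj.get("kind") == "Pod" else None

def is_default_deny(obj):
    # Empty podSelector = every pod in the namespace; "Ingress" listed with
    # no ingress rules = all inbound traffic denied until explicitly allowed.
    spec = obj.get("spec", {})
    return (obj.get("kind") == "NetworkPolicy" and spec.get("podSelector") == {}
            and "Ingress" in spec.get("policyTypes", []) and not spec.get("ingress"))

def namespace(obj):
    return obj["metadata"].get("namespace", "default")

def audit(manifests):
    findings = []
    guarded = {namespace(m) for m in manifests if is_default_deny(m)}
    for m in manifests:
        spec = pod_spec(m)
        if spec is None:
            continue
        where = f"{namespace(m)}/{m['metadata']['name']}"
        if namespace(m) not in guarded:
            findings.append(f"{where}: no default-deny NetworkPolicy in namespace")
        pod_sc = spec.get("securityContext", {})
        for c in spec.get("containers", []):
            sc = c.get("securityContext", {})
            # Container-level runAsNonRoot overrides the pod-level value.
            if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
                findings.append(f"{where}/{c['name']}: runAsNonRoot not set")
            if sc.get("allowPrivilegeEscalation", True):
                findings.append(f"{where}/{c['name']}: allowPrivilegeEscalation not false")
    return findings

def deployment(name, ns, container_sc):  # builder for constructed samples
    return {"kind": "Deployment", "metadata": {"name": name, "namespace": ns},
            "spec": {"template": {"spec": {"containers": [
                {"name": "web", "image": "registry.example/web:1.0",
                 "securityContext": container_sc}]}}}}

DENY = {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "shop"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
WEAK = [deployment("web", "shop", {})]
HARDENED = [DENY, deployment("web", "shop",
            {"runAsNonRoot": True, "allowPrivilegeEscalation": False})]
```

In a pipeline, the step would exit non-zero whenever `audit()` returns findings, so a deployment without the baseline never leaves CI.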
Here is what I would add to the mix: a couple of things that I learned while walking into container land that will help you get up to speed much faster and hopefully embrace this new technology and be a security partner for your colleagues from development, DevOps and the rest of the container part of the organization.
- Embrace containers - do you often find yourself in a situation where you want to spin up an operating system just to test something like a new security tool, a new version of Kali or whatever you need to do to make your life easier? Try to do it with containers. I can recommend running Docker for Desktop to quickly spin up new stuff or work with a CentOS 6 version of tool xyz.
- Run Kubernetes - do you feel like those container cowboys speak a different language than you? They talk YAML to you? Get familiar with the terms being used and understand them; this will get you closer to the container teams, let you be a serious sparring partner and make you much more of a team member.
- Build a career path - knowing containers will be very beneficial if you are into evolving your IT security career. The bad part is that headhunters will likely call you more often if you state this in your LinkedIn profile.
As with traditional security, be sure that you get all the visibility you can into the container traffic and apply the same segmentation and security practices that you did in your on-premise environments.
However, it is important that security pros are brought into the adoption process to ensure that they have a strategy in place to secure the use of these containers.