Container security meets Kubernetes: What IT pros need to know
- by 7wData
Docker brought containers into the enterprise; static scanning makes sure they are secure when the images are created. Who watches them when they run?
Docker made it possible to have an exact copy of the core elements of the operating system and the application code in a single, manageable file. BusyBox, the simplest production-ready Docker image, is only 2.1MB. That is small enough to check into version control and small enough to copy around on the network. It's small enough that every build can be security scanned.
That point-in-time scanning sounds impressive, but it isn't enough.
Production containers are computers running in a network that is a cluster, likely Kubernetes. Once they are running, any administrator with access can open a shell into them and change the configuration or permissions. For that matter, Kubernetes lets every pod talk to every other pod by default; nothing is blocked until a network policy says so. Auditors tend to care more about the security of the production systems than about some images in version control. That means hardening for HIPAA, PCI, Sarbanes-Oxley (SarBox), and other standards, along with producing the reports the auditors want to see.
As Homer Simpson once said, "Can't someone else do it?"
Instead of running as one more step on a build server, StackRox is a cloud-native security product. It runs inside Kubernetes, with enough privileges to inspect each node in the cluster. It can inspect the nodes for compliance, and also how Kubernetes itself is configured. Once the policies are in place, an administrator shouldn't be able to log into a container and change it. StackRox can also monitor the interaction between containers and generate Kubernetes NetworkPolicy YAML that limits pod-to-pod communication to what it should be. As Michelle McLean, head of community for StackRox, puts it, "Pull rich context from Kubernetes, then push policies into Kubernetes."
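The two problems above, containers that may run as root and a cluster where every pod can reach every other pod, can both be checked and corrected from the Kubernetes API objects themselves. The following is an added example written for this article, not StackRox's code: it audits pod specs (in the shape `kubectl get pods -o json` returns) for containers that run as uid 0, have no `runAsNonRoot`/`runAsUser` setting, or are privileged, and builds a default-deny NetworkPolicy plus one explicit allow rule. The pod records are constructed samples; the policy names and labels (`default-deny-all`, `app=...`) are assumptions for the example.

```python
"""Audit pod specs for root/privileged containers and build NetworkPolicy
objects. Added example for this article, not StackRox's code."""
import json

# Constructed sample: a trimmed version of what `kubectl get pods -A -o json`
# returns (only the fields the audit reads).
SAMPLE_PODS = [
    {"metadata": {"name": "web", "namespace": "shop"},
     "spec": {"securityContext": {"runAsNonRoot": True},
              "containers": [{"name": "nginx", "image": "nginx:1.25",
                              "securityContext": {"runAsUser": 101}}]}},
    {"metadata": {"name": "batch", "namespace": "shop"},
     "spec": {"containers": [{"name": "job", "image": "busybox:1.36"}]}},
    {"metadata": {"name": "agent", "namespace": "ops"},
     "spec": {"containers": [{"name": "agent", "image": "agent:2",
                              "securityContext": {"privileged": True,
                                                  "runAsUser": 0}}]}},
]


def container_findings(pod):
    """Return a list of (container name, issue) for one pod."""
    pod_sc = pod["spec"].get("securityContext", {})
    findings = []
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        # Pod-level securityContext applies unless the container overrides it.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if run_as_user == 0:
            findings.append((c["name"], "runs as uid 0"))
        elif run_as_user is None and not non_root:
            # Nothing in the spec stops the image's default user, often root.
            findings.append((c["name"], "may run as root: no runAsUser/runAsNonRoot"))
        if sc.get("privileged"):
            findings.append((c["name"], "privileged container"))
    return findings


def audit(pods):
    """Map 'namespace/pod' -> findings, listing only pods that have any."""
    report = {}
    for pod in pods:
        key = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        issues = container_findings(pod)
        if issues:
            report[key] = issues
    return report


def default_deny_policy(namespace):
    """NetworkPolicy that selects every pod in the namespace and lists no
    ingress/egress rules, so all traffic Kubernetes would allow by default
    is blocked until an explicit allow policy is added."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-all", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    }


def allow_policy(namespace, name, to_app, from_app, port):
    """NetworkPolicy re-opening one path: pods labelled app=from_app may reach
    pods labelled app=to_app on the given TCP port. Labels are assumed."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": to_app}},
            "policyTypes": ["Ingress"],
            "ingress": [{
                "from": [{"podSelector": {"matchLabels": {"app": from_app}}}],
                "ports": [{"protocol": "TCP", "port": port}],
            }],
        },
    }


if __name__ == "__main__":
    for pod, issues in audit(SAMPLE_PODS).items():
        for container, issue in issues:
            print(f"{pod} [{container}]: {issue}")
    # kubectl accepts JSON as well as YAML: kubectl apply -f deny.json
    print(json.dumps(default_deny_policy("shop"), indent=2))
    print(json.dumps(allow_policy("shop", "web-from-gateway", "web", "gateway", 8080), indent=2))
```

The default-deny policy is the starting point; each `allow_policy` then documents one intended path, which is the "limit pod-to-pod communications to what they should be" result the article describes, only here written by hand from a list of known flows rather than learned from observed traffic.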
McLean sees this as a tool to bring Security into DevOps. She explains, "We bridge security and DevOps. DevOps is trying to learn how to run and configure Kubernetes. Security understands compliance and auditing, but does not understand the infrastructure enough to get that information." Beyond that, the two groups don't even share a common language in which to ask the questions.
With web services and microservices exposed to the open internet, a cloud-native runtime auditor can tell if someone is running a port scan by examining the processes running inside a container. Likewise, the tool can tell which processes are running as root.
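The runtime side of that check is a process inventory compared against what each image is expected to run. Below is an added example for this article (not StackRox's code) that parses `ps -eo user,pid,ppid,comm` output from a container and reports processes that run as root or that are not in the image's baseline. The listings are constructed samples, and the per-image baseline is an assumption for the example; on a real cluster the listing would come from a node agent reading `/proc` or from `kubectl exec <pod> -- ps -eo user,pid,ppid,comm`.

```python
"""Runtime process audit for containers. Added example for this article,
not StackRox's code; baseline and listings are constructed."""

# Assumed per-image allow-list of process names expected at runtime.
BASELINE = {
    "nginx:1.25": {"nginx"},
    "busybox:1.36": {"sh", "sleep"},
}

# Constructed `ps -eo user,pid,ppid,comm` output for two running containers,
# keyed by (namespace/pod, image).
SAMPLE_PS = {
    ("shop/web", "nginx:1.25"): """\
USER       PID  PPID COMMAND
nginx        1     0 nginx
nginx       12     1 nginx
""",
    ("shop/batch", "busybox:1.36"): """\
USER       PID  PPID COMMAND
root         1     0 sh
root         7     1 sleep
root        31     1 nmap
""",
}


def parse_ps(text):
    """Parse `ps -eo user,pid,ppid,comm` output into dicts, skipping the header."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # blank or truncated line
        user, pid, ppid, comm = parts
        procs.append({"user": user, "pid": int(pid), "ppid": int(ppid), "comm": comm})
    return procs


def check_container(image, procs):
    """Findings for one container: root processes and off-baseline processes."""
    allowed = BASELINE.get(image, set())  # unknown image -> nothing is expected
    findings = []
    for p in procs:
        if p["user"] == "root":
            findings.append(f'pid {p["pid"]} {p["comm"]} runs as root')
        if p["comm"] not in allowed:
            findings.append(f'pid {p["pid"]} {p["comm"]} not in baseline for {image}')
    return findings


def audit_cluster(listings):
    """Map 'namespace/pod' -> findings for every container that has any."""
    report = {}
    for (pod, image), text in listings.items():
        findings = check_container(image, parse_ps(text))
        if findings:
            report[pod] = findings
    return report


if __name__ == "__main__":
    for pod, findings in audit_cluster(SAMPLE_PS).items():
        for f in findings:
            print(f"{pod}: {f}")
```

Note that the check flags a process on two independent grounds: running as root is a problem even for an expected process, and an unexpected process is worth a look even if it runs unprivileged. The baseline should be per image, not per cluster, since what is normal for a web server is not normal for a batch job.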