What are you really securing - Containers only or your entire cloud?

As microservice-based applications continue to grow in significance, many organizations are finding themselves in the middle of grassroots efforts to build out new container-based environments that are simple, scalable, and secure. From a security perspective, we as an industry have the unique opportunity to advance our applications and infrastructure by developing new security technologies and practices that are as flexible as the DevOps frameworks they run in.

In fact, as we explore migrating the individual components of our legacy applications to microservices, we are afforded an opportunity to revisit the security practices not only for our new container environments but also for the components that are not well suited to microservices. The modern application will inevitably be composed of a mixture of container, VM, physical, and public cloud workloads. A truly holistic security approach would be flexible enough to secure all of these asset types with the same enforcement capabilities.

Similar to other workload types, containers are simply running instantiations of software packaged into a specific format (referred to as an image). Like all software, images can contain vulnerabilities that would allow an attacker to gain control of the workload for malicious purposes. Today, many of the container security solutions focus on the image by providing vulnerability scanning and digital signature services.

As history has taught us, we have to face the realization that image security only gets you so far. We cannot predict the next zero-day exploit, nor can we assume that our containerized workloads will never be compromised. Because of this, the ability to implement advanced, application-aware segmentation within container environments is becoming increasingly important.

Now consider all of the great infrastructure automation that comes with a modern Platform as a Service (PaaS). By allowing our application teams to describe the infrastructure as code, all of that tedious configuration work to stand up an application is completely abstracted away. Our IT operations teams can now just sit back and relax without a care in the world, right? Wait one second, does that mean the network is abstracted away as well? It sure does! And so are all of the network-based segmentation controls that we have relied on for so many years. In fact, most container networks are completely flat, so a single compromised container can reach any other container running in that environment.

While container/PaaS environments provide a massive step forward in agility, these dynamic infrastructures typically push most security teams past the red line of what they can handle. How do you protect a workload that only lasts for a week, a day, or even a few seconds? How do you ensure that containers of different security classifications do not co-exist on the same network segment?

To address this problem, open source projects like Calico and Cilium are actively working on container network segmentation solutions. vArmour’s Distributed Security System (DSS) as well as a few SDN vendors are developing solutions as well. While the level of protection varies widely, all of these segmentation solutions have a few properties in common:

  • Distributed Software Architectures - The security controls must exist on the same host as the workload. Traffic no longer needs to leave the host to be processed. Traditional firewalls and security appliances (be they physical or virtual) are dead when it comes to microservice environments.
  • Automated Security Provisioning - The underlying network security insertion mechanism is implemented at workload runtime, not through a separate provisioning step.
  • Dynamic Policy - Intent-driven policy is derived from workload metadata (labels, images, topology, etc.) so that the correct policy is applied to each workload automatically, without a firewall change request.
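As an added illustration (not from the original post and not vArmour's own product configuration), here is what label-derived segmentation looks like in plain Kubernetes NetworkPolicy terms, which Calico and Cilium both enforce: a default-deny that removes the flat network, followed by an allow rule keyed entirely on workload labels, so a new replica with the right label is covered the moment it is scheduled. The namespace, label names and port are constructed for the example.

```yaml
# Default deny for the namespace. Without this the namespace behaves
# like a flat network: any compromised pod can reach any other pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments            # constructed namespace name
spec:
  podSelector: {}                # empty selector = every pod in the namespace
  policyTypes:
    - Ingress                    # no ingress rules listed, so all ingress is denied
---
# Intent-driven allow rule derived from labels only: pods labelled app=api
# may reach pods labelled app=db on TCP/5432, and nothing else may.
# Scaling "api" up or replacing its pods needs no change request;
# the label carries the intent.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: db                    # constructed label; the protected workload
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api           # constructed label; the permitted client
      ports:
        - protocol: TCP
          port: 5432             # constructed port for the example database
```

Extending the default deny to Egress is the natural next step, but then DNS (UDP/53 to the cluster resolver) must be explicitly allowed or pods stop resolving names. The API server accepts these objects regardless of the network plugin, so confirm that the installed CNI (Calico, Cilium, etc.) actually enforces NetworkPolicy before relying on it.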

The innovation in these modern security technologies is driving massive operational and scale improvements compared to traditional security solutions such as appliance-based or host-based (agent) firewall technologies. No longer are we limited by the traffic engineering challenges and scale constraints of an external security appliance, or by the supported operating system list of an agent. Distributed security technologies ensure that security is “built into the architecture” instead of just being bolted on.

Sounds great, right? Out with the old security tech and in with the new, along with all of the benefits covered above. But wait - what about your applications that span container, VM, and/or physical workloads? Most container segmentation solutions only apply to container environments. By leveraging a security technology that only focuses on one type of infrastructure, you are forced to implement a disjointed security approach to protect the entirety of these multifaceted applications. Multiple security technologies equal complexity. As any seasoned security professional is well aware, “Complexity is the worst enemy of security”.

Providing consistent network security enforcement across all workload types (container, VM, and/or bare-metal physical) requires a truly robust solution. The vArmour Distributed Security System (DSS) is the only solution today that provides complete coverage across all workload types.

vArmour also provides unique application access insights within container environments. With vArmour, you can gain workload insights across your hybrid environment with three pillars of deep inspection for protection:

  1. Application Knowledge: Know what applications are running in the data center.
  2. User Information: Who is using the application? Are they authorized to access and use it?
  3. Metadata Insights: What is being accessed within the application? Does the login name match the user information? Is the logged-in user authorized to access the objects of the application?

With vArmour’s fabric-based security, the modern properties of microservice security can be realized across your entire IT infrastructure, with no additional hardware investment whatsoever.

See vArmour CTO Marc Woolward’s excellent webinar on Container Security here
