
Containerized application environment security: these 8 security checks are required

2025-02-25 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article is reproduced from "Safety cattle"; the original author is nana.

Containers can abstract applications from the underlying infrastructure, enabling developers to package applications into smaller modules that can run on different servers, making it easier to deploy, maintain and upgrade applications.

However, securing containerized applications differs somewhat from securing traditional application environments: vulnerabilities in containerized applications are harder to find, the base images they rely on are often unverified, and standardization in the container field is still developing. More importantly, containers are quick and convenient to spin up and discard, which makes them fleeting from a security point of view.

"Even if container technology is a new concept for the company that deploys it, the idea behind it should be familiar," says Kirsten Newcomer, senior chief product manager at Red Hat.

Companies should consider the security of the application stack before deploying containers and throughout the life cycle of the application container. "Although the container inherits many of the security features of Linux, there are still some specific issues to consider in this application model."

Here are eight aspects that companies need to check when deploying containers:

1. Secret management

Just as you need to securely manage secrets such as passwords, API keys and tokens in other application environments, corresponding secret management controls are needed in container environments.

Many containerized applications need access to sensitive information such as usernames and passwords, so your container platform has to support secret-handling features: encrypting secrets by default, retrieving and injecting secrets automatically when a container starts, and preventing a container from reading the secrets of other containers.

2. Image source

You have to trust the base image that hosts your container application. This means you need to know where these images come from, the source code used to build them, how and where they are built, the software they run, and whether they have any known security issues.

Container images are the foundation of applications in a production environment. The most important thing a company needs to do is to make sure that its underlying container image is validated, trusted, and supported.

Be sure to check the image code for security vulnerabilities before deciding that an image is trusted. Container images are often downloaded from untrusted sources, or from outside what the enterprise has planned for, so image integrity needs to be managed and checked.
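One way to make the "know where the image comes from" check enforceable is an admission gate that rejects image references that are not pinned by digest or that come from a registry you have not approved. This is an added example, not code from the article or from any specific product; the approved-registry list and the sample references are constructed.

```python
"""Image provenance gate: admit only image references that are digest-pinned
and pulled from an approved registry. Added example, not the article's code;
APPROVED_REGISTRIES and the sample references are constructed."""
import re

APPROVED_REGISTRIES = {"registry.internal.example", "quay.io"}  # constructed

# reference grammar: [registry/]repo[:tag][@sha256:<64 hex digits>]
_REF = re.compile(
    r"^(?:(?P<registry>[^/]+\.[^/]+|localhost(?::\d+)?)/)?"
    r"(?P<repo>[a-z0-9._/-]+?)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_reference(ref: str) -> dict:
    """Split an image reference into registry, repo, tag and digest."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    parts = m.groupdict()
    # No registry component means the implicit default, Docker Hub.
    parts["registry"] = parts["registry"] or "docker.io"
    return parts


def evaluate_reference(ref: str) -> list:
    """Return policy violations; an empty list means the image is admissible."""
    try:
        parts = parse_reference(ref)
    except ValueError as err:
        return [str(err)]
    problems = []
    if parts["registry"] not in APPROVED_REGISTRIES:
        problems.append(f"registry {parts['registry']!r} is not approved")
    if not parts["digest"]:
        # A tag can be re-pointed at different content; a digest cannot.
        problems.append("reference is not pinned by digest (mutable tag)")
        if parts["tag"] in (None, "latest"):
            problems.append("floating 'latest' tag gives no reproducible build identity")
    return problems
```

A deployment pipeline would call `evaluate_reference` on every image in a manifest and refuse to proceed when the list is non-empty.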

3. Container workflow visibility

Containers and container orchestration tools make it difficult for security teams to track application traffic and may cause applications to be accidentally exposed to risk.

Therefore, the toolset used by the enterprise should be able to drive visibility into processes within and between containers. This visibility is key to ensuring that the enterprise understands the container process workflow.

Container orchestration platforms such as Docker, Kubernetes, and OpenShift should also have container workflow visibility, which can bring benefits in process dependency mapping, policy creation, and enforcement.

4. Standardized configuration and deployment

Container configuration with security vulnerabilities may expose the IT environment to a higher risk of data disclosure and loss of sensitive information. Enterprises that want to deploy containers need to standardize the configuration and deployment process.

In this regard, enterprises should adopt a compliance-as-code approach to check whether Docker host deployments comply with the standards published by the Center for Internet Security (CIS).

In addition, DevOps pipelines should integrate security tools and APIs for use by developers and DevOps teams. Enterprises should start collecting container metadata and deployment-specific logs to gain insight into newer provisioning environments such as Kubernetes.
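As an added illustration of compliance-as-code for a Docker host (not code from the article), the following checks a daemon.json against several daemon-level settings recommended by the CIS Docker Benchmark; the expected values, the daemon defaults used for absent keys, and both sample configurations are constructed here.

```python
"""Compliance-as-code check of a Docker daemon.json against several CIS
Docker Benchmark daemon recommendations. Added example, not the article's
code; expected values and the sample configs are constructed."""
import json

# daemon.json key -> (value the benchmark expects, what the setting does)
CHECKS = {
    "icc": (False, "restrict inter-container traffic on the default bridge"),
    "userland-proxy": (False, "disable the userland proxy"),
    "live-restore": (True, "keep containers running if the daemon stops"),
    "no-new-privileges": (True, "block privilege gain via setuid/setgid binaries"),
    "log-level": ("info", "keep daemon logging at 'info'"),
}
# Value the daemon uses when the key is absent from daemon.json.
DEFAULTS = {"icc": True, "userland-proxy": True, "live-restore": False,
            "no-new-privileges": False, "log-level": "info"}

def check_daemon_config(config: dict) -> list:
    """Return (key, status, detail) tuples; status is 'PASS' or 'FAIL'."""
    results = []
    for key, (want, desc) in CHECKS.items():
        got = config.get(key, DEFAULTS[key])  # absent key means daemon default
        results.append((key, "PASS" if got == want else "FAIL",
                        f"{desc}: got {got!r}, want {want!r}"))
    remap = config.get("userns-remap", "")  # empty/absent: no user namespaces
    results.append(("userns-remap", "PASS" if remap else "FAIL",
                    f"enable user namespace support: got {remap!r}"))
    insecure = config.get("insecure-registries", [])
    results.append(("insecure-registries", "FAIL" if insecure else "PASS",
                    f"no plaintext/unverified registries: got {insecure!r}"))
    return results

def failures(daemon_json: str) -> list:
    """Keys that fail the benchmark for the given daemon.json text."""
    return [k for k, status, _ in check_daemon_config(json.loads(daemon_json))
            if status == "FAIL"]

# Constructed sample: a host that was never hardened.
WEAK_DAEMON_JSON = json.dumps({
    "log-level": "debug",
    "insecure-registries": ["registry.internal.example:5000"],
})
# Constructed sample: the same host after applying the recommendations.
HARDENED_DAEMON_JSON = json.dumps({
    "icc": False, "userland-proxy": False, "live-restore": True,
    "no-new-privileges": True, "log-level": "info",
    "userns-remap": "default", "insecure-registries": [],
})
```

Run against the real file with `failures(open("/etc/docker/daemon.json").read())`; a non-empty list is the drift report a CI job can fail on.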

5. Discovery and monitoring

If you want to protect the container environment, you need to be able to discover and track container usage within the enterprise. Enterprises must have security controls to detect potential problems such as resource bottlenecks and vulnerabilities.

Enterprises also need effective vulnerability management, compliance operations, and container-native intrusion detection/prevention.

6. Container-specific host operating system

To reduce the attack surface of your container environment, NIST advises against using a general-purpose operating system on container hosts. A container-specific operating system is a stripped-down version of the OS designed purely to run containers; it excludes unrelated functions and services, leaving attackers the fewest opportunities to break in.

7. Container risk priority

The key to effective security is prioritizing the risk of the most important containers. Data from vulnerability scanning, secret management, provisioning settings, service configuration, user rights, and registry metadata provides a great deal of information and context about threats to the container environment. This data should be used to identify the largest threat exposures in the enterprise environment so that developers can address them when creating container applications.

8. Container grouping

Running containers with different threat profiles on the same host operating system kernel increases the risk faced by all of the applications. NIST recommends grouping containers by purpose, sensitivity level, and threat profile. Separating containers in this way provides defense in depth and prevents an attacker who compromises one group of containers from extending that foothold to others.
