A major concern in the niche cybersecurity field of DevSecOps is microservices and container security. Just as true in cybersecurity as it is in athletics, building and maintaining great defense lifts an operation out of constant “fire-fighting” mode and up to a place where it can be proactive about growing the business. The thing to remember is that great cybersecurity begins with great security planning. As Benjamin Franklin advised, “A failure to plan is a plan to fail.”
Traditional software development produced large, all-inclusive applications. Today these are referred to as “monolithic” applications and their biggest challenge is that if something goes wrong it may bring the entire application down causing operational disruption until modifications can be achieved. Another challenge is that it is often difficult for new programmers to improve upon or even understand what their predecessors had done in writing the original code.
What are microservices in DevOps?
More recently, developers of code and operators of the systems that run it realized that more could be accomplished by aligning their operations, tools, and practices. This has resulted in the creation of DevOps.
One of the primary goals of DevOps is to achieve continuous improvement through continuous development and deployment (CI/CD). This calls for rapid release of new code improvements followed by immediate feedback gathering by the operators who feedback to the developers who create more new improvements and repeats the cycle as the operators deploy the new code.
The key to DevOps success lies in keeping everything moving quickly. Development, Deployment, Feedback, Repeat. Monolithic programming doesn’t lend itself to rapid improvement. Microservices do.
In this exploding development environment applications are created as an assembly of many microservices each of which performs a specific function. As that function is needed, an instance of the corresponding microservice is released in a container that includes all of the libraries and other resources required for that microservice to function. This modularity and completeness of packaging lends itself perfectly to the distributed processing nature of cloud computing.
Security of Microservices and Containers
There are multiple points of vulnerability which must be addressed to assure the security of containers and their microservice payloads.
1. Secure the container host
Select a reliable, well-supported container-focused operating system to host your containers. This will help reduce your overall attack surface by removing services that aren’t required to host your container workloads. Add monitoring tools so you are aware of the health of the hosts. Using a managed container service from a reputable cloud service provider eliminates the need for you to manage this. They secure the host on your behalf and you simply run your containers.
2. Secure the networking environment
Traffic moving to and from the internet should leverage an Intrusion Prevention System (IPS) and web filtering in order to stop attacks and filter malicious content. An IPS should also be deployed to monitor traffic between containers.
3. Secure your management stack
To comply with NIST container security guidelines, ensure that your container registry is properly secured and monitored. Lock down your Kubernetes installation and take advantage of features like Pod and network policies to enforce your security and development standards.
Build on a secure foundation - Make sure to review and watch for communications from the project teams regarding any dependencies used in applications. When they patch their software, you’ll need to integrate those changes in order to reduce the risk to your application.
Use a container image scanner to verify that your containers don’t contain any malware (top 48 malware attacks) or other known vulnerabilities, exposed secrets, as well as sweep for custom indicators of compromise (IoCs). This allows you to mitigate any risk before developing further or deploying to production.
4. Secure your build pipeline
A thorough and consistent access control scheme is a must. Ensuring that only authorized users can access code repositories, integrate branches, and trigger builds that get pushed to production is a critical step to safeguarding the integrity of your pipeline.
5. Secure your application
Code should follow best practices in order to increase quality. Most security container vulnerabilities are a result of simple mistakes or poor design choices. Focusing on code quality always pays security dividends. Use runtime self-protection controls to surface and identify security vulnerabilities and issues in specific lines of code. This helps close the gap during root cause analysis and leads to better overall security outcomes.
6. Securing Your People
There are two classifications of personnel you must consider and plan for; those that are assigned to manage and provide cybersecurity to the organization and those who are not.
The primary challenge in terms of cybersecurity personnel is the sheer shortage of qualified candidates or the ability to implement cybersecurity training. Four out of five hiring managers report concerns about finding people with the required skills. Many are turning to a strategy of training their existing staff.
Once hired, the next challenge is keeping security personnel challenged! If they’re successful their job soon becomes a maintenance routine keeping what they’ve built running. This gets old quickly so management needs to continuously be finding new projects and roles to keep each employee stimulated and engaged.
Users, as we’ve observed already, are the most vulnerable component of any network. Unlike digital devices their responses will be varied, and unpredictable. They may miss things or make mistakes. As such, the only solution available is constant re-iteration of training on the best practices and processes involved in protecting the organization’s valuable data assets.
Innovative developers are applying AI to human exposures such as phishing messages, prescreening them to improve the odds of catching phish.
7. Involve Experts
By now the complexity of planning effective cybersecurity is very clear to you. Each layer of the ISO-OSI model is a science unto itself and determining best security policies for each requires some expertise in that science. One of the best container security tools is going to be the experts that implement the container security platform and/or container security vendors. Your friends at New Horizons can recommend excellent experts at every level, but perhaps more important is to recommend that you approach the development of your cybersecurity plans, processes, policies, and procedures very seriously.
In this case, a failure to plan may become a plan to close your doors. Securing containers is just one piece of a comprehensive cybersecurity plan. Schedule a free cybersecurity consultation with a New Horizons cybersecurity expert now to review your plan.
