Organizations are increasingly embracing containers and serverless platforms in the cloud. Gartner predicts that by 2024, 75% of large enterprises in mature economies will use containers in production, up from less than 35% today. Containerized environments help businesses deploy and scale applications much faster, but these benefits come with new risks.
Yet Gartner's findings reveal that organizations are deploying containers and serverless workloads without implementing adequate security measures during development or at runtime.
Native security capabilities in container engines and orchestration platforms like Docker and Kubernetes are limited. Traditional security solutions like rule-based products and antivirus-centric tools were not designed for the dynamic security profiles of virtual machines, containers, orchestration platforms, and serverless workloads. As organizations expand their cloud-native footprint, it is essential to implement appropriate security controls to protect containers and cloud workloads.
Containers expose organizations to new security gaps
Containerized environments accelerate deployment velocity. However, the dynamic nature of containers and orchestration platforms exposes new vulnerabilities and security gaps. For example, an attacker could exploit misconfigurations in Kubernetes, such as over-privileged service accounts or pods allowed to run as privileged containers, and use that foothold to take control of every workload in the cluster. Container security involves several other challenges:
- Cloud workloads are ephemeral
Cloud workloads and containers are highly dynamic: they are spun up and torn down based on capacity demands. Traditional perimeter and network security controls are less effective when workloads come and go, as there is no well-defined perimeter and no stable network addresses. Incident handling also becomes a challenge: unless they are forwarded off the host, logs and other forensic artifacts vanish when a container is restarted or destroyed in response to a security incident.
- Containers lack adequate isolation
Unlike the hypervisor-based architecture of virtual machines, containers provide weaker isolation. All containers on a node share the same host operating system (OS) kernel, so a kernel vulnerability, a privileged container, or a host path mounted into a container can turn the compromise of one container into a compromise of the host and, from there, of every other container sharing it.
- Pod-to-pod communications are vulnerable
Cloud workload clusters contain multiple deployable instances, or pods, which share network and storage resources. Deploying containers across multiple physical machines and cloud domains increases inter-pod lateral (east-west) traffic. Kubernetes pod networking is allow-all by default: the NetworkPolicy API exists, but it restricts nothing until policies are written, and it is enforced only when the cluster's CNI plugin implements it. Without such policies, an attacker who compromises one pod can reach, and spread to, every other pod in the cluster.
In a containerized infrastructure, vulnerabilities in container runtimes like Docker, container images pulled from public registries, and gaps in Kubernetes security all expand the attack surface. Organized threat actors have abused legitimate cluster-visualization tools such as Weave Scope to gain persistent control of exposed Docker instances. In one Docker Hub incident, a malicious Docker image was pulled 5 million times before being detected and removed.
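The three gaps above (over-privileged pods, weak isolation from the host, and default-allow pod networking) can be checked mechanically against the manifests an organization deploys. The following is an added example, not code from the article or from any CWPP vendor: it audits Pod manifests for privilege escalation paths and unpinned images, and checks which namespaces lack a default-deny ingress NetworkPolicy. Manifests are represented as plain Python dicts with the same field names the Kubernetes API uses; the `payments` namespace, the image names, and the sample manifests are constructed for illustration.

```python
"""Audit Kubernetes manifests for the isolation and networking gaps described above.

Added example, not from the article or any vendor. Manifests are dicts with
the same structure as the YAML/JSON the Kubernetes API server accepts.
"""

# Capabilities that, when added to a container, commonly enable host escape.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE", "DAC_READ_SEARCH"}


def audit_pod(pod):
    """Return a list of findings for one Pod manifest (empty means clean)."""
    findings = []
    meta = pod.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    spec = pod.get("spec", {})

    # Sharing host namespaces collapses the boundary between pod and node.
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field):
            findings.append(f"{name}: {field} is enabled")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath volume {vol['hostPath'].get('path')} mounted")

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}:{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        # Kubernetes defaults allowPrivilegeEscalation to true; require an explicit false.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation not set to false")
        # Container-level settings override pod-level ones.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and uid in (None, 0):
            findings.append(f"{cname}: may run as root")
        added = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(added & DANGEROUS_CAPS):
            findings.append(f"{cname}: adds capability {cap}")
        # A tag can be silently re-pointed at a different image; a digest cannot.
        image = c.get("image", "")
        if "@sha256:" not in image:
            findings.append(f"{cname}: image {image!r} not pinned by digest")
    return findings


def is_default_deny_ingress(policy):
    """True if a NetworkPolicy selects every pod in its namespace and allows no ingress."""
    spec = policy.get("spec", {})
    selects_all = spec.get("podSelector", {}) == {}
    # policyTypes defaults to Ingress when omitted.
    covers_ingress = "Ingress" in spec.get("policyTypes", ["Ingress"])
    return selects_all and covers_ingress and not spec.get("ingress")


def namespaces_without_default_deny(namespaces, policies):
    """Namespaces where pod-to-pod traffic is still allow-all."""
    covered = {p["metadata"]["namespace"] for p in policies if is_default_deny_ingress(p)}
    return sorted(set(namespaces) - covered)


# Constructed sample manifests: a weak debugging pod and a hardened service pod.
WEAK_POD = {
    "metadata": {"name": "debug", "namespace": "payments"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "shell",
            "image": "docker.io/library/busybox:latest",
            "securityContext": {"privileged": True},
        }],
    },
}
HARDENED_POD = {
    "metadata": {"name": "api", "namespace": "payments"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "api",
            "image": "registry.example.com/payments/api@sha256:" + "a" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}
DEFAULT_DENY = {
    "metadata": {"name": "default-deny-ingress", "namespace": "payments"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        for finding in audit_pod(pod):
            print(finding)
    print("allow-all namespaces:", namespaces_without_default_deny(["payments", "default"], [DEFAULT_DENY]))
```

Run against the samples, the weak pod produces five findings (host PID namespace, privileged container, no explicit `allowPrivilegeEscalation: false`, possible root, unpinned image) and the hardened pod none; the `default` namespace is reported as allow-all because only `payments` carries a default-deny policy. Note that a default-deny policy only has effect on clusters whose CNI plugin enforces NetworkPolicy.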
Traditional security tools fall short
Organized attacks targeting containers are increasing in both frequency and sophistication. Internet-wide scanning tools like Masscan let attackers find exposed, vulnerable containers within hours. Native security capabilities in containers are inadequate in the face of these threats.
Traditional rule- and signature-based controls cannot keep up with the constantly changing, ephemeral workloads of highly fluid containerized environments. For example, to change one firewall rule the IT team has to wait for a change window to open, and by the time that happens the workload instances it was meant to protect may no longer exist. Traditional network and endpoint controls are also ineffective because they lack the container context required to address container-specific issues: a conventional vulnerability scanner, for example, may recognize neither container-specific vulnerabilities nor orchestrator misconfigurations.
Securing containerized environments with CWPP
Gartner defines Cloud Workload Protection Platforms (CWPP) as "workload-centric security protection solutions." They cater to the unique and evolving protection requirements of server workloads in modern data center and container-based application architectures. Today, cloud-native applications span on-premises physical and virtual machines (VMs), containerized environments, and multiple public cloud Infrastructure-as-a-Service (IaaS) providers.
Figure 1 illustrates cloud workloads that are increasingly granular with a shorter lifespan. Ideally, CWPP solutions consider the dynamic lifespan and increasing granularity of cloud workloads. CWPP should provide consistent visibility and control of serverless workloads, containers, physical servers, and VMs regardless of their location and size.
Figure 1: Lifespan across cloud workloads abstraction
According to Gartner’s market guide, the CWPP solution universe addresses multiple aspects of securing cloud workloads: network segmentation, application control, behavioral monitoring, system integrity protection, host-based intrusion prevention, and optional anti-malware protection. While some vendors offer full-stack CWPP capabilities, others may offer a subset of capabilities.
Key Considerations for CWPP solution
The market guide offers guidance on the capabilities of CWPP solutions to consider for your business use case.
Support different workload types
Cloud workloads present a diverse mix. Most servers, both physical and virtual, are Linux-based, so to protect cloud workloads and containers a CWPP must support Linux servers, including vendor-specific distributions like Amazon Linux. The solution must understand container context and work with the Docker and Kubernetes APIs. Securing newer workload architectures like microservices and container-as-a-service is also essential. Managed Kubernetes services such as Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE), and serverless container platforms like AWS Fargate and Azure Container Instances, are becoming popular. The latter give you no host on which to install a traditional agent, so how a CWPP covers them (for example, via a sidecar or image-embedded instrumentation) should also be considered.
Use machine learning and analytics
Many advanced CWPP vendors use machine learning algorithms to scale quickly in dynamic cloud workload environments. Machine learning helps create a baseline of normal behavior for each cloud workload: which processes it runs, which network connections it opens, which files it touches. Continuous runtime monitoring data is then compared against that baseline to detect anomalies and flag potential threats early, facilitating prevention rather than after-the-fact cleanup.
Machine-learning classifiers can also outperform pure signature matching in static analysis of binaries and images, because they can flag previously unseen malware variants before the code executes.
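The baseline-then-deviation loop described above can be illustrated without any learning library: record which (parent process, child process) pairs each container image exhibits during a learning window, then alert on runtime exec events that fall outside that set. The block below is an added example, not code from the article or from any CWPP product, and it is a plain set-membership baseline rather than a statistical model; a real platform would also baseline network destinations and file access and would learn from an eBPF or audit agent rather than from the constructed event tuples used here. The image names, process names, and events are all constructed for illustration.

```python
"""Baseline-and-deviation detection over container exec events.

Added example, not from the article or any vendor. Events are constructed
tuples of (image, parent_process, process).
"""
from collections import Counter, defaultdict

API = "registry.example.com/shop/api@sha256:" + "a" * 64
WORKER = "registry.example.com/shop/worker@sha256:" + "b" * 64

# Constructed learning-phase events: what the workloads do when healthy.
BASELINE_EVENTS = [
    (API, "containerd-shim", "node"),
    (API, "containerd-shim", "node"),
    (API, "node", "node"),
    (API, "node", "node"),
    (API, "node", "node"),
    (API, "node", "sh"),               # seen once: a deploy-time hook, not steady state
    (WORKER, "containerd-shim", "python3"),
    (WORKER, "containerd-shim", "python3"),
    (WORKER, "python3", "ffmpeg"),
    (WORKER, "python3", "ffmpeg"),
]

# Constructed runtime events to score against the baseline.
RUNTIME_EVENTS = [
    (API, "node", "node"),                              # normal
    (API, "node", "sh"),                                # too rare in baseline -> alert
    (API, "sh", "curl"),                                # never seen -> alert
    (WORKER, "python3", "ffmpeg"),                      # normal
    (WORKER, "python3", "xmrig"),                       # never seen -> alert
    ("docker.io/library/alpine:latest", "sh", "wget"),  # image never baselined -> alert
]


def build_baseline(events, min_count=2):
    """Map each image to the (parent, process) pairs observed at least min_count times.

    Requiring repeated observations keeps one-off events (a deploy hook, a human
    debugging session) from being baked into what counts as normal.
    """
    counts = defaultdict(Counter)
    for image, parent, proc in events:
        counts[image][(parent, proc)] += 1
    return {
        image: {pair for pair, n in pairs.items() if n >= min_count}
        for image, pairs in counts.items()
    }


def detect(events, baseline):
    """Return one (image, parent, process, reason) alert per deviating runtime event."""
    alerts = []
    for image, parent, proc in events:
        if image not in baseline:
            # An image with no learning history is itself suspicious in production.
            alerts.append((image, parent, proc, "no baseline for image"))
        elif (parent, proc) not in baseline[image]:
            alerts.append((image, parent, proc, "process lineage not in baseline"))
    return alerts


if __name__ == "__main__":
    for alert in detect(RUNTIME_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

On the constructed data the API image's baseline contains two lineages (the shim starting `node`, and `node` spawning `node`), and four of the six runtime events produce alerts: the shell spawned by `node`, `curl` under that shell, the miner under `python3`, and anything from an image that was never baselined. Keying the baseline on the image digest rather than the pod name is what lets this survive the ephemeral, constantly replaced workloads the article describes.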
Improve visibility and ease of management
CWPP solutions that offer a centralized, holistic view of the runtime environment simplify triage and forensics. Some platforms allow grouping workloads for easier visualization, which helps you drill down into complex workloads for root-cause analysis. When the CWPP management console can interface with the APIs of cloud service providers like AWS, Azure, and Google, it lets you leverage the programmatic features of the underlying cloud platform.
Integrate with DevOps tools
As more organizations adopt cloud-native DevOps, it is helpful if your CWPP can apply security measures to workloads before they are deployed. This requires the CWPP to interface with configuration-management and CI/CD tools like Ansible, Chef, Puppet, and Jenkins, and with the pipeline services your cloud provider offers, such as AWS CodePipeline and Azure DevOps. In practice that means scanning images and manifests inside the pipeline and failing the build on policy violations, so that an image with a known-vulnerable package or a privileged pod spec never reaches the cluster.
Offer flexible licensing
It is cost-effective if your CWPP vendor licenses per protected workload. Since workloads are spun up and torn down on demand, consumption-based licensing keeps the cost of protection proportional to what is actually running.
As more organizations adopt containerization, traditional security solutions fall short of protecting dynamic cloud workload environments, and the result is an uptick in successful breaches targeting cloud-native IaaS and container environments. The marketplace of CWPP solutions has emerged mainly to address the evolving needs of protecting cloud infrastructure across public, hybrid, and multi-cloud environments. But not all solutions are created equal, so it is essential to evaluate a CWPP's capabilities against your own business use case.