Author: Paul Holland, Principal Research Analyst, ISF
01 Jul 2020

Adopting containers promises great organisational efficiency advantages, but the fast-evolving technology can be problematic for security teams. What do CISOs need to know to safeguard containers? By Paul Holland, Principal Research Analyst, ISF

The cloud is becoming a vital part of many organisations’ IT roadmap and transformation programme. The current global situation of remote working has helped to drive this move to the cloud for many.

One common method for setting up applications in the cloud environment is to use containers, a form of operating-system-level virtualisation: each container shares the host's kernel rather than running on a hypervisor with its own guest operating system (OS) such as Windows Server. The build process and the requirements for the application are much lighter, and containers start faster and use fewer resources because there is no guest OS consuming memory and processor time.

As each container tends to host just the one application, organisations will be responsible for many more containers than they ever were virtual machines (VMs). The adoption of cloud services and containers allows for a fast pace of change and automation. But security practices need to be tailored to take all of this into account, especially since traditional security tools such as antivirus agents do not fit the model: there is no guest OS inside the container to install them into, so the controls move to the host that runs the containers and to the pipeline that builds and scans the images.

This is not to suggest a need for a dramatic shift in how security best practices are implemented – rather a refinement and change in focus on when, where and how to apply them. With agile development and DevOps, many developers are now more involved in the support of the applications they build and thus becoming a jack of all trades – this includes understanding and embedding security into their builds.

Training in secure coding, using resources such as the OWASP Top 10 list of common web application risks, is the most important aspect here: it eliminates vulnerabilities early so that containers are secure by design. Another key measure is to adopt a 'shift left' policy for development, whereby the responsibility for security is embedded earlier in the development process, that is, further to the left on the timeline.

The theory of the shift left policy is that developers check for vulnerabilities themselves, within their own toolchain, rather than waiting for security analysts to do so at the end. This is supposed to empower the developer to find and fix issues at an early stage of the software development lifecycle and thereafter on a continual basis, as opposed to when the work is complete and a penetration test is performed at the last moment. In theory this should make fixing things cheaper and faster, and place less of a burden on the operational teams and infrastructure.
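One concrete form of that shift is a policy check that runs in the build pipeline before an image is ever pushed. The example below is added here for illustration and is not part of the ISF article; it is a small Dockerfile linter that flags the build-time weaknesses a reviewer would otherwise catch late (unpinned base image, secrets baked in via ENV, downloads via ADD, running as root) and is run against two constructed Dockerfiles, one weak and one hardened. The digest in the hardened file is a placeholder, not a real image digest.

```python
import re

# Constructed sample Dockerfiles for the demonstration (not taken from the article).
WEAK_DOCKERFILE = """\
FROM python:latest
ENV API_TOKEN=abc123
ADD https://example.invalid/app.tar.gz /opt/
RUN pip install -r /opt/requirements.txt
CMD ["python", "/opt/app.py"]
"""

PLACEHOLDER_DIGEST = "0" * 64  # stands in for a real sha256 image digest
HARDENED_DOCKERFILE = f"""\
FROM python:3.12-slim@sha256:{PLACEHOLDER_DIGEST}
COPY requirements.txt /opt/
RUN pip install --no-cache-dir -r /opt/requirements.txt
COPY app.py /opt/
RUN useradd --system --uid 10001 app
USER 10001
CMD ["python", "/opt/app.py"]
"""

SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)
DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash-continued lines and skipping comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # line continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        buf += line
        instr, _, arg = buf.partition(" ")
        yield instr.upper(), arg.strip()
        buf = ""


def check_dockerfile(text):
    """Return a list of policy findings for one Dockerfile; an empty list means it passed."""
    findings = []
    user_set = False
    for instr, arg in parse_instructions(text):
        if instr == "FROM":
            image = arg.split()[0]                # drop any "AS stage" alias
            if image == "scratch" or DIGEST_REF.search(image):
                continue                          # empty base, or immutably pinned by digest
            last = image.split("/")[-1]           # ignore registry host:port
            tag = last.rsplit(":", 1)[1] if ":" in last else None
            if tag is None or tag == "latest":
                findings.append("FROM: base image untagged or :latest; pin a tag, preferably a digest")
            else:
                findings.append("FROM: base image pinned by mutable tag only; prefer an @sha256 digest")
        elif instr == "USER":
            user_set = arg not in ("root", "0")   # last USER wins, as in Docker
        elif instr == "ADD" and re.match(r"https?://", arg):
            findings.append("ADD: fetches from a URL at build time; COPY a verified artefact instead")
        elif instr in ("ENV", "ARG") and SECRET_NAME.search(arg):
            key = arg.split("=")[0].split()[0]
            findings.append(f"{instr}: secret-looking value baked into the image layer ({key})")
    if not user_set:
        findings.append("USER: no non-root USER instruction; the container will run as root")
    return findings


if __name__ == "__main__":
    for name, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        result = check_dockerfile(df)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for f in result:
            print("  -", f)
```

In a pipeline the script would exit non-zero on any finding, so the sprint cannot close with a root-running, unpinned image; the developer sees the failure in their own build output rather than in a penetration test report months later.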

Application level security has therefore become a vital priority for chief information security officers (CISOs). It should include implementation of technical solutions such as web application firewalls (WAF), which would ideally link into a Security Operations Centre (SOC) to help monitor for anomalies. A WAF is a compensating control: it can block known attack patterns and buy time, but it does not remove the underlying flaw in the application.

Code reviews should also be conducted, whether that be an internal peer review, an external expert review or automated static analysis of the source. Such reviews can spot vulnerabilities before code is made live within applications.

In the context of agile development and DevOps, speed is often a measure of success, but secure development of applications should also form part of the criteria for determining whether a sprint is successful. CISOs need to realise that developers should be granted time to develop securely and not judge their performance solely by the time to build.

Securing containers is not a single control but a multi-faceted undertaking. Combining the above into a cohesive plan and creating a secure development lifecycle that is enhanced with technical monitoring will provide the CISO with assurance that containers can be used securely and effectively in an organisation's IT environment.