Security Think Tank: Container security: why so different?
Done well, container security can be a model for securing the enterprise, and businesses that focus their teams on solving it can help accelerate positive change in other areas
Containerisation has exploded in recent years because it allows for the optimisation of available resources and the minimisation of costs and overhead associated with accomplishing business objectives.
Done well, it is the model for securing the enterprise. In fact, containerisation and microservices architectures are the closest example of breaking down business value into its atomic units with an architecture to support it.
Developments in securing workloads throughout the lifecycle force continuous creative thinking around risk, threat modelling, and protective mechanisms. This has forced architecture and engineering teams to think about delivering business value in its so-called atomic units and has given security teams an advantage in constructing comprehensive threat models and protection mechanisms that cover all phases of the time-to-value lifecycle.
In fact, observability is the only area outside containers where we see a comparably strong maturity model. Blend the two and the result is comprehensive protection, detection and response across the enterprise. Businesses that focus their teams on solving container security, and then leverage what those teams learn, will help accelerate positive change everywhere else.
With containers, teams now think intuitively about the relationships between different phases of development and value lifecycle, as well as the relationships between resources within each of the phases. Savvy security teams have taken this opportunity to think creatively about risk (threat modelling), and layering in protection and detection natively.
As a result, approaches to container security and the supporting lifecycles represent some of the most mature thinking and applications of security in the industry.
Crucially, the mechanisms we have developed to secure the business through the container lifecycle are applicable across the board. We must leverage our learnings to create comprehensive identification, protection and detection mechanisms across the broader enterprise.
Practical steps to take:
- Establish clear lines of communication between engineering teams and security teams focused on container security.
- Align security and engineering on the execution of the SDLC and ownership responsibilities.
- Generate a core capabilities list that focuses on identification, protection and detection mechanisms (reference cyber defence matrix).
- Code scanning to identify bugs is no different from code scanning to identify vulnerabilities. Although the outputs differ slightly, the mechanism (scanning) is the same. Maintain this line of thinking as it applies to protective controls and to detective controls (observability).
- Develop a review/audit cadence that ensures engineering and security understand the outputs and efficiency of the aforementioned mechanisms and commit to information sharing.
- Leverage the learnings to inspect the process of delivering value through non-container architectures and determine gaps between the two. This is a maturity roadmap to secure the broader enterprise.
Bernard Brantley is CISO at Corelight, a specialist in network detection response and threat hunting