Securing the container life-cycle

Let’s face it — containers and Kubernetes is eating the stack and de-facto standard for microservices architecture. A number of limitations exist in the container life-cycle:

• Risk posture of the images is not completely understood
• Unclear as to where security should fit in the process
• Containers are not visible with current security tools
• Reliance on open source and external components used

Hence it’s imperative to have this journey secured in the best possible manner. Listing some precautions and necessary steps at a high level that needs to be undertaken as you embark this journey.

1. BUILD Phase: Security starts with the bundle

• Make sure that base images are secure
• Scan for vulnerabilities on the finished product
• Maintain configuration standards for the containers
• Share info between Dev, Ops, Sec — DON’T be in silos!

2. SHIP Phase: Add Enforcement of image usage

• Deny unknown images or registries
• Accept images based on risk. Have internal guidelines\standards
• Maintain integrity of images

3. DEPLOY Phase: Limit access to the container engine

• Separate automation from human actions — avoid frequent hand edits!
• Control parameters that elevate privileges
• Appropriate permissions on volumes, network etc…
• Maintain audit trail with accountable user

4. RUN phase: Granular running of containers

• Protect sensitive data
• Network segmentation
• Fine-grained app controls

I recommend you to read-up (and choose your path) further on each of these points below as describing these in detail will make it for a very lengthy reading. Keep flyin’