* Identify the Lego pieces. Developing containers is fun and easy. While you do have more responsibilities, you can easily reuse layers of operating systems and services that are ready made for you, which require you to only tweak some of their configuration. For security baselining, this makes life much easier. If you recognize that 90% of the container is actually a known backend application, doing a relatively simple scan of the changes in the 10% that is left, you can easily see what these lego pieces are up to.
* Establish baseline behavior. You’ve likely heard about machine learning a lot recently, but the truth is, it’s a complicated business and hard to get right. Luckily, containers can actually help. With machine learning, you typically need to have a baseline from which you learn from, and containers are the perfect candidate. They are minimalistic in nature and involve a more limited set of actions then a virtual machine. Security solutions should baseline the application and make use of that.
* Immutability. Immutability means killing an unpatched container, and then pushing a new patched container into production instead of updating it ‘in the field’. While this might sound like a minor detail, this actually allows the endpoint security, for the first time, to treat any polymorphic change in the behavior of the containers as an indication of threat or an indication of a configuration drift.
* Automate runtime threat detection. Doing each of the preceding steps is no trivial matter, and one can not expect to do each one manually, so you must make sure that any process that qualifies to make it into production gets automatically secured. To emphasize the point, it is virtually impossible to ask an IT person to work with each owner of a micro-service and make sure the container is secure. You must adopt a system to automatically “wrap” the container at runtime with security.
* Don’t interfere with application logic. Unlike traditional endpoint detection, you can’t just install an endpoint detection mechanism on each container. Best practice is to have your solution look into running containers from the “outside”. The reason for that is, in order to play by the rules, you are not allowed to modify the containers that developers handed to production. If you change an image, you’re breaking the ability of developers to directly analyze problems with it and must quickly provide resolutions to any issues.
Organizations who implement container-based workflows or run containers in production must consider security from the very beginning or risk suffering security vulnerabilities. Luckily, better security tools exist today, and by leveraging the tips listed above, any business can make their container stacks secure.
Twistlock is the leading provider of security solutions for virtual containers.
Sign up for CIO Asia eNewsletters.