Please Don't Kill Your Containers
The New Security Imperative
With new container-based architectures, we cannot continue to apply security in the same way. Most existing security solutions are completely helpless in the face of container-based stacks, their accelerated delivery processes, and their new architectures, but it’s wrong to think of this as purely a technological incompatibility. The shift is fundamental: it’s organizational as well as technological, and it moves the focus from infrastructure to the application.
This is also really good news, because containers and the entire cloud-native stack are a huge opportunity to make security a lot better:
- The processes that govern container development and delivery break down the barrier between developers and operations. There’s a lot of power placed in the hands of the developer, who can now ship code into production in a more seamless way. This is an opportunity to “shift left” security and make sure that this code is more secure from the start. Security as an embedded step, not as an afterthought.
- The simplicity of containers makes it easier to understand their intended purpose, as well as their actual function. Unlike monolithic applications, containers perform simple, single-purpose functions. If you can understand those functions (which we do), you can define and whitelist normal behavior.
- The immutable nature of containers makes it easy to detect any attempt to interfere with them in runtime environments. Any change that did not come from the original pipeline is not legitimate, so it’s easy to enforce this immutability.
- Container networking is also fundamentally different, and can occur between containers on the same host or bare-metal stack (rather than across traditional IP network nodes). But all this communication between components of the application used to be invisible in monolithic applications, and now with the right tooling it is both visible and controllable.
- Finally, the ability to view very granular components of an application and understand their behavior makes automated response a gentler and less risky proposition. There’s no need to take an entire application down. There’s no need to even kill a container. With very fine precision that was never available before, you can block specific activities or network connections, so the potential impact on application uptime is minimal. We have the opportunity to stop attacks as they happen, not after the fact, and do so with less downtime than ever before.
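As an added illustration of the whitelisting and fine-grained response described above (example code written for this post, not Aqua's product): a toy behavior profile for a single-purpose web container and an enforcement function that answers each runtime event with the narrowest block, never by stopping the container. The profile, event types and sample events are all constructed.

```python
from dataclasses import dataclass
from typing import Literal

# Hypothetical types for the example; not part of any real tool.
Action = Literal["allow", "block_process", "block_connection", "block_write"]

@dataclass(frozen=True)
class Profile:
    """Whitelist of normal behavior for one single-purpose container."""
    executables: frozenset        # binaries the image is expected to run
    egress: frozenset             # allowed (host, port) pairs
    writable_paths: frozenset     # path prefixes that may change at runtime

@dataclass(frozen=True)
class Event:
    kind: Literal["exec", "connect", "write"]
    target: str                   # binary path, destination host, or file path
    port: int = 0                 # only meaningful for "connect"

def decide(profile: Profile, event: Event) -> Action:
    """Return the narrowest response that neutralises one event."""
    if event.kind == "exec":
        return "allow" if event.target in profile.executables else "block_process"
    if event.kind == "connect":
        allowed = (event.target, event.port) in profile.egress
        return "allow" if allowed else "block_connection"
    if event.kind == "write":
        # Anything outside the declared writable paths violates immutability.
        allowed = any(event.target.startswith(p) for p in profile.writable_paths)
        return "allow" if allowed else "block_write"
    raise ValueError(f"unknown event kind: {event.kind}")

def enforce(profile: Profile, events):
    """Evaluate an event stream; no action ever stops the container itself."""
    return [(e, decide(profile, e)) for e in events]

# Constructed profile for a hypothetical nginx-style web container.
WEB_PROFILE = Profile(
    executables=frozenset({"/usr/sbin/nginx"}),
    egress=frozenset({("app-backend", 8080)}),
    writable_paths=frozenset({"/var/cache/nginx/", "/tmp/"}),
)

# Constructed runtime events: three expected, three not from the pipeline.
SAMPLE_EVENTS = [
    Event("exec", "/usr/sbin/nginx"),
    Event("connect", "app-backend", 8080),
    Event("write", "/var/cache/nginx/proxy_temp"),
    Event("exec", "/bin/sh"),
    Event("connect", "unknown-host.example", 443),
    Event("write", "/usr/sbin/nginx"),
]

if __name__ == "__main__":
    for event, action in enforce(WEB_PROFILE, SAMPLE_EVENTS):
        print(f"{event.kind:8} {event.target:30} -> {action}")
```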
To sum up: Our vision is to provide the next generation of application security for the cloud-native era, with less friction, more granularity and more automation.
Want to learn more? Drop me a note.
eric at aquasec.com