
This is a summary of an article written by Fortinet’s Lior Cohen, Senior Director of Products and Solutions for Cloud Security, for The New Stack, entitled, “Accelerating DevOps with Advanced Container Security.”
DevOps teams increasingly leverage containers to accelerate development. However, few security tools are designed for the container environment. As a result, developers are forced to identify security issues and then manually reconfigure security measures, which can slow development processes to a crawl.
What DevOps teams need are security tools such as network firewalls, web application firewalls, and sandboxing built into containers so they can easily insert security without sacrificing either development flexibility or application performance.
The Need for Container-Based Security Tools
A recent Container Adoption Benchmark Survey indicates that 7 out of 10 developers have deployed containers on virtual machines, over a third have deployed them on a public cloud, a private cloud, or both, and nearly half plan to replace some or all of their virtual machines with containers.
However, containers continue to present serious security threats due to malware, phishing, and social engineering, or resulting from the misdelivery or misconfiguration of security services. Even worse, catching container vulnerabilities is a challenge. The 2019 State of DevOps Security Report indicates that only 14% of organizations with a SOC have full visibility into their DevOps environment, while 92% have seen at least one vulnerability slip into production in the past 12 months – with the typical organization experiencing three to five vulnerabilities.
Delivering Security to DevOps Teams
Security solutions need to operate in container environments and work seamlessly within the new microservices paradigm. These security solutions also need to be integrated directly into the container application life cycle, allowing organizations to deliver more secure applications at digital business speeds.
Addressing the Four Key Attributes of Container Security
Oddly, most container-based security solutions are not adequately designed for the container environment’s unique requirements. To be truly effective, a security solution must be able to address all four of a container’s key attributes:
1. Container aware security — Security solutions need to directly interface with container orchestration systems to leverage namespaces, labels, and other metadata as security policy objects. The container environment itself also needs to be secured with a virtual NGFW, such as the virtual FortiGate solution, that can communicate with the container management layer and learn addresses based on metadata of different containers. That way, when traffic leaves the containerized environment, the NGFW can enforce policy based on the role of the container, even when containers are moved or reconfigured.
2. Container-enabled security — This protects business-critical web applications and APIs from attacks that target known and unknown vulnerabilities. By bundling a WAF, API-based microservices, and machine learning into an application chain, application services can be programmed to make calls to the security container to apply specific security functions. This allows individual application segments to be updated or exchanged without impacting the security of the rest of the application.
3. Container-integrated security — Corrupt or malicious data in a container exposes an organization to risk. Container-integrated security requires continuous cloud security, as well as the ability to orchestrate network security policy for things like Kubernetes and network service meshes such as Istio or Envoy. Traffic flows between services and east-west traffic moving between containers must also be inspected.
4. Container registry security — Public container images can be seeded with malicious code. When they are “pulled” from the registry by application developers and bundled into an application chain, they can infiltrate the application. To mitigate this risk, organizations need to deploy advanced threat protection (ATP) solutions, such as sandboxing, to dynamically inspect and identify compromised or infected images.
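As an added illustration of the first attribute above (policy objects keyed on orchestrator metadata rather than on addresses, so a rule keeps working when a container is rescheduled), here is a small Python model. It is not from the article or from any Fortinet product; the pod inventory, the "role" label name, the namespace, and the rule set are constructed assumptions standing in for what an orchestrator API would report.

```python
# Added example: firewall-style policy keyed on (namespace, role label), not on IP.
# SAMPLE_PODS is constructed data standing in for an orchestrator's pod listing.
from dataclasses import dataclass

@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict
    ip: str

def address_groups(pods):
    """Group pod IPs by (namespace, role label): the metadata a policy refers to."""
    groups = {}
    for p in pods:
        key = (p.namespace, p.labels.get("role", "unlabeled"))
        groups.setdefault(key, set()).add(p.ip)
    return groups

# Rules name metadata objects, never addresses; first match wins, default deny.
RULES = [
    {"src": ("shop", "web"), "dst": ("shop", "api"), "port": 8443, "action": "allow"},
    {"src": ("shop", "api"), "dst": ("shop", "db"), "port": 5432, "action": "allow"},
]

def decide(groups, src_ip, dst_ip, port):
    def owner(ip):  # resolve an address back to the metadata object that owns it
        return next((k for k, ips in groups.items() if ip in ips), None)
    s, d = owner(src_ip), owner(dst_ip)
    for r in RULES:
        if r["src"] == s and r["dst"] == d and r["port"] == port:
            return r["action"]
    return "deny"  # unknown pods and unmatched flows are denied

SAMPLE_PODS = [  # constructed inventory (hypothetical namespace "shop")
    Pod("web-1", "shop", {"role": "web"}, "10.0.1.10"),
    Pod("api-1", "shop", {"role": "api"}, "10.0.1.20"),
    Pod("db-1", "shop", {"role": "db"}, "10.0.1.30"),
]

def reschedule(pods, name, new_ip):
    """Simulate the orchestrator moving a pod: same metadata, new address."""
    return [Pod(p.name, p.namespace, p.labels, new_ip) if p.name == name else p for p in pods]

if __name__ == "__main__":
    g = address_groups(SAMPLE_PODS)
    print(decide(g, "10.0.1.10", "10.0.1.30", 5432))  # deny: web may not reach db
    moved = address_groups(reschedule(SAMPLE_PODS, "api-1", "10.0.2.77"))
    print(decide(moved, "10.0.1.10", "10.0.2.77", 8443))  # allow: rule followed the pod
```

Re-reading the groups from the orchestrator after every scheduling event is what keeps the address objects current; a rule written against a static IP would silently stop matching after the move.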
Fortinet Solutions Support Advanced Container-Based Security
The high demand for ongoing, iterative application development is pushing DevOps teams to adopt container-based infrastructure management methodologies, allowing the development process to become more modular and streamlined. Unfortunately, traditional security solutions are unable to provide the protections for such environments that developers require.
Fortunately, Fortinet enables network firewalls, web application firewalls, and sandboxing to be woven into container environments without sacrificing development flexibility or application performance. They are also specifically designed to address all four key attributes of container security. And because they are part of the Security Fabric, these tools can also be extended into every corner of today’s distributed networks to ensure consistent policy orchestration, analysis, and enforcement everywhere your data, workflows, and applications need to travel.