Container Adoption Demands Comprehensive Protection

Containers are becoming an enterprise standard, with Gartner predicting that by 2023 70% of organizations will be running multiple production applications in containers. This level of enterprise adoption demands that containers benefit from the same protection that legacy application platforms enjoy today.

But containerized applications present different security challenges, and also bring new opportunities to add controls and visibility. The build and deployment ecosystem surrounding container applications allows risks to be identified and mitigated throughout the development and production lifecycle.

How Do Containers Differ From Legacy Platforms?

Like virtual machines, containers offer isolated environments for running multiple software instances on a shared host. Unlike VMs, however, all containers on a host share the same kernel, which lets them start faster and use a fraction of the resources. The trade-off is that the isolation boundary is the kernel's namespace and cgroup enforcement rather than a hypervisor: a kernel flaw or an over-privileged container can reach the host and, through it, every other container running there.

Containers are built by adding code, content, and libraries to a base image. That base image might be a minimal operating system (such as Alpine Linux) or a ready-to-run web server (such as NGINX) to which you only add content. The build produces a custom image that is stored, immutable, in a container registry; in practice the build is usually driven by CI software (such as Jenkins).

Deploying containers into production is usually automated by a continuous delivery platform that applies infrastructure as code to a container orchestration platform (such as Kubernetes) or a managed cloud container service, which in turn automates the placement, availability, and scaling of containers. These layers of automation enable application designs in which containers are ephemeral, and many containers run only for minutes or seconds.

Compared to the static, slow to build but long-lasting world of traditional applications, containers are more dynamic and flexible, but at the price of infrastructure complexity that can challenge traditional security practices.

Containers Have Different Security Needs

The differences in how containers are built and run create challenges for security practices, but bring opportunities for new controls and visibility, and to move security earlier into the lifecycle.

Since containers are assembled from a base image plus additional software layers, managing image trust needs to be a priority. You need scanning, integrated into the tools that build, store, and deploy containers, that can analyse an image and detect vulnerabilities in both its base image and the software libraries layered on top of it.

Having secured the container image, we need to ensure that the deployment follows compliance best practices, such as not running containers as root or in privileged mode. Giving developers tools that scan Infrastructure as Code (IaC) templates as well as container images for issues helps catch such misconfigurations before they reach production.
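As an added example of the build-time and deploy-time checks described above (this is illustrative code written for this page, not Prisma Cloud's scanner or any code from the original post), the following Python script gates a Dockerfile and a Kubernetes Pod manifest: it flags base images not pinned by digest, a final stage that never drops root, and pods that are privileged, share host namespaces, allow privilege escalation, or are not required to run as non-root. Both the weak and hardened inputs are constructed, the digest is a placeholder rather than a real NGINX digest, and the field names are standard Kubernetes PodSpec fields.

```python
"""Minimal CI gate for a container build: checks a Dockerfile for unpinned base
images and a root final stage, and a Kubernetes manifest for privileged or
host-namespaced containers. Added example, not Prisma Cloud code; all sample
inputs below are constructed."""
import json
import re

# Constructed "before" inputs: mutable base-image tag, no USER, privileged pod.
WEAK_DOCKERFILE = """\
FROM nginx:latest
COPY site/ /usr/share/nginx/html/
EXPOSE 80
"""
WEAK_MANIFEST = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"hostPID": True,
             "containers": [{"name": "web", "image": "nginx:latest",
                             "securityContext": {"privileged": True}}]},
})

# Constructed "after" inputs. The digest is a placeholder, not a real NGINX digest.
PLACEHOLDER_DIGEST = "sha256:" + "0123456789abcdef" * 4
HARDENED_DOCKERFILE = f"""\
FROM nginx@{PLACEHOLDER_DIGEST}
COPY site/ /usr/share/nginx/html/
EXPOSE 8080
USER 101
"""
HARDENED_MANIFEST = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": f"nginx@{PLACEHOLDER_DIGEST}",
                             "securityContext": {"privileged": False,
                                                 "allowPrivilegeEscalation": False,
                                                 "runAsNonRoot": True}}]},
})

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_dockerfile(text):
    """Every FROM must be pinned by digest (tags are mutable, so 'nginx:latest'
    can silently change between scan and deploy) and the final stage must
    switch to a non-root USER."""
    findings, last_user = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        if instr.upper() == "FROM":
            image = args.split()[0]  # ignore any "AS <stage>" suffix
            if image != "scratch" and not DIGEST_RE.search(image):
                findings.append(f"Dockerfile:{lineno}: base image '{image}' not pinned by digest")
        elif instr.upper() == "USER":
            last_user = args.strip()
    if last_user in (None, "root", "0"):
        findings.append("Dockerfile: final stage runs as root (no non-root USER)")
    return findings


def check_manifest(text):
    """Flag host namespace sharing, privileged containers, privilege escalation
    (which Kubernetes allows unless explicitly disabled) and containers that
    are not required to run as non-root."""
    doc = json.loads(text)
    spec = doc.get("spec", {})
    if doc.get("kind") == "Deployment":  # Deployments nest the PodSpec in a template
        spec = spec.get("template", {}).get("spec", {})
    findings = []
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod shares {ns} with the host")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container '{name}' is privileged")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"container '{name}' allows privilege escalation")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"container '{name}' may run as root (runAsNonRoot unset)")
    return findings


def gate(dockerfile, manifest):
    """Combine both scans; a CI job would exit non-zero when 'pass' is False."""
    findings = check_dockerfile(dockerfile) + check_manifest(manifest)
    return {"pass": not findings, "findings": findings}


if __name__ == "__main__":
    for label, df, mf in (("weak", WEAK_DOCKERFILE, WEAK_MANIFEST),
                          ("hardened", HARDENED_DOCKERFILE, HARDENED_MANIFEST)):
        result = gate(df, mf)
        print(f"{label}: {'PASS' if result['pass'] else 'FAIL'}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the weak pair the gate reports six findings and fails; against the hardened pair it passes. A real pipeline would wire `gate` to the build's exit status and feed the findings back to the developer, which is the same fail-the-build behaviour a CI-integrated scanner provides.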

The short lifespan of an individual container changes the way anomaly detection needs to work: models must be built on container images, not on ephemeral instances, so that behaviour learned from one instance applies to every later instance of the same image. Finally, container security solutions need to protect containers at the application layer, where containers talk to one another over the network; unrestricted east-west traffic can leak data, give an attacker a foothold for lateral movement, or put the deployment out of compliance.
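To make the point about image-scoped models concrete, the following added example (illustrative code for this page, not Prisma Cloud's runtime engine) learns a behavioural baseline keyed by image digest from constructed events emitted by two short-lived containers, then applies it to a third instance of the same image started after learning ended. A shell spawn and an outbound connection that never appeared in the learned model are alerted on, while the learned process, connection and file activity is not. The image digests, container IDs and addresses are all constructed.

```python
"""Runtime anomaly model keyed by image digest rather than by container
instance. Added example, not Prisma Cloud's runtime engine; every event below
is constructed."""
from collections import defaultdict

# Event shape: (container_id, image_digest, kind, value). c1 and c2 are two
# short-lived instances of the same image observed during the learning phase.
LEARN_EVENTS = [
    ("c1", "sha256:aaa", "process", "nginx"),
    ("c1", "sha256:aaa", "connect", "10.0.0.5:5432"),
    ("c1", "sha256:aaa", "file_write", "/var/cache/nginx/client_temp"),
    ("c2", "sha256:aaa", "process", "nginx"),
    ("c2", "sha256:aaa", "connect", "10.0.0.5:5432"),
]

# c3 is a new instance of the same image, started after learning finished.
# Someone spawns a shell in it and it connects to an address never seen before.
RUNTIME_EVENTS = [
    ("c3", "sha256:aaa", "process", "nginx"),
    ("c3", "sha256:aaa", "process", "sh"),
    ("c3", "sha256:aaa", "connect", "203.0.113.9:4444"),
    ("c3", "sha256:aaa", "file_write", "/var/cache/nginx/client_temp"),
]


def learn_baseline(events):
    """Return {image_digest: {kind: set(values)}}. The container ID is dropped
    on purpose: instances come and go, the image is the stable unit."""
    baseline = defaultdict(lambda: defaultdict(set))
    for _cid, digest, kind, value in events:
        baseline[digest][kind].add(value)
    return baseline


def detect(baseline, events):
    """Return (container_id, reason, value) for each event outside the model of
    the container's image. An image with no model at all is alerted on too,
    since nothing has been learned that could justify trusting it."""
    alerts = []
    for cid, digest, kind, value in events:
        model = baseline.get(digest)
        if model is None:
            alerts.append((cid, "no baseline for image", digest))
        elif value not in model.get(kind, set()):
            alerts.append((cid, f"new {kind}", value))
    return alerts


if __name__ == "__main__":
    model = learn_baseline(LEARN_EVENTS)
    for alert in detect(model, RUNTIME_EVENTS):
        print(alert)
```

Because the baseline is indexed by digest, the model survives the instances that produced it; whether the next instance lives for seconds or days, its first unexpected process or connection is visible immediately instead of after a per-instance warm-up that an ephemeral container would never complete.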

Prisma Cloud - Integrated Container Security

Prisma Cloud protects the complete container lifecycle. DevOps plugins for integrated development environments (IDEs), source control tools, build tools and container registries analyse container images for vulnerabilities and compliance issues, and scan IaC templates for misconfigurations. With Prisma Cloud, developers can use their existing tools to build more secure containers and deployments.

By integrating into CI/CD pipelines, Prisma Cloud can fail an insecure build based on vulnerability status or compliance policy, giving developers and DevOps teams immediate feedback and preventing a vulnerable deployment.

Once an application is deployed, Prisma Cloud protects containers, as well as the underlying host and runtime engine, by automatically modeling learned application behaviour across network, process, and file system; activity that falls outside the model is alerted on or blocked. It provides comprehensive monitoring and defence for containers, analysing both network traffic and container internals against dynamic protection rules and runtime models.

Prisma Cloud secures your containers across the full application lifecycle, and multi- and hybrid cloud environments.