Container security: 5 current trends you can't afford to ignore

Published: November 4th, 2019

- Fei Huang

Enterprise confidence in containers continues to accelerate – not just in terms of the number of businesses now running containerized applications, but also in how many of those deployments span the entire application lifecycle. A recent survey by Market Cube finds that 87% of IT professionals are utilizing containers, and 90% of those are using them in production environments. At the same time, the past year has seen the number of IT teams with more than 40% of their applications running in containers double in size.

This marked increase in container adoption is a clear sign of a maturing and proven technology that enterprises and developers now have full confidence in leveraging. The emergence of Kubernetes as the ubiquitous option for container orchestration has further spurred container strategy by simplifying decision making and reducing risk. In this way, the container ecosystem now greatly assuages fears of vendor lock-in, while offering increasingly easier and more robust choices for addressing complementary requirements such as storage and security. Naturally, the strength of the containerization opportunity has also done plenty to promote trends toward cloud migration and container deployments within multi-cloud or hybrid cloud environments.

Yet while widespread container adoption now delivers well-demonstrated benefits for countless enterprises, it has also made containers and orchestration systems much, much more inviting targets for attack. Looking forward at shifts that are influencing (or ought to influence) enterprise container security strategy, I’ve identified the following five trends that I believe need to be at the top the agenda in any enterprise container discussion:

1. Container security is shifting “left” to the beginning of development, and “right” to protect production environments.

Until very recently, it was common to see enterprises begin application development using unsecure containerized environments, and only attach container security capabilities at some point in the middle of that process. However, this practice leaves defenseless applications exposed to zero-day attacks, insider attacks, and plenty of other vulnerabilities. Enterprises are now recognizing the importance of shifting their container security “left” to defend environments even before development begins. At the same time, organizations are more aware of their container security risks at they push their containerized applications into production. Enterprises. as a trend. are also shifting “right” to fully protect those more vulnerable environments – as well as their orchestration platforms – throughout the full application lifecycle.

2. Container-focused attacks are indeed increasing.

The rise in container adoption has caused attackers to see no shortage of value in making their own investments in the space. As a result, container deployments and Kubernetes itself have suffered a string of newly discovered and leveraged vulnerabilities. Make no mistake about it: this is the new normal. Recent high-profile examples include the takeover of Kubernetes deployments within Tesla’s own public cloud in order to launch containers performing cryptomining, the infiltration of the Docker Hub public repository to make it a repository for malicious containers, and the cryptojacking worm that exploited Docker Engine deployments. As this trend continues, there’s little doubt that similar attacks will only become more sophisticated and more commonplace, a fact that enterprises should be aware of as they plan and allot resources to container security.

3. Enterprises are building security mesh atop of service mesh to defeat attacks.

With attackers aggressively assailing containerized environments and orchestration solutions while employing ever more capable techniques for exploiting vulnerabilities, enterprises are acknowledging and acting on their need to implement brand new approaches themselves. Many are now thinking outside the traditional network and host security box by adding safeguards on top of a service mesh. By leveraging that architecture to enable a new layer of defenses in the form of a security mesh, enterprises are raising application-aware protections that feature the intelligent and automated security responses needed to repel sophisticated container API and Kubernetes exploits.

4. DevOps teams are declaring security policies in code.

Container security techniques are also advancing along the “policy as code” front, with enterprise DevOps teams making deft use of Kubernetes ConfigMaps, Custom Resource Definitions (CRDs), and other tools to automate security solutions, rules and configurations as a part of their CI/CD pipelines. In this way, DevOps teams can use standard YAML files to declare security policies based on analysis of application behavior – adding valuable automation and efficiency to the work of integrating obligatory security measures. At the same time, these same tools and techniques are available for traditional security teams to use in implementing cloud-native global security policies in their container environments.

5. Cloud 2.0 is arriving, accelerated by containers.

The road to Cloud 2.0 is undoubtedly being paved by container technologies, as enterprises recognize that opportunities to go well beyond VM-centric cloud infrastructures by adopting more data- and services-focused solutions. From containerization, to the aforementioned service and security meshes, to serverless, to cross-cluster and hyperscale management, enterprises are swiftly embracing advanced technologies that transform their cloud capabilities. The incentives are clear, as enterprises can meet their IT (and business) goals more dynamically and adeptly by using cloud-native tools to provide functionality such as networking, storage, and especially security.

By staying on top of trends and steering strategies to capitalize on emerging container security solutions and practices, enterprises can keep one technological step ahead in their cat-and-mouse game with attackers, while ensuring their businesses benefit from the myriad advantages that containers continue to deliver.

To learn more about containerized infrastructure and cloud native technologies, consider coming to KubeCon + CloudNativeCon NA, November 18-21 in San Diego.

Article Tags

Container security, containers

About Fei Huang

Fei Huang is the CEO at NeuVector, a container security platform that protects Kubernetes throughout the full application life cycle.

View all posts by Fei Huang

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__atuvs	30 minutes	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_WTGVKVXEZJ	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_107693958_2	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_jsuid	1 year	This cookie contains random number which is generated when a visitor visits the website for the first time. This cookie is used to identify the new visitors to the website.
at-rand	never	AddThis sets this cookie to track page visits, sources of traffic and share counts.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
iutk	5 months 27 days	This cookie is used by Issuu analytic system to gather information regarding visitor activity on Issuu products.
uvc	1 year 1 month	Set by addthis.com to determine the usage of addthis.com service.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
loc	1 year 1 month	AddThis sets this geolocation cookie to help understand the location of users who share the information.
mc	1 year 1 month	Quantserve sets the mc cookie to anonymously track user behaviour on the website.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
__gpi	1 year 24 days	No description
_heatmaps_g2g_101137905	10 minutes	No description
cf_7167_id	20 years	No description
cf_7167_person_last_update	session	No description
GoogleAdServingTest	session	No description
prism_252377639	1 month	No description
querylyvid	3 months	No description
xtc	1 year 1 month	No description

Container security: 5 current trends you can’t afford to ignore

Article Tags

Subscribe to SDTimes

About Fei Huang

Related Articles

Red Hat Enterprise Linux 9.3 released, RHEL 8.9 out in a few weeks

ITOps Times Open-Source Project of the Week: Cilium

Mend for Containers offers container scanning at scale

How to think about managing modern application workloads