APN News

Registry Vulnerability Scanning: Early Prevention for Max Efficiency

By Andrew Samusenko, Director, Cloud Workload Protection Platform (CWPP)

The earlier you catch a security vulnerability, the less likely it is to cause damage to your organization and the less it costs to fix. Most companies have security policies designed to catch vulnerabilities before anything is deployed, particularly when new instances of a container workload are spun up. However, even when an organization has written such procedures, it is not easy to make sure everyone actually follows them.

For this reason, security automation, including early detection through vulnerability scanning, is an essential part of your security posture. Catching configuration errors and vulnerable images early also means less rework later, when the development team is concentrating on shipping code.

Kubernetes Container Creep: Managing Container Security in a Development Environment

The move from virtual machines to containers has allowed DevOps teams to give developers tools to spin up their own container instances simply and rapidly. While this frees up DevOps time and creates a much more agile organization, it also spreads the opportunity for human error across many more people. For example, a developer could reuse open-source code snippets and overlook details such as hard-coded credentials inside them. Even when the developer follows every policy in writing their own code, this kind of error can slip in.

Every new container is started from an existing image. The image determines exactly what the container runs: its filesystem, binaries, libraries and default configuration. It is therefore essential that the image is one of the preset, approved images for containers in your organization. An image is effectively a full runtime environment, so an improperly built or configured image carries its vulnerabilities into every container started from it.

Developers won’t intentionally create containers from faulty images, but a previous security breach may have placed tampered or malicious images in the organization’s registry. Developers may also simply use an older image version by mistake, one that still carries vulnerabilities fixed in later builds.

With so many people having the authority to create containers, securing container images is critical.

Shared Responsibility for Security

Best practices for cloud security call for a shared responsibility model between cloud providers and cloud users. In this model, the provider is responsible for security of the cloud, while the user must take care of security in the cloud: their data, development pipeline, cloud applications and workloads. In other words, the provider secures its physical infrastructure, resources and services, while the customer must secure everything they run on that infrastructure.

Workload Protection in the Development Lifecycle

Workloads are one of the riskiest parts of application deployment because they change the most often and are the most flexible. Attackers know this and specifically hunt for vulnerabilities in workloads.

Generally, protecting your container workloads involves managing the use of open-source code, controlling privilege escalation, and managing data analytics.

When it comes to privilege escalation, creating appropriate roles and access for each workload is key. In the past, privilege escalation might have given an attacker access to a database; in a container environment, weak privilege control can let a malicious actor spin up an entire service and interact with the other services in the system.
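The point above is easiest to see against concrete role definitions. The following is an added example, not code from the original article or from Check Point’s product: it audits Kubernetes Role/ClusterRole objects (in the shape `kubectl get role -o json` returns) for wildcard grants, for the RBAC verbs that permit self-escalation (`escalate`, `bind`, `impersonate`), and for an assumed list of resource/verb pairs that let a workload identity reach beyond its job, such as creating pods or reading secrets. The three sample roles are constructed for the example.

```python
from __future__ import annotations

# Kubernetes RBAC verbs that let a subject widen its own permissions or act as
# another identity. These three are RBAC's own special-purpose verbs.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}

# Resource/verb pairs that let a workload identity reach beyond its own job.
# This list is an assumption for the example; extend it to match your policy.
RISKY_GRANTS = {
    ("pods", "create"): "can launch arbitrary workloads and mount any service account in the namespace",
    ("pods/exec", "create"): "can run commands inside other running containers",
    ("secrets", "get"): "can read service-account tokens and application credentials",
    ("secrets", "list"): "can read service-account tokens and application credentials",
}


def audit_role(role: dict) -> list[str]:
    """Return human-readable findings for a Role or ClusterRole given in the
    same shape as `kubectl get role -o json`. An empty list means no rule
    tripped a check."""
    findings: list[str] = []
    kind = role.get("kind", "Role")
    name = role.get("metadata", {}).get("name", "<unnamed>")
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(
                f"{kind}/{name}: wildcard grant apiGroups={sorted(groups)} "
                f"resources={sorted(resources)} verbs={sorted(verbs)}"
            )
        for verb in sorted(verbs & ESCALATION_VERBS):
            findings.append(f"{kind}/{name}: verb '{verb}' on {sorted(resources)} allows privilege escalation")
        for (resource, verb), why in RISKY_GRANTS.items():
            if resource in resources and verb in verbs:
                findings.append(f"{kind}/{name}: '{verb} {resource}' {why}")
    if kind == "ClusterRole" and findings:
        findings.append(f"{kind}/{name}: these grants apply cluster-wide, not to one namespace")
    return findings


def is_least_privilege(role: dict) -> bool:
    """True when the audit finds nothing to flag."""
    return not audit_role(role)


# Constructed sample roles (not from any real cluster).
OVERLY_BROAD = {
    "kind": "ClusterRole",
    "metadata": {"name": "dev-helper"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
ESCALATING = {
    "kind": "Role",
    "metadata": {"name": "ci-deployer", "namespace": "team-a"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list", "create"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"], "verbs": ["create", "bind"]},
    ],
}
LEAST_PRIVILEGE = {
    "kind": "Role",
    "metadata": {"name": "api-reader", "namespace": "team-a"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
    ],
}

if __name__ == "__main__":
    for role in (OVERLY_BROAD, ESCALATING, LEAST_PRIVILEGE):
        print(role["metadata"]["name"], "OK" if is_least_privilege(role) else "REVIEW")
        for finding in audit_role(role):
            print("  -", finding)
```

Run against a cluster’s exported roles, the `dev-helper` style wildcard role and the `ci-deployer` role (create pods, read secrets, bind role bindings) are exactly the grants that turn a single compromised build container into the ability to launch and control other services.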

Today’s faster-moving environments require agile security responses as well as ongoing security measures, so that security does not slow down the company’s progress. Image assurance plays an essential part in workload protection: images are scanned before they are allowed into the production environment.

Image Assurance Protection

Image assurance protection starts with the ability to identify new containers as they’re being created, verify that they are using approved images, continuously scan for vulnerabilities, and block any deployments that don’t comply. Check Point CloudGuard Workload Protection now includes an image assurance module, which provides the scanning, detection, and disabling capabilities required for assuring image compliance and security.

The key to early detection of vulnerabilities is detecting every container as it is spun up and scanning its image before it goes into production. If the image doesn’t comply with company policy, the deployment is blocked. Once deployed, all workloads are continuously scanned for vulnerabilities, exploits, malware, viruses, trojan horses, credential leakage, and other malicious threats.
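The gate described in the last two paragraphs (identify the image, check it is approved, consult the scan result, block what does not comply) can be written as a small admission-style policy. The following is an added example, not code from the original article or from CloudGuard: the approved registry hostnames, the severity threshold and the scan results keyed by image digest are all constructed assumptions standing in for a real registry scanner’s output. It also enforces a check practitioners usually want here and the text only implies: an image must be pinned by digest, because a tag can be re-pointed after it was scanned.

```python
from __future__ import annotations

# Hypothetical policy for this example; the registry hostnames are constructed.
APPROVED_REGISTRIES = {
    "123456789012.dkr.ecr.us-east-1.amazonaws.com",  # an ECR registry
    "example.azurecr.io",                            # an ACR registry
}
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
MAX_SEVERITY_ALLOWED = "HIGH"  # findings ranked above this block the deployment

# Constructed scan results keyed by image digest, standing in for whatever the
# registry scanner reports. Finding ids are placeholders. Unknown digests mean
# "never scanned".
SCAN_RESULTS = {
    "sha256:" + "a" * 64: {"findings": [{"id": "VULN-1", "severity": "MEDIUM"}], "malware": False},
    "sha256:" + "b" * 64: {"findings": [{"id": "VULN-2", "severity": "CRITICAL"}], "malware": False},
    "sha256:" + "c" * 64: {"findings": [], "malware": True},
}


def parse_image(ref: str) -> dict:
    """Split an image reference into registry, repository, tag and digest.
    Docker's rule: the first path component is a registry only if it contains
    a '.' or ':' or is 'localhost'; otherwise the image comes from docker.io."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def evaluate_container(image_ref: str) -> list[str]:
    """Return the policy violations for one container image; empty means compliant."""
    img = parse_image(image_ref)
    reasons: list[str] = []
    if img["registry"] not in APPROVED_REGISTRIES:
        reasons.append(f"{image_ref}: registry '{img['registry']}' is not approved")
    if img["digest"] is None:
        # A tag can be re-pointed after scanning; only a digest identifies what was scanned.
        reasons.append(f"{image_ref}: not pinned by digest (tag '{img['tag'] or 'latest'}' is mutable)")
        return reasons
    scan = SCAN_RESULTS.get(img["digest"])
    if scan is None:
        reasons.append(f"{image_ref}: no scan result for this digest; image has not been scanned")
        return reasons
    if scan["malware"]:
        reasons.append(f"{image_ref}: malware detected in image")
    limit = SEVERITY_RANK[MAX_SEVERITY_ALLOWED]
    too_severe = [f["id"] for f in scan["findings"] if SEVERITY_RANK[f["severity"]] > limit]
    if too_severe:
        reasons.append(f"{image_ref}: findings above {MAX_SEVERITY_ALLOWED}: {', '.join(too_severe)}")
    return reasons


def evaluate_pod(pod: dict) -> tuple[bool, list[str]]:
    """Admission-style decision for a Pod manifest given as a dict: (allowed, reasons).
    Init containers are checked too; they carry the same image trust problem."""
    spec = pod.get("spec", {})
    reasons: list[str] = []
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        reasons.extend(evaluate_container(container["image"]))
    return (not reasons, reasons)


# Constructed manifests, not from any real cluster.
GOOD_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "api", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/app/api:1.4.2@sha256:" + "a" * 64},
]}}
BAD_POD = {"kind": "Pod", "spec": {
    "initContainers": [{"name": "init", "image": "nginx:latest"}],
    "containers": [
        {"name": "web", "image": "example.azurecr.io/web@sha256:" + "b" * 64},
        {"name": "sidecar", "image": "example.azurecr.io/sidecar:3.1@sha256:" + "c" * 64},
    ],
}}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        allowed, reasons = evaluate_pod(pod)
        print(label, "ALLOW" if allowed else "DENY")
        for reason in reasons:
            print("  -", reason)
```

The “bad” pod is denied for four distinct reasons: an unapproved, unpinned `nginx:latest` init container, a critical finding in the web image, and malware in the sidecar. Note that an image with no scan result is treated as non-compliant rather than unknown; that is what turns registry scanning into a gate rather than a report.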

Registry Synchronization for Full Protection

To catch workloads before they’re deployed in production, Image Assurance employs registry synchronization. Every image must be pushed to the cloud deployment’s registry before containers are created from it. By scanning the cloud registry, the image assurance module ensures that every workload goes through the required security procedures and scans before going live.

In the most recent upgrade to its image assurance module, Check Point added support for vulnerability scanning of Azure Container Registry (ACR), Amazon Elastic Container Registry (ECR), and Amazon Elastic Container Service (ECS) tasks. The coverage for Azure and AWS allows hyperscaler users to stay secure, while providing developers the ability to deploy their own workloads, as those workloads will be scanned at the registry level and protected throughout their lifecycle.

Check Point Image Assurance

The image assurance module automatically analyzes the container images used by Kubernetes on AWS, Google Cloud and Microsoft Azure at each stage of their lifecycle to protect against malicious threats. The feature identifies all images in the cloud registry, and is part of Check Point’s CloudGuard Workload Protection.

CloudGuard Workload Protection provides an end-to-end solution for securing an organization’s serverless and containerized cloud native applications. To learn more about CloudGuard Workload Protection’s capabilities, register for a free demo of Check Point’s serverless security solutions or simply try it out for free.
