One of the benefits of using containers, especially in microservices-based applications, is that they make it easier to secure applications through runtime immutability (the running environment never changes) and by applying least-privilege principles that limit what a container can do.
With immutability, every attempt to change the runtime environment is interpreted as an anomaly. And, thanks to containers’ simplicity, it is easier to predict their behavior in the application context and create a tight security envelope, allowing them to perform only their required function and preventing behaviors outside that scope.
In this webinar, Tsvi Korren, Chief Solutions Architect at Aqua Security, will explain and demonstrate how an approach that enforces immutability and least privilege can secure applications in an active container environment.
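The immutability principle described above (every change to the running container is an anomaly), as an added example that is not Aqua's code or part of the webinar: a Python drift detector that records the executables in an image at build time and flags any executable added, modified or removed at runtime. The temporary-directory "image", the file names and the tampering in demo() are constructed for the illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's contents: the identity of each binary we baseline."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def executable_manifest(root: Path) -> dict[str, str]:
    """Map every executable regular file under root (relative path) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                manifest[str(p.relative_to(root))] = sha256_file(p)
    return manifest


def detect_drift(baseline: dict[str, str], runtime: dict[str, str]) -> dict[str, list[str]]:
    """Diff a runtime manifest against the build-time baseline; every hit is drift."""
    added = sorted(p for p in runtime if p not in baseline)  # binary dropped into the container
    modified = sorted(p for p in runtime if p in baseline and runtime[p] != baseline[p])  # in-place replacement
    removed = sorted(p for p in baseline if p not in runtime)  # deleted since build
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny 'image', then tamper with it at runtime."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        server = root / "app" / "server"
        server.write_bytes(b"#!/bin/sh\necho serving\n")
        server.chmod(0o755)
        baseline = executable_manifest(root)  # recorded when the image is built
        server.write_bytes(b"#!/bin/sh\necho tampered\n")  # app binary replaced in place
        miner = root / "miner"
        miner.write_bytes(b"\x7fELF")  # new executable that was never in the image
        miner.chmod(0o755)
        return detect_drift(baseline, executable_manifest(root))


if __name__ == "__main__":
    print(demo())  # {'added': ['miner'], 'modified': ['app/server'], 'removed': []}
```

In a real deployment the baseline is taken from the scanned image in the registry and the runtime walk is done inside the container's root filesystem, with any non-empty result blocked or alerted on rather than printed.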
Enforcing Immutability and Least Privilege to Secure Containerized Applications on OpenShift
Copyright © 2018 Aqua Security Software Ltd. All Rights Reserved.
Containers: Friends or Foes?
Security and Compliance in the era of micro-services
About Aqua
BACKED BY
Microsoft Ventures | Lightspeed | Shlomo Kramer | TLV Partners
Boston | San Francisco | Tel Aviv
STRATEGIC PARTNERSHIPS
TEAM
80 passionate, experienced innovators coming from:
How is that possible?
- Images with everything preconfigured
- Automated build, distribution and orchestration
- Small footprint per workload without VM overhead
Build Ship Run
The view from Security
- Development is making infrastructure decisions
- Code moves too fast for risk analysis
- Thousands of containers with limited visibility or control
Build Ship Run
Hard-Coded Secrets
Malware
Known CVEs
OSS Licenses
Unapproved Base Images
How Aqua can help
Automate DevSecOps
Focus on Prevention
Portable Controls
It starts with building an image
Base Image
/
├── bin
├── etc
├── proc
├── root
├── run
├── sys
├── usr
└── var
.NET
Builder Image
/
├── bin
├── etc
├── lib
├── proc
├── root
├── run
├── sys
├── usr
├── var
└── opt
.NET
Application
/
├── bin
├── etc
├── lib
├── proc
├── root
├── run
├── sys
├── usr
├── var
└── opt
    └── app
Aligned with security practices
- Mandatory security in the pipeline
  - Actionable feedback for Developers (who are not security experts)
  - Lean base images, supplied internally
  - Multiple controls in CI and CD – fail early, fail often
- Inventory and visibility
  - Keep track of artifact state at all times
  - Prevent changes after promotion
- Integration
  - Alignment with Enterprise toolset and apps: CI/CD, Orchestration, Logging, Ticketing, SIEM, Secrets Store, Cloud Provider, Container Platforms
Image is good, what’s next?
Networking between containers?
Host user actions?
What images are running?
Processes inside containers?
Patching?
Running containers are applications
Vulnerabilities
Privilege Escalation
Data Exfiltration
Hostile Takeover
Equipped to handle any threat
Threat: Mitigation
Rogue container (e.g. bitcoin): Block unapproved image
Malicious code injection: Prevent image drift (= immutability)
Unwanted admin actions: User access controls enforce least privilege
Data exfiltration: Secured secrets; block unapproved network connections
Network lateral movement: Container firewall stops unpermitted connections
Unknown vectors ("zero days"): Image drift prevention and behavioral whitelisting; the container can't do what it wasn't meant to do (executables, processes, files, volumes, host resources…)
Security for the full container SDLC
CI/CD Image Scan
Image Assurance
Compliance
Secrets
User Access Control
Runtime Protection
Threat Mitigation
Container Firewall
Build Ship Run
Registry Image Scan
Host Scanning
Secure once, run anywhere
✓ Linux and Windows containers
✓ Any orchestrator: Kubernetes, OpenShift, DC/OS, Docker Swarm
✓ Cloud or On-Prem: AWS, Azure, GCP, IBM Cloud, or VM environments
✓ CaaS: AWS Fargate and Azure ACI
✓ Multi-tenant management
✓ Coming Soon: Pivotal Cloud Foundry
For additional information
- Our Resource Center: www.aquasec.com/resources/
- Container security Wiki: www.aquasec.com/wiki
- Free community image scanner: https://github.com/aquasecurity/microscanner
- Partners and integrations: https://www.aquasec.com/partners/