The Great Security Threat of Containerization is Really an Opportunity

News Desk

When the United Arab Emirates’ public and private sectors moved, at unprecedented scale, to the cloud in the early 2020s, organizations introduced several complexities into their everyday business cycles. Because they depend on technology, many business functions now run on IT architectures that were until recently non-traditional, and have been left exposed as a result. A mix of cloud environments, remote workers and third-party domains has expanded the cyberattack surface to seemingly unmanageable proportions.

One aspect of the emerging complexity is the growing popularity of application containers. Containerization is an indispensable technology when building cloud-native digital experiences. At design time, DevOps teams take the business logic of an application and bundle it so that it can run on an array of virtualized operating systems at runtime. Containers are eminently portable and reusable, and their deployment is easy to automate. The benefits to DevOps are clear. In a digital economy populated with digital natives, experiences must be digital and must evolve with the changing needs and tastes of consumers.

Containerization has particular promise for the e-commerce, finance, and healthcare industries — three sectors that are growing in the UAE. When deploying at speed and scale, the container’s lack of interference with other applications is an extremely attractive quality, as each comes with its own virtualized system of compute, storage, and network resources. It can go anywhere; no specialized versions are required for different environments. This quality also allows devs to add microservices more quickly. Global figures from Forrester suggest as many as 64% of organizations have either implemented or are about to implement containers using Kubernetes-based public cloud services. And Gartner expects the proportion of containerized on-premises production workloads will increase from less than 5% in 2022 to 15% by 2026.

So, what about security?

There is every reason to expect the UAE to reflect the global trend. However, containers present a runtime blind spot. We are, after all, talking about a roster of digital assets that do not exist until the container system creates them. How do you protect these potential assets? It is important to note that each real-world host machine is limited only by its memory capacity in the number of containers it can instantiate. It is also unlimited in how it may move these asset instances from place to place to fulfil service-availability requirements. So the owner organization, and its security team, is faced with a great deal of possibility as well as uncertainty.

Orchestration tools like Kubernetes can only go so far, in that they manage instantiation from availability and efficiency standpoints. Security tooling must go further to deliver real-time, accurate, all-encompassing views of the container environment. Agentless and snapshot-based approaches are insufficient. Performance is another challenge. Kubernetes already has tools to optimize performance, but there is no denying that any security add-ons will have an impact on it, which is bound to provoke responses from a variety of stakeholders, perhaps most of all the DevOps team itself. Meanwhile, since container ecosystems are built from open-source building blocks, any included package or code library can bring vulnerabilities with it.

But strangely, the same factors that make containers such a security concern also make containerization an opportunity to improve security. Containers may carry software vulnerabilities with them wherever they go, but the containerization process can be revisited to include fixes that also travel with the container. The presence of a consistent environment from design to production means that if we detect vulnerabilities and patch them, we can sanitize the entire development lifecycle. Modern security tools are already capable of scanning container images (the design-time templates that sit in registries waiting to become runtime entities). If problems are fixed at source, then robust security is duplicated everywhere instantiation occurs. This principle applies to every element of the development cycle, from third-party libraries to DevOps’ own code. If enterprises fix design-time flaws, runtime assets will carry those fixes with them as a shield against exploitation.

Sanitizing the supply chain

Containerization best practices are still in their infancy, but cybersecurity methodologies are not. Any CISO will advise the establishment and diligent maintenance of an asset inventory that will include a real-time list of in-memory containers. This is made possible by modern security platforms that use asset inventories to predict risk at runtime. Vulnerability management is also a long-running security standard, which can be applied to prioritizing issues found in containers by uniting threat intelligence and business context. This is a critical capability for container environments because of their association with open source and the potential to have higher-than-average vulnerability counts.

Existing security best practices will go a long way towards securing containerization systems, but even a change as technical as this does not happen in a vacuum. Any steering committees already in place to address matters of digital transformation must be informed of vulnerability findings and what their mitigation will mean for non-security and even non-tech stakeholders. CISOs should impress upon dev leads the criticality of robust containerization, especially as it relates to the global rise of supply-chain attacks. Only DevOps is in a position to protect containers at runtime from zero-day threats. Assuming teams are collaborating efficiently, leading-edge threat-detection tools can be leveraged to analyze container images and nip potential vulnerabilities in the bud, thereby releasing the organization from the anxiety of having to rely on signature-based detection methods at runtime.

Containers put deployment at speed and scale within our grasp. But as tempting as it is to start grasping, we must not forget the fundamentals of risk management. The threat is real and on our doorstep. Ultimately, the future of containerization lies not only in its capacity to accelerate innovation but in the ability to balance that with diligent, forward-thinking risk management.

The article is authored by Hadi Jaafarawi, Regional VP for Middle East & Africa, Qualys.