Security can’t be an afterthought. It needs to be embedded in the DevOps process, which Gartner refers to as “DevSecOps” (see “10 Things to Get Right for Successful DevSecOps”). Organizations need to plan for securing the containerized environment across the entire life cycle: the build and development process, deployment, and the run phase of an application.

Recommendations:
- Integrate image scanning into the enterprise’s continuous integration/continuous delivery (CI/CD) pipeline so that images are scanned during the build phase and again while running, since new vulnerabilities are disclosed against images that are already deployed. Make the scan a gate that fails the build on unaddressed critical findings, not just a report. Emphasize the scanning and identification of open-source components, libraries and frameworks; developer use of older, vulnerable versions is one of the leading causes of container vulnerabilities.
- Harden configurations using the Center for Internet Security (CIS) benchmarks, which are available for the Docker runtime and for Kubernetes. Tools that automate the benchmark checks exist for both (for example, Docker Bench for Security and kube-bench), so the checks can be run on every node rather than once during an audit.
- Set up mandatory access controls, ensure separation of duties and institute a secrets management policy. Sensitive information, such as Transport Layer Security (TLS, often still called SSL) private keys or database credentials, should be encrypted at rest by the orchestrator or a third-party secrets manager and provisioned to the container at runtime, never baked into the image or written into the deployment manifest. Note that Kubernetes Secrets are only base64-encoded, not encrypted, unless encryption at rest (or an external key management service provider) is configured for the cluster’s etcd store.
- Avoid privileged containers through policy management, for example an admission control policy that rejects the privileged flag, host namespace sharing, hostPath mounts and added Linux capabilities. A privileged container has effectively root access to the node, so denying it limits what an attacker gains from compromising a single container.
- Deploy security products that provide whitelisting of permitted processes and images, behavioral monitoring and anomaly detection, so that malicious activity inside a running container is detected and blocked rather than discovered after the fact.
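The recommendation on avoiding privileged containers through policy is concrete enough to show as code. The following is an added example, not part of the original report and not any vendor’s product: a minimal admission-style check over a Pod manifest, written as a plain Python function so it runs offline. The two Pod specs are constructed for illustration (the image names are placeholders); the field names they use are the real Kubernetes PodSpec and SecurityContext fields that Pod Security Admission’s “restricted” profile or an OPA/Kyverno rule would inspect. The function name, the violation messages and the allowed-capability set are this example’s own choices.

```python
"""Added example: a minimal admission-style policy check for privileged
container settings.  Not from the original report; the Pod specs below are
constructed for illustration."""

# Linux capabilities the 'restricted' Pod Security Standard lets a container
# add back after dropping ALL.  Anything else (SYS_ADMIN, NET_RAW, ...) is
# treated as a violation here.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def check_pod(pod: dict) -> list[str]:
    """Return the policy violations for one Pod manifest (empty list = allow)."""
    violations = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Sharing a host namespace exposes every process or socket on the node,
    # which in practice is as dangerous as the privileged flag itself.
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            violations.append(f"pod: {ns}=true shares a host namespace")

    # hostPath volumes let the container read or write the node filesystem.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"volume {vol.get('name')}: hostPath mount")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})

        if sc.get("privileged"):
            violations.append(f"{name}: privileged=true (all capabilities, device access)")

        # Default is true; a setuid binary can then regain privileges.
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation must be false")

        caps = sc.get("capabilities", {})
        if [x.upper() for x in caps.get("drop", [])] != ["ALL"]:
            violations.append(f"{name}: capabilities.drop must be [ALL]")
        disallowed = {x.upper() for x in caps.get("add", [])} - ALLOWED_ADDED_CAPS
        if disallowed:
            violations.append(f"{name}: adds disallowed capabilities {sorted(disallowed)}")

        # runAsNonRoot and seccompProfile may be set at pod or container level;
        # the container-level value wins when both are present.
        non_root = sc["runAsNonRoot"] if "runAsNonRoot" in sc else pod_sc.get("runAsNonRoot")
        if not non_root:
            violations.append(f"{name}: runAsNonRoot must be true")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")

    return violations


# Constructed example: a typical "it works, ship it" debugging Pod.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "registry.example.com/tools:latest",  # placeholder image
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed example: a workload hardened to the 'restricted' profile.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "registry.example.com/web:1.0",  # placeholder image
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        found = check_pod(pod)
        print(pod["metadata"]["name"], "REJECT" if found else "ALLOW")
        for line in found:
            print("  -", line)
```

The weak Pod is rejected for seven separate reasons, which is the point of the example: removing the privileged flag alone is not enough, because hostPID, the hostPath mount and the missing capability drop each give an attacker a separate route to the node. In a real cluster the same rules are enforced by labelling the namespace with pod-security.kubernetes.io/enforce=restricted or by an admission webhook, rather than by a script run after the fact.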