In the first article in this series, we discussed what zero trust security is and why it matters. In the second article in this series, we talked about the benefits of zero trust network access. In this third article installment, we will dive into using zero trust models within container security.
Containers carry many benefits for organizations. Some of these benefits include better efficiency, quick deployment and scaling of applications, and fewer system requirements. However, these benefits are not without significant costs and some challenges. Containers often rely on complicated networking and with that comes a host of security challenges from weak firewalls, container image vulnerabilities, and risks around unauthorized access.
Is there a solution that can lessen the challenges security teams face while increasing perimeters around data protection and mitigating cybersecurity risks? Zero trust could be a great solution that many organizations are turning toward these days.
How Can Zero Trust Models Help?
In the majority of traditional security environments, network complexity and limitations with traditional firewalls pose the biggest risk to organizations. Too many connections within any network can cause certain hot spots to be overlooked. Further, traditional firewalls often do not do the best job of detecting and mitigating activity from attackers within or without the network.
This is where zero trust security models can make the biggest difference. Since zero trust is built on a policy of not trusting anything or anyone, the policies around user access and workload identities help organizations to understand who is accessing what information, and what information is being transported throughout the network.
Since many enterprises no longer collect and store data in-house, the need for zero trust security models has become greater. Both on- and off-premise platforms and services now host data and access to these applications comes from a range of different devices in various geographical locations. This leaves the traditional security model unfit to protect a lot of organizations.
How Do Containers Manage Networking
Containers manage networking systems in a number of ways. For example, Docker required a way to introduce containers and so it used the network address translation (NAT) to do that. NAT changed the network address information, covering network complexity but making the ins and outs more ambiguous than before. As a result, containers have different IP addresses from the parent IP.
Furthermore, the Docker subnet can be separated from the underlying network. In this case, container networks can freely migrate and move between different platforms. For example, primary services can run on-premise while extra containers can run on Amazon Web Services (AWS). This allows for organizations to run efficiently and have the right amount of bandwidth even when there is more traffic through a network such as during the workday than after hours.
Bridging, on the other hand, is more open and available. All containers act within the same network on a consistent IP address framework. The underlying network is completely visible to IT teams. And while some connections are hosts and others are containers, containers can move through hosts with the full knowledge of an IT manager or IT team within an organization.
With overlay networks in use, containers can communicate efficiently and easily with other containers, creating a more distributed network. In this case, the entire infrastructure will move around to various hosts as the load and performance metrics are required.
While container networking is very customizable, its complexity makes policies around firewalls and other more traditional security perimeters very hard to create.
There is usually agreement about what an organization’s security policies are, but less so about how to actually enforce them across multiple environments. According to the Cloud Security Alliance’s 2021 “State of Cloud Security Risk, Compliance, and Misconfigurations,” only 30% of organizations have IT operations, development, and security teams that are aligned regarding what their security policies are and how to enforce them with DevSecOps. Zero Trust policies offer the promise of more consistent enforcement, but that will also require agreement among various teams.
Network Security Policies and Lateral Movement Complexities
If a cybercriminal wants access to a host’s secure database, with a firewall in place, only the packet would be shown from the host’s side. The host has been granted permission to trust this machine and thus it will let the packet through. The attacker will then be able to move across the network and get closer to their target with encrypted data or data exfiltration.
Organizations can build a traditional security framework with firewalls and adopt a zero trust security model to ensure containers and microservices are connected and communicating. In this case, zero trust is developed with several principles in mind.
- Implicit mutual trust between containers does not exist. Instead, mandatory authentication is required and it prevents a cyberattacker from moving laterally through one compromised container to another one. When a cyber attacker gets stuck or doesn’t see a way from one container to the next, the attacker is likely to be thwarted.
- Code and infrastructure are hosted through a local server certificate. The logs provide a record to assist with troubleshooting in the instance there is a cybersecurity attack.
- Identity and access management along with other security policies and benchmarks identify users, accesses, certificates, timelines, and role-based controls to prevent intruders from within and without.
Establishing safety and security guidelines allow containers to run in a multi-cloud environment. Underlying infrastructure can enforce the security controls with containers. Cloud-based and container-based applications will continue to drive interest in zero trust network access.
As a rule, security teams and IT leaders must enforce consistent security controls across applications, networks, and platforms. Establishing a method to secure access to containers is critical today more than ever as firewalls simply aren’t enough to manage changes within a container’s network IP.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.