The two key words of cloud-native security are ‘runtime security’ and ‘open source’

Software developers building applications in the form of collections of microservices deployed as containers and orchestrated by Kubernetes now have to consider a whole new level of security beyond the build level.

Real-time protection in a containerized environment must be dynamic, unlike cluster hardening. This means that after the container is deployed to production, it must constantly scan for unusual actions within the container, such as connecting to an unexpected resource or creating a new network socket.

Developers these days tend to test earlier and more often (shift left), but containers require holistic protection across their entire lifecycle and across heterogeneous and often short-lived environments.

Gartner analyst Arun Chandrasekaran told Infoworld: “Its nature makes it very difficult to protect. Since you can’t rely on manual processes, you need to automate your environment to monitor and protect what sometimes lasts only a few seconds. We can’t respond to emails here and there,” he said.

In its 2019 white paper, “BeyondProd: A New Approach to Cloud-Based Security,” Google said, “The perimeter security model no longer works for end users or microservices. The scope of protection should be extended to ‘how code is changed and how microservices access user data.’”

Traditional security tools focus on protecting networks, or individual workloads, but modern cloud-native environments require a more holistic approach beyond simply protecting builds. In this holistic approach, hosts, networks, and endpoints must be continuously monitored and protected against attacks. This typically includes dynamic identity management, network access control, and registry security.

The importance of runtime security

Gartner’s Chandrasekaran describes four key aspects of cloud-native security:

1. The starting point is still to protect the foundation through cluster hardening.
2. But it does not end there and extends to protecting the container runtime and ensuring sufficient monitoring and logging is performed.
3. Next, you need to secure the continuous delivery process, which means using trusted container images, secure Helm charts, and continuous vulnerability scans. At the same time, secrets must be protected through effective secrets management.
4. Finally, establish an ideal state and continuously look for departures from this state to secure the network layer, from transport layer security (TLS) to application code itself and cloud security posture management.

In a 2021 Infoworld article, Karl-Heinz Frommer, technical architect at German insurer Munich Re, wrote, “An effective Kubernetes security tool visualizes all connections within a Kubernetes environment, automatically validates their safety, and should be able to block any unexpected activity. With runtime protections like this implemented, even if an attacker breaks into the Kubernetes environment and starts a malicious process, that process is immediately and automatically blocked before it causes harm.”

Runtime Security Startups

Naturally, the major cloud vendors (Google Cloud, Amazon Web Services, and Microsoft Azure) all have this protection built into their managed Kubernetes services. Google VP Eric Brewer told Infoworld: “If it’s done right, there isn’t much for an application developer to do. It’s a feature that should be included for free in the platform.”

But even the cloud giants can’t protect this new world alone. “It’s a problem that no one company can solve,” says Brewer.

A group of vendors, startups, and open source projects are rapidly growing to fill the void. “The startup ecosystem in this sector is developing,” said Chandrasekaran. “The basic aspect of OS hardening or runtime protection is becoming more common, and major cloud providers offer it built into their platforms.”

So, the opportunity for startups and open source projects lies largely in more advanced capabilities like cloud workload protection, security posture management, and secrets management, with ‘smart’ machine learning-based alerting and remediation as a differentiator.

Deepfence was co-founded in 2017 by Sandeep Lahane, a software engineer who previously worked at FireEye and Juniper Networks. As Lahane explains, Deepfence embeds lightweight sensors into microservices that measure the attack surface, something like an MRA scan of cloud assets, in order to focus on what is happening at runtime. “Deepfence’s business is to monetize our customers with runtime protections that solve customer grievances and build targeted defenses,” Lahane said.

Deepfence open-sourced its underlying tool, ThreatMapper, in October 2021. The tool scans, maps and ranks application vulnerabilities, regardless of where the application runs. Deepfence is now pushing to expand its platform to cover the full range of runtime security risks.

Sysdig is another rising player in this space, creating Falco, an open-source runtime security tool.

Falco, like ThreatMapper, focuses on detecting anomalous behavior at runtime. The Falco GitHub page states, “Falco makes it easy to consume kernel events and enrich them with information from Kubernetes and the rest of the cloud-native stack. Falco has a wealth of security rules built for Kubernetes, Linux and Cloud Native. When a rule violation occurs in the system, Falco sends an alert to inform the user of the violation and the severity of the violation.”
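The two behaviours the article names as typical runtime signals, a container connecting to an unexpected resource and a container opening a new listening socket, are exactly the kind of thing a Falco rule file expresses. The following is an added example written for this page; it is not a rule shipped with Falco or by Sysdig. The port allow-list, the image repository name (`example/api-server`) and the namespace names are constructed placeholders that a team would replace with its own inventory; the field names (`evt.type`, `fd.sport`, `container.id`, `k8s.ns.name`, and so on) are standard Falco fields.

```yaml
# Added example: Falco rules for two of the runtime signals discussed above.
# Assumed inventory (replace with your own): the only egress an application
# container is expected to make is HTTPS (443) and PostgreSQL (5432), and
# only pods in the "ingress" namespace are expected to bind new listeners.

- list: allowed_egress_ports
  items: [443, 5432]

- list: namespaces_allowed_to_listen
  items: ["ingress"]

# A completed, outbound TCP/UDP connect() from inside a container.
# container.id != host excludes processes running directly on the node.
- macro: container_outbound_connect
  condition: >
    evt.type = connect and evt.dir = < and evt.rawres >= 0
    and (fd.typechar = 4 or fd.typechar = 6)
    and container.id != host

- rule: Unexpected Outbound Connection From Container
  desc: >
    A container opened a connection to a destination port that is not on the
    allow-list. This is the "connecting to an unexpected resource" case:
    tooling download, reverse shell or exfiltration would all surface here.
  condition: >
    container_outbound_connect
    and not fd.sport in (allowed_egress_ports)
  output: >
    Unexpected outbound connection from container
    (user=%user.name command=%proc.cmdline connection=%fd.name
     container=%container.name image=%container.image.repository
     pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [network, container, runtime]

- rule: Unexpected Listening Socket In Container
  desc: >
    A process inside a container started listening on a new socket, but the
    pod is not in a namespace that is expected to serve traffic. This is the
    "creating a new network socket" case from the text.
  condition: >
    evt.type = listen and evt.dir = < and evt.rawres >= 0
    and container.id != host
    and not k8s.ns.name in (namespaces_allowed_to_listen)
  output: >
    Unexpected listening socket in container
    (user=%user.name command=%proc.cmdline port=%fd.sport
     container=%container.name image=%container.image.repository
     pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [network, container, runtime]
```

Both rules deliberately key on the completed syscall (`evt.dir = <` with a non-negative result) rather than on the attempt, so that a blocked connection does not generate the same alert as a successful one; if you want visibility into attempts as well, drop the `evt.rawres` clause and add the result to the output. The allow-lists are the part that needs care in practice: an over-broad port list silently turns the first rule off, so they should be derived from observed traffic during a quiet baseline period and reviewed whenever the service's dependencies change.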

“As the world has changed, we’ve found that the technology we used to use no longer works,” Sysdig CTO Loris Degioanni said in an interview with Infoworld. “Our starting point is to redefine the data that can be acquired about containers by collecting system calls on top of cloud endpoints, or more simply, by collecting the processes of interactions between applications and the outside world.”

Degioanni compares runtime security to protecting a house, explaining, “You can think of it as a security camera that monitors containerized infrastructure.”

Aqua Security

Israeli startup Aqua Security, founded in 2015, uses an open source project called Tracee. Based on eBPF technology, Tracee performs low-latency runtime security monitoring of distributed apps, looking for suspicious activity.

Aqua CTO Amir Jerbi said, “The moment I saw the container package everything inside and the operations team just click a button and run, I knew I had to package the security inside as well. As a developer, there is no need to wait. Developers are not security experts and don’t know how to protect against sophisticated attacks, so they need a simple layer of security where they can declare the simple elements they need. This is where runtime protection comes in.”

Other runtime security providers

Other companies operating in this space include Anchore, Lacework, Palo Alto Networks’ Twistlock, Red Hat’s StackRox, SUSE’s NeuVector, and Snyk, among others.

Open source is important to attract developers

One common factor for many of the companies listed above is the importance of open source principles. “Customers in this space are interested in open source and want to avoid completely proprietary solutions, because open source is the foundation of cloud-native technology,” said Gartner’s Chandrasekaran.

Every startup executive Infoworld contacted shares this opinion. “The cloud-native community is very focused on open source. Companies that actively participate and contribute to open source are recognized, because you can try this and that, see what the company is doing, and contribute too. We are a commercial company, but many of our products are based on open source.”

“We’re getting closer to the digital immune system,” said Phil Venables, CISO at Google Cloud, adding that an open-source approach is essential to solving the complex problems of cloud-native security. Google gathers information from its own internal systems, large enterprise customers, threat hunters, red teams, and public bug bounty programs. Venables said, “This allows us to have a broader view of and respond to a number of phenomena by being poised to address any vulnerabilities and returning them to open source projects.”

An open and transparent approach like this to runtime security will be very important in a future where distributed applications face distributed threats. Cloud giants will continue to work on embedding this protection into their respective platforms, while new startups will compete to offer comprehensive protection. For now, however, practitioners tasked with protecting containerized applications in production have a daunting road ahead.

Source: ITWorld Korea by
