![\"\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2017\/05\/02160442\/Neuvector-security-300x201.png\")
<\/p>\n<\/p>\n
Managing containers requires a broad scope from application development, test, and system OS preparation, and as a result, securing containers can be a
\nbroad topic with many separate areas. Taking a layered security approach
\nworks just as well for containers as it does for any IT infrastructure.
\nThere are many precautions that should be taken before running
\ncontainers in production.* These include:<\/p>\n
*Download<\/a> \u201c15 But at the end of the day, containers need to run in a production Run-time container security focuses on monitoring and securing Containers can be deployed in seconds and many architectures assume You can try to start doing the actions above manually or with a few open But often you\u2019ll find that there\u2019s too much glue you have to script to Today, containers are being deployed to production more frequently for
\nTips for Container Security\u201d for a more detailed explanation<\/p>\n
\nenvironment where constant vigilance is required to keep them secure. No
\nmatter how many precautions and controls have been put in place prior to
\nrunning in production, there is always the risk that a hacker may get
\nthrough or a malware might try to spread from an internal network. With
\nthe breaking of applications into microservices, internal
\n\u2018east-west<\/a>\u2018
\ntraffic increases dramatically and it becomes more difficult to monitor
\nand secure traffic. Recent examples include the ransomware
\nattacks<\/a>
\nwhich can exploit thousands of MongoDB or ElasticSearch servers, include
\ncontainers, with very simple attack scripts. It\u2019s often reported that
\nsome serious data leakage or damage also has happened from an internal
\nmalicious laptop or desktop.<\/p>\nWhat is \u2018Run-Time Container Security\u2019?<\/h4>\n
\ncontainers running in a production environment. This includes container
\nand host processes, system calls, and most importantly, network
\nconnections. In order to monitor and secure containers during run-time,<\/p>\n\n
Why is it Important?<\/h4>\n
\ncontainers can scale up or down automatically to meet demand. This makes
\nit extremely difficult to monitor and secure containers using
\ntraditional tools such as host security, firewalls, and VM security. An
\nunauthorized network connection often provides the first indicator that
\nan attack is coming, or a hacker is attempting to find the next
\nvulnerable attack point. But to separate authorized from unauthorized
\nconnections in a dynamic container environment is extremely difficult.
\nSecurity veterans understand that no matter how many precautions have
\nbeen taken before run-time, hackers will eventually find a way in, or
\nmistakes will lead to vulnerable systems. Here are a few requirements
\nfor successfully securing containers during run-time:<\/p>\n\n
\nwithout manual intervention<\/li>\n
\nnetworks and orchestration services such as load balancers and name
\nservices to avoid blind spots<\/li>\n
\nseparate authorized from unauthorized connections<\/li>\n
\nkilled and no longer visible.<\/li>\n<\/ol>\nEncryption for Containers<\/h4>\n
![\"\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2017\/03\/02163952\/Screen-Shot-2017-03-02-at-3.39.06-PM-150x150.png\")
<\/a> A
\nbusiness guide to effective container app management – download
\ntoday\u00a0<\/a>Encryption can be an important layer of a run-time security strategy.
\nEncryption can protect against stealing of secrets or sensitive data
\nduring transmission. But it can\u2019t protect against application attacks or
\nother break outs from a container or host. Security architects should
\nevaluate the trade-offs between performance, manageability, and security
\nto determine which, if any connections should be encrypted. Even if
\nnetwork connections are encrypted between hosts or containers, all
\ncommunication should be monitored at the network layer to determine if
\nunauthorized connections are being attempted.<\/p>\nGetting Started with Run-Time Container Security<\/h4>\n
\nsource tools. Here\u2019s some ideas to get you started:<\/p>\n\n
\nexample<\/li>\n
\nWeaveworks for basic network policies<\/li>\n
\nTigera for example<\/li>\n
\nother tools built-in<\/li>\n
\nconnections and view suspicious activity<\/li>\n<\/ul>\n
\nget everything working together. The good news is that there is a
\ndeveloping ecosystem of container security vendors, my company NeuVector
\nincluded, which can provide solutions for the various tasks above. It\u2019s
\nbest to get started evaluating your options now before your containers
\nactually go into production. But if that ship has sailed make sure a
\nsecurity solution will layer nicely on a container deployment already
\nrunning in production without disrupting it. Here are 10 important
\ncapabilities to look for in run-time security tools:<\/p>\n\n
\nsystem services<\/li>\n
\nmanual configuration and increase accuracy<\/li>\n
\nprotocol), not just layer 3 or 4 network policies<\/li>\n
\nattacks<\/li>\n
\ncontainers, but also the ability to completely quarantine a
\ncontainer<\/li>\n
\nDocker daemon<\/li>\n
\nincrease accuracy and scalability, and improve visualization and
\nreporting<\/li>\n
\nnetworks<\/li>\n
\nfor suspicious containers<\/li>\n<\/ol>\n
\nenterprise business applications. Often these deployments have
\ninadequate pre-production security controls, and non-existent run-time
\nsecurity capabilities. It is not necessary to take this level of risk to
\nimportant business critical applications when container security tools
\ncan be deployed as easily as application containers, using the same
\norchestration tools as well. Fei Huang is Co-Founder and CEO of
\nNeuVector. He has over 20 years of experience in enterprise security,
\nvirtualization, cloud and embedded software. He has held engineering
\nmanagement positions at VMware, CloudVolumes, and Trend Micro and was
\nthe co-founder of DLP security company Provilla. Fei holds several
\npatents for security, virtualization and software architecture.<\/em><\/p>\n