Adopting a container-based platform is the primary way development teams are streamlining their work and implementing secure DevOps. Pulling down a publicly available container image saves a lot of image preparation time. Automated toolchains also enable teams to develop and deploy innovative new apps more quickly, delivering frequent updates to customers.
Safeguarding data associated with those apps is critical. While app developers may understand the general need to add safeguards, they are not necessarily security experts. Today, addressing complex security challenges means enabling developers to seamlessly build security into their creations without delaying (or derailing) the DevOps process.
Though a public software image is convenient to re-use, you don’t know what’s in it. Trusting the uploader is a risk that is bound to compromise app data at some point. Is the time it takes to verify that a public image is free of vulnerabilities greater than the time saved in building the image yourself?
Since there’s really no substitute for scanning every image before releasing it into the DevOps pipeline proper, expect any cloud platform to provide an efficient way of doing it. IBM Cloud Container Service, for example, offers a Vulnerability Advisor (VA) scanning tool that operates on images in repositories, and in both static and live containers. Alerts are tiered and make recommendations.
VA inspects every layer of every image in a cloud customer’s private registry to help detect vulnerabilities or malware before image deployment. While that’s a good start, to catch problems like drift in from static to live containers, VA also scans running containers for anomalies.
Other VA capabilities include:
Policy violation settings: With VA, administrators can set image deployment policies based on three types of image failure situations: installed packages with known vulnerabilities, remote logins enabled, and remote logins enabled with some users who have easily-guessed passwords.
Best practices: VA currently checks 26 rules based on ISO 27000. Checks include settings such as password minimum age, minimum password length and remote logins enabled.
Security misconfiguration detection: VA flags each misconfiguration issue, provides a description of it and recommends a course of action to remediate it.
Threat rating system: VA pulls in security intelligence from five third-party sources and uses criteria such as attack vector, complexity and availability of a known fix to rate severity. The rating system (critical, high, moderate or low) helps administrators quickly understand which vulnerabilities need priority action.
As you deploy workloads to the cloud, you should expect cloud service providers to help protect your valuable data and applications. You need to be confident about the integrity of both the platform and the containers that run on it. Make container scanning—both live and static scanning—one of the subjects you ask about when evaluating cloud providers. Learn more about container security.
In this post, we will explore a proof of concept illustrating how we can leverage identity federation using a single IBM Cloud App ID instance along with common operational patterns, such as Kubernetes and Istio, to create a centralized identity and access management model that can transparently secure applications/services across cloud environments.