Federal agencies, along with most large organizations, are steadily moving to a new generation of technology for deploying software applications. Applications that once ran directly on physical servers gave way to virtual machines, and now virtual machines are yielding to containers orchestrated by frameworks such as Kubernetes.
This method enables more agile deployments in the hybrid, multi-cloud environments that now characterize the information technology setup at most agencies.
Here’s how Tom Hance, the director of container security at Rancher Government Solutions, put it: “Use of containers, specifically Kubernetes, is kind of exploding in the marketplace. It’s recognized as just a much more effective method for DevOps teams to produce applications. They’re more agile. They can deliver on time and with a higher quality product, using microservice-based containers, than they could with, let’s say, a hardware or VM environment of the past.”
This methodology brings a new set of cybersecurity risks that IT staffs must mitigate, Hance said. Standard scanning and monitoring tools cannot see inside containers, and so cannot see what happens when containers talk to one another through application programming interfaces (APIs). Network admins and security operators, Hance said, “really have no idea what application protocols or what packet content is flowing across their cluster.”
He added, “And if you have security in your title, that is a big issue.”
Hance said the traditional defense-in-depth, layered approach of scanning software images and runtimes does not amount to actual security in the containerized world.
Such techniques “don’t actually have the ability to protect your containers,” Hance said, “because they don’t sit in line with live traffic in between container pairs and govern what is allowed to cross that demarcation point.”
This is where Rancher’s NeuVector product comes in. It is designed specifically to protect containerized workloads.
“We not only hold the position between each container pair,” Hance said, “but we have visibility into the application and packet levels to make accurate decisions on what gets to pass in live traffic.” That is, rather than scanning images or logs after something may already have happened, the product blocks execution of malicious code as it occurs.
“That’s really our differentiation,” Hance said. “We can stop malicious code execution in line before it can damage a container, a pod, an application or the system kernel.”
Hance noted that the same vectors for malicious code exist in containerized development as in traditional development: phishing, something arriving via social media, something in an open-source component, or something in an image a developer has downloaded to incorporate. Once malicious code has been incorporated into a container, he said, you need a specific tool like NeuVector to detect and stop it.
The product itself is architected as a Kubernetes-native container, so it runs at wire speed, Hance said, and does not degrade application performance. Because deep packet inspection can “see” application protocols, packet content and payload, it provides what Hance called contextual security for containers, security that agencies cannot obtain from scanning products that operate at network layer 3.
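To make the distinction between layer-3/4 filtering and application-aware inspection concrete, here is an added illustration written for this page. It is not NeuVector code and says nothing about how NeuVector is implemented; the policy tables, pod labels ("web", "api", "db") and sample flows are all constructed. A port-level rule admits any bytes on an allowed port, so an SSH session smuggled over the port reserved for HTTP passes a layer-3/4 check but fails a check that classifies the payload.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection attempt between two pods (constructed sample, not captured traffic)."""
    src: str        # workload label of the client pod, e.g. "web"
    dst: str        # workload label of the server pod, e.g. "api"
    dst_port: int
    payload: bytes  # first bytes the client sent


# Hypothetical layer-3/4 policy: (source, destination) -> permitted ports.
# This is all an address/port firewall or a Kubernetes NetworkPolicy can express.
L34_POLICY = {
    ("web", "api"): {8080},
    ("api", "db"): {5432},
}

# Hypothetical application-layer policy: the protocol expected on each
# permitted pair and port. Anything else on that port is treated as abuse.
L7_POLICY = {
    ("web", "api", 8080): "http",
    ("api", "db", 5432): "postgres",
}

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"PATCH", b"OPTIONS"}


def classify(payload: bytes) -> str:
    """Identify the application protocol from the first bytes of the stream.
    Deliberately tiny; a real inspector parses far more than a prefix."""
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    # PostgreSQL StartupMessage: int32 length, then int32 protocol version 196608 (3.0).
    if len(payload) >= 8 and payload[4:8] == b"\x00\x03\x00\x00":
        return "postgres"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def l34_allows(flow: Flow) -> bool:
    """Layer-3/4 decision: only the pair and destination port are consulted."""
    return flow.dst_port in L34_POLICY.get((flow.src, flow.dst), set())


def l7_allows(flow: Flow) -> bool:
    """Application-aware decision: the pair/port must be permitted AND the
    payload must actually be the protocol the policy expects there."""
    if not l34_allows(flow):
        return False
    expected = L7_POLICY.get((flow.src, flow.dst, flow.dst_port))
    return expected is not None and classify(flow.payload) == expected


# Constructed sample traffic; none of this was captured from a real cluster.
SAMPLE_FLOWS = [
    # Legitimate health check from the web tier to the API tier.
    Flow("web", "api", 8080, b"GET /health HTTP/1.1\r\nHost: api\r\n\r\n"),
    # Legitimate PostgreSQL StartupMessage from the API tier to the database.
    Flow("api", "db", 5432,
         b"\x00\x00\x00\x1f\x00\x03\x00\x00user\x00app\x00database\x00app\x00\x00"),
    # SSH session smuggled over the port the policy allows for HTTP.
    Flow("web", "api", 8080, b"SSH-2.0-OpenSSH_9.6\r\n"),
    # Lateral move (PostgreSQL SSLRequest) on a pair the layer-3/4 policy already forbids.
    Flow("web", "db", 5432, b"\x00\x00\x00\x08\x04\xd2\x16\x2f"),
]


def evaluate(flows=SAMPLE_FLOWS):
    """Return (source, destination, port, layer-3/4 verdict, layer-7 verdict) per flow."""
    return [(f.src, f.dst, f.dst_port, l34_allows(f), l7_allows(f)) for f in flows]


if __name__ == "__main__":
    for src, dst, port, l34, l7 in evaluate():
        print(f"{src}->{dst}:{port}  l3/4={'allow' if l34 else 'deny'}  l7={'allow' if l7 else 'deny'}")
```

The third flow is the case the article is about: the pair and port are permitted, so an address/port rule lets it through, while the payload-aware check rejects it because the bytes are not HTTP. The fourth flow shows that application inspection still builds on the pair/port rule rather than replacing it.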
“I think our adversaries are extremely sophisticated,” Hance said. “They’re much more sophisticated than just looking for an open CVE [Common Vulnerabilities and Exposures entry] that hasn’t been patched, and applying that to gain access to our nation’s critical assets. Agencies should be migrating to this new type of protection.”