CV_SepOct_22

ment to an asset that’s outside of the data center, then that might need to go through broader segmentation controls such as zoning technologies, security groups or a firewall at the border. So, there are all these layers where you can place network security policies. When looking at a particular connectivity request (say, for a new version of an application) from the point of view of a given container, you should ask yourself: what is the container connected to? What is it communicating with? Where are those other sides of the connectivity placed? Based on that determination, you will know which security controls you need to configure to allow that connectivity through the network.

How does containerization correlate with application-centric security policy management?

There are a number of different aspects to the relationship between container security and application security. If an application uses containers to power up workloads, then container security is very much an integral part of application security. When you’re adding new functionality to an application, powering up additional containers, or asking containers to perform new tasks for which they need to connect to additional assets, the connectivity of those containers needs to be secured, and the security controls need to be adjusted based on what the application needs them to do.

Another factor in this relationship is the structure of the application. All the containers that run and support the application are often located in one cluster or a micro-segment of the network, so much of the communication takes place inside that cluster, between one container and another. However, some of it can go to another cluster or to somewhere that’s not even containerized. This is actually a good thing from an application point of view, as the container structure can be used to understand the application structure as well.

Not sure about container orchestration? Here’s what to know.

Container orchestration is part of a bigger orchestration play which is, in general, related to the concept of infrastructure as code. You want to be able to power up an environment with all the assets it requires and have it all function together, so that you can duplicate it. There are various orchestration technologies that can be used to deploy the security policies for containers, which is an excellent way to maintain container-based applications in a consistent and repeatable manner. Then, if you need to double it or multiply it by 100, you get cookie-cutter copies of the same thing.

How will container security solutions play out in the future?

Organizations today have the technology to enforce security controls at the container level, but these controls are very granular, and it’s time-consuming to set policies and enforce them, particularly with issues like staff or skills shortages. Looking ahead, companies are likely to take a hierarchical view, where container-based security is controlled at the application level by app owners or developers, and at the broader levels to ensure that the measures deployed throughout the network have the same degree of sophistication. Procedures and tooling are all evolving, so we don’t have a definitive answer as to how this will all end up. What are organizations going to be doing? Where will they place their controls? Who has the power to make the changes? When newer technologies are deployed, customer adoption will be crucial to understanding what makes the most sense. This will be interesting, as there will be multiple scenarios to help companies master their security blueprint as we move forward.

Prof. Avishai Wool is CTO and founder of AlgoSec.

CYBER PATROL 10 CHANNELVISION | SEPTEMBER - OCTOBER 2022

[Chart: What specific security concerns do you have about containers? Source: Tripwire, 2019. ITDM vs. BDM responses; only the ITDM series is recoverable from the page, in the order shown: inadequate container security knowledge among teams (54%); visibility into security of containers and container images is limited (52%); inability to assess risk in container images prior to deployment (43%); lack of tools to effectively secure containers (42%); insufficient process to handle fundamental differences in securing containers (40%); not able to assess risk in deployed containers (38%); I have no concerns about container security (5%).]
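The placement question the column asks (what is the container connected to, where does the other side sit, and therefore which layers of control must allow the flow) can be written down as a repeatable check, which is also the logic an orchestration template would have to encode when policies are deployed alongside the application. The following is an added example, not code from the column or from AlgoSec; the inventory, asset names, zones and the three control layers are assumptions made for illustration:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    """One endpoint of a connectivity request (hypothetical inventory record)."""
    name: str
    cluster: Optional[str]  # cluster the workload runs in; None if not containerized
    zone: str               # micro-segment / network zone inside the data center
    in_datacenter: bool     # False for assets reached across the border firewall

# Constructed sample inventory; names and placement are made up for this example.
INVENTORY = {
    "web-frontend":    Asset("web-frontend", "prod-cluster-a", "dmz", True),
    "orders-api":      Asset("orders-api", "prod-cluster-a", "dmz", True),
    "inventory-svc":   Asset("inventory-svc", "prod-cluster-b", "app", True),
    "legacy-db":       Asset("legacy-db", None, "data", True),
    "payment-gateway": Asset("payment-gateway", None, "external", False),
}

def required_controls(src_name: str, dst_name: str, port: int) -> list[str]:
    """Return, from the innermost layer outward, every policy point that must
    allow the request, based on where the two sides of the connection sit."""
    for name in (src_name, dst_name):
        if name not in INVENTORY:
            # An asset you cannot place is a request you cannot safely approve.
            raise ValueError(f"unknown asset {name!r}: add it to the inventory first")
    src, dst = INVENTORY[src_name], INVENTORY[dst_name]
    controls = []
    # Layer 1: container-level policy on each containerized side of the flow.
    if src.cluster:
        controls.append(f"egress policy in {src.cluster}: {src.name} -> {dst.name}:{port}")
    if dst.cluster:
        controls.append(f"ingress policy in {dst.cluster}: {dst.name}:{port} from {src.name}")
    # Layer 2: crossing a cluster or zone boundary needs the segmentation layer
    # (zoning technology / security groups) to allow the same flow.
    if src.cluster != dst.cluster or src.zone != dst.zone:
        controls.append(f"segmentation rule: zone {src.zone} -> zone {dst.zone}:{port}")
    # Layer 3: a side outside the data center adds the border firewall.
    if src.in_datacenter != dst.in_datacenter:
        controls.append(f"border firewall rule: {src.name} -> {dst.name}:{port}")
    return controls

if __name__ == "__main__":
    for req in (("web-frontend", "orders-api", 8080), ("orders-api", "payment-gateway", 443)):
        print(f"{req[0]} -> {req[1]}:{req[2]}")
        for control in required_controls(*req):
            print("  needs", control)
```

A request between two containers in the same cluster and zone resolves to container policies only, while a request to the external payment gateway also needs a segmentation rule and a border firewall rule.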
