Containers and Kubernetes: Why DevSecOps is Critical to Success
While containerization is certainly not without risks, the path towards a more secure environment starts with DevSecOps on day one.Today, modern development teams constantly strive to identify new ways to optimize their workloads through a combination of automation and cloud-based solutions.
For more than a decade, the concept of combining IT or engineers and operations into a single organization, DevOps, has become more prominent, especially for consumer-facing or cloud-based services that don’t need the weight of support on-premise infrastructure.
Before we get into the importance DevSecOps plays in DevOps and the CI/CD (continuous integration and continuous deployment) pipeline, it’s essential to understand the shifting tides from virtual machines (VMs) to containers. There are additional considerations to acknowledge, such as using open source solutions and having to harden them before deployment.
Virtualization Tech: Containerization and Virtual Machines (VMs)
Comparing virtual machines to containerization regarding functionality and security is not quite the same as comparing apples to oranges, nor would it be a fair comparison to say it’s oranges to oranges.
While both are virtualization technology, and VMs and containers share similar purposes and functionality, containers are considerably more lightweight and portable. In particular, containers virtualize an OS rather than hardware; in return, containers optimize efforts through an increase in speed.
Virtual machines: virtualizes an entire machine, including hardware and software
Containers: virtualizes only the software layers
Container Providers
Atlassian does a wonderful job of visually showing just how similar, yet different, the two offerings are:
Container runtime providers
Docker
Rocket
OpenVZ
Container orchestration providers
Google’s Kubernetes
Hashicorp Nomad
OpenShift
Docker Swarm
Rancher
Why Teams are Adopting Containers
As you know, containers and VMs don’t offer an excellent apples-to-oranges comparison. Before containers and the move to DevOps, most teams relied on VMs, even if they were building applications. Now, VMs can be used if engineers focus on solving infrastructure problems, and DevOps teams can use containers for cloud-based applications.
Increased Scalability and Portability
Containers are more lightweight, offer as much scalability as needed, enable microservices, increase portability, and optimize resources.
For modern, cloud-based applications, most organizations take a DevOps approach and use CI/CD to automate their workload to reduce code conflict or merges of lousy code. Red Hat has a great primer on CI/CD that explains why it’s so vital for cloud-first teams, especially in our remote and hybrid world.
Require Less Time and Resources
DevOps aside, containers also take nearly no time to spin up, require fewer resources or IT personnel, and run on the same OS.
However, the latter indicates the first primary security concern between containers and VMs in that the OS is shared between containers, and an exploit can impact all systems. VMs, on the other hand, are isolated, so any OS level exploits are isolated.
Container Security Advantages
There are two aspects to consider when looking at containers and security: container runtimes and orchestration technology. An oversimplified comparison would have container runtimes be how and where you build containers and container orchestration where you automate aspects of the container’s lifecycle.
When you drill down to container security:
Containers run on a single OS instance, and one exploit can impact all associated clusters
VMs rely on anomaly detection; containers are easier to inspect
CI/CD pipelines make patching faster
Containers and Kubernetes Security Considerations
Out of the box, containers don’t offer the same level of security as using VMs to isolate systems.
However, through hardening practices and well-defined CI/CD pipelines, containers can exceed security compliance requirements while embracing faster and more frequent releases to combat new exploits and threats. This said, it’s crucial to include DevSecOps as a component of building out a containerized environment from the outset.
Putting the Sec in DevSecOps
DevOps allows teams to be more efficient with resources, continue to adapt to change in an agile manner, and unify two teams with a common goal.
Similarly, security should be built in from the start, and it’s everyone’s job to be involved in the process.
In the past, access controls and building a perimeter around resources were sufficient, but with remote teams, cloud environments, insider threats, and a laundry list of other risks, DevSecOps plays a critical role in the success of any development effort.
This is accomplished through access controls (typically role-based access control or RBAC), data security, automating processes (merge process in particular) to follow CI/CD pipelines, and of course, security for containers.
The four DevSecOps areas of focus for containers are:
Development and build process
Testing
Deployment
Production
Throughout each of the above lifecycle stages, there are various security tools and methodologies that ensure you are meeting security requirements. This includes identifying vulnerabilities, assessing the security state of a container, checking for potentially compromised images, and monitoring container workloads.
Unlike VMs, containers are also designed to have a short lifespan, which means you are less likely to run into old containers. This is particularly the case if you have many engineers working on the same project who don’t want to run into merge conflicts.
So what areas of the lifecycle require additional security tools and resources for containers? Storage, networking, lifecycle management, and orchestration. On top of this, having a container monitoring solution may be helpful, but each area has its own risk.
Orchestration, for example, is most often tied to Kubernetes as the de facto solution. While you can mitigate some security aspects through a container as a service (CaaS) solution, for those maintaining the orchestration aspect on their own, you’ll need to consider networks, nodes, pods, data, and even the API.
Are Containers More Secure Than VMs?
As stated previously, it’s clear that there are pros and cons between VMs and container runtimes and container orchestration solutions, and the use cases between them vary based on the project.
While containerization is certainly not without risks, the path towards a more secure environment starts with DevSecOps on day one, a well thought out CI/CD pipeline, having the proper monitoring and scanning capabilities, and automating areas where human conflict could impact processes.
Stay tuned to our blog as we continue this series and look at the security implications of containerization on key security compliance controls and frameworks and how to ensure you are meeting requirements.