5 Tips to Secure Cloud Native Applications
Published on Nov 19, 2020 | 3 Mins Read
There’s no doubt that security is of paramount importance when it comes to cloud native applications. Whether you are running containers on-premises or on a public cloud, you want to make sure your data, application, and network are secure.
In many organizations security is an afterthought, dealt with only when getting ready to go to production or after a breach. This might work for traditional applications. However, when working with cloud native applications you want to integrate security into all stages of the software delivery process (aka DevSecOps).
For example, by containerizing your (monolith) application, you’ve broken it down into microservices that communicate and work together. Now, instead of having to protect that monolith running on one virtual machine inside a VPC, you are dealing with many bits and pieces (containers, pods, etc.) scattered across many hosts. The reality is, you just increased your attack surface.
While there are many advantages to using containers, you have to carefully decide if it’s the right choice. Usually you want to look into the application architecture, cost, learning curve, performance, and most importantly security.
For those applications that you decided to run in containers, there are plenty of things you can do to reduce the risk. I’ll go over five things that cost almost nothing to implement right away. Certainly, this is not a comprehensive list. However, it can act as a starting point, or the bare minimum, to secure cloud native applications.
Rootless Containers
The container runtime usually requires root access to create the namespaces, control groups, etc. around your application container. However, your application container is unlikely to require root access to operate.
The problem with running containers as root is that an attacker might be able to escape a privileged container to the underlying host with root access. This can cause a lot of damage (e.g. CVE-2019-5736).
There are many ways to run rootless containers:
In the Dockerfile, by using the USER instruction
At the orchestrator level, using the runAsUser security context or pod security policies in Kubernetes
Minimalist Images
You can reduce the attack surface by being a minimalist when it comes to the container image. Start with the smallest base image possible and add only the libraries the application needs to run. As you release more versions of your software, you can always go back and rebuild the image.
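Here is an added example that puts the previous two sections together; it is not code from the original post. A multi-stage Dockerfile builds the binary in one stage and ships it on a small base image under an unprivileged user (USER in the Dockerfile), and a Kubernetes pod spec enforces the same thing at the orchestrator level with runAsNonRoot and runAsUser. The two shell helpers show the check a CI step would make: what user the final stage actually runs as, and whether the manifest pins non-root. The image names, the uid 10001 and the file paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: a multi-stage Dockerfile that produces a small, non-root image,
# plus a Kubernetes pod spec that enforces non-root at the orchestrator level,
# with two helper checks. Image names, uid and paths are constructed.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Stage 1 compiles the binary. Stage 2 starts from a small base, copies in
# only that binary, creates an unprivileged user and switches to it, so the
# shipped image carries no compiler, source or build dependencies.
cat > "$WORKDIR/Dockerfile" <<'EOF'
FROM golang:1.15-alpine AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

FROM alpine:3.12
RUN adduser -D -u 10001 app
COPY --from=build /out/app /usr/local/bin/app
USER 10001
ENTRYPOINT ["/usr/local/bin/app"]
EOF

# Pod spec: runAsNonRoot makes the kubelet refuse to start a container whose
# image would run as uid 0, whatever the Dockerfile says; runAsUser pins the
# uid and allowPrivilegeEscalation blocks setuid-style escalation.
cat > "$WORKDIR/pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
  containers:
  - name: app
    image: registry.example.com/app:1.0.0
    securityContext:
      allowPrivilegeEscalation: false
EOF

# Print the user the final stage runs as. The last USER instruction wins, and
# a Dockerfile without one runs as root, which is the case to catch.
dockerfile_effective_user() {
  user=$(grep -E '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 | awk '{ print $2 }')
  printf '%s\n' "${user:-root}"
}

# Succeed (exit 0) only when the pod spec sets runAsNonRoot to true.
manifest_requires_nonroot() {
  grep -Eq '^[[:space:]]*runAsNonRoot:[[:space:]]*true' "$1"
}

echo "Dockerfile final stage runs as: $(dockerfile_effective_user "$WORKDIR/Dockerfile")"
if manifest_requires_nonroot "$WORKDIR/pod.yaml"; then
  echo "pod.yaml enforces runAsNonRoot"
fi
```

Using a numeric uid in the USER instruction matters for the Kubernetes side: runAsNonRoot can only be verified against a numeric uid, so an image that says USER app (a name) without a matching runAsUser will be refused by the kubelet even though it is not root.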
Image Scanning
Integrate guardrails into your CI/CD pipeline to identify possible vulnerabilities. This includes:
Container image scanning
Static code analysis
Using a linter
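As an added example of the "linter" guardrail (not code from the original post), the script below is a small Dockerfile linter meant to run as a CI stage before the heavier image scanner. It enforces two cheap, high-value rules: every base image must be pinned by tag or digest (never the floating latest tag), and the final stage must not run as root. The aggregate function prints the number of failed rules and exits non-zero, which is what makes the pipeline stage fail. The two sample Dockerfiles, image names and uid are constructed.

```shell
#!/bin/sh
# Added example: a Dockerfile linter for a CI stage. It fails the build on two
# rules and runs before the vulnerability scanner. Sample files are constructed.
set -eu

# Stage aliases declared with "FROM ... AS name" are not images and are skipped.
stage_aliases() {
  grep -Ei '^[[:space:]]*FROM[[:space:]]+' "$1" | awk 'tolower($3) == "as" { print $4 }' | tr '\n' ' '
}

# Rule 1: every base image must be pinned by tag or digest, never "latest".
# Simplification: a registry with a port and no tag (host:5000/img) would pass
# the "*:*" case; a production linter parses the image reference properly.
check_pinned_base_images() {
  aliases=" $(stage_aliases "$1") "
  status=0
  for image in $(grep -Ei '^[[:space:]]*FROM[[:space:]]+' "$1" | awk '{ print $2 }'); do
    case "$aliases" in *" $image "*) continue ;; esac
    case "$image" in
      scratch | *@sha256:*) ;;
      *:latest) echo "FAIL: $image uses the floating latest tag" >&2; status=1 ;;
      *:*) ;;
      *) echo "FAIL: $image has no tag and resolves to latest" >&2; status=1 ;;
    esac
  done
  return "$status"
}

# Rule 2: the final stage must switch to a non-root user (last USER wins;
# no USER instruction at all means root).
check_runs_as_nonroot() {
  user=$(grep -E '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 | awk '{ print $2 }')
  case "${user:-root}" in
    root | 0 | root:* | 0:*) echo "FAIL: final stage runs as root (USER ${user:-<none>})" >&2; return 1 ;;
  esac
  return 0
}

# Run every rule. Findings go to stderr, the count of failed rules to stdout,
# and the exit status is non-zero when anything failed.
image_guardrails() {
  failed=0
  check_pinned_base_images "$1" || failed=$((failed + 1))
  check_runs_as_nonroot "$1"   || failed=$((failed + 1))
  echo "$failed"
  if [ "$failed" -eq 0 ]; then return 0; else return 1; fi
}

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample: unpinned base image and no USER instruction.
cat > "$WORKDIR/Dockerfile.bad" <<'EOF'
FROM node
COPY . /app
CMD ["node", "/app/server.js"]
EOF

# Constructed sample: pinned images, multi-stage build, non-root final stage.
cat > "$WORKDIR/Dockerfile.good" <<'EOF'
FROM node:14.15-alpine AS build
WORKDIR /app
COPY . .
RUN npm ci --production

FROM node:14.15-alpine
RUN adduser -D -u 10001 app
COPY --from=build /app /app
USER 10001
CMD ["node", "/app/server.js"]
EOF

# In a pipeline this is the whole stage: a non-zero exit fails the build.
echo "good: $(image_guardrails "$WORKDIR/Dockerfile.good") rule(s) failed"
image_guardrails "$WORKDIR/Dockerfile.bad" || echo "bad: build would be rejected"
```

Run it with the path to the Dockerfile under test; a real pipeline would call it in the same job that invokes the image scanner, so both have to pass before the image is pushed.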
Golden Images
Develop golden images for all your development teams. This will allow you to:
Reduce the number of errors to deal with when building images
Limit the exposure to vulnerabilities from untrusted images
Increase the consistency across the board
Patching
You want to make sure to regularly patch the underlying host or virtual machine and the container runtime. A container is a process, and it’s only as secure as its underlying host.
Whether you’re just getting started with containers or you are running workloads in production, security is something you have to deal with from day one. Not only will it protect your bottom line, it will let you sleep better and serve your customers with confidence.
The aforementioned steps are among hundreds of things that could be done to secure your cloud native applications. Depending on the underlying infrastructure, application architecture, and exposure to attacks, you want to formulate an effective security strategy that works for your organization.