For a long time, the concept of “infrastructure” remained relatively unchanged: firewalls, routers, servers, desktops, and so on make up the majority of your network. Yet over the last few years, the tides have begun to shift. Virtualization is now ubiquitous, giving employees tremendous leeway in their ability to spin up and take down new machines at will. Large chunks of critical processes and applications run in cloud services like Amazon Web Services (AWS) and Microsoft Azure. Containers have made it easy to create and launch large applications across any infrastructure.
With all these magical improvements to flexibility and efficiency comes additional risk. Network infrastructure is no longer a room on the second floor of your office building; instead, it's a constantly morphing and shifting mass of potentially vulnerable virtual and cloud devices. Soon, InsightVM, Rapid7’s analytics-driven vulnerability management solution, will provide the ability to understand and assess the modern and ever-changing network. Our first major step: container security.
I’ve got a container security problem
Container technology has been growing by leaps and bounds in recent years; it has come a long way from the days of Solaris Zones. If you’re into data, check out DataDog’s view of Docker adoption. Year-over-year growth of real, productive use of Docker is 40%. Why is that?
Containerization shifts not only the deployment philosophy, process, and speed, but more importantly the ownership of IT assets. What once was a clear divide between IT asset owner and software developer/service provider may now be blurry. Software developers use containers to manage more and more application deployment, meaning IT becomes less and less responsible for patching libraries and dependent software packages. When shipped within the container, software dependencies are no longer managed by the host OS but instead by the runtime container environment.
Application developers get more efficient. IT teams have less control and less visibility, without any reduction in responsibility.
With greater efficiency comes greater risk
In the history of infrastructure, containers are just another technology with which security teams must come to grips. But they also have some unique characteristics that change the behavior of infrastructure. Specifically:
- Containers are ephemeral. They make modern infrastructure move faster. According to DataDog, “containers have an average lifespan of 2.5 days, while across all companies, traditional and cloud-based VMs have an average lifespan of 23 days.”
- Container hosts may be densely packed with risk. Much like their hypervisor relatives, container hosts can run any workload and, therefore, assume any risk.
- Containers are designed to be mixed and matched in myriad ways. Containers aren’t assets—nor are they business applications. Container images are immutable building blocks, defined by their cryptographic hash.
Taken together, these factors make it clear that securing container technology is different from securing a general-purpose server or virtual machine.
Securing containers with InsightVM
We are working on capabilities in InsightVM to help you assess and contain this risk in three primary ways:
1. Discovery: InsightVM will increase visibility of where your Docker hosts live in your world so you know where to begin your efforts to contain your container problem. InsightVM will also identify container images, whether running or stopped, and put them at your fingertips: fully searchable by cryptographic hash or container metadata.
Simple, easy-to-understand solutions often win the day for time-starved teams. Start with discovery, and increase capability from there. InsightVM will allow customers to discover Docker containers across their environment and understand their container attack surface.
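The discovery point above rests on one property: a container image is identified by a content hash, while a tag such as `web:latest` is just a mutable name. The following is an added example written for this post, not InsightVM or Docker code. It constructs two image configs and three per-host container listings, derives each image's ID as a sha256 over the config JSON (Docker's image ID works the same way in principle; the exact canonical serialisation used here is an assumption), and then indexes running and stopped containers so they can be searched by hash prefix or by label metadata.

```python
"""Content-addressed image inventory (added example; not InsightVM or Docker code).

Sample image configs and per-host container listings are constructed inline.
Image IDs are derived as sha256 over the image config JSON; the deterministic
serialisation below is an assumption, not Docker's exact byte layout.
"""
import hashlib
import json
from collections import defaultdict


def image_id(config):
    """sha256 over a deterministic serialisation of the image config."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canonical).hexdigest()


# Constructed layer digests (placeholders, not real content hashes).
LAYER_OS = "sha256:" + "11" * 32
LAYER_APP_V1 = "sha256:" + "22" * 32
LAYER_APP_V2 = "sha256:" + "33" * 32


def make_config(layers, labels):
    """The parts of an OCI/Docker image config that matter for identity here."""
    return {
        "architecture": "amd64",
        "os": "linux",
        "config": {"Labels": labels},
        "rootfs": {"type": "layers", "diff_ids": list(layers)},
    }


WEB_V1 = make_config([LAYER_OS, LAYER_APP_V1], {"app": "web", "team": "payments"})
WEB_V2 = make_config([LAYER_OS, LAYER_APP_V2], {"app": "web", "team": "payments"})
WEB_V1_ID = image_id(WEB_V1)
WEB_V2_ID = image_id(WEB_V2)
CONFIGS = {WEB_V1_ID: WEB_V1, WEB_V2_ID: WEB_V2}

# Constructed listings, as a discovery scan of each Docker host would collect them.
# The mutable tag "web:latest" refers to different content on host-a and host-c.
CONTAINERS = [
    {"host": "host-a", "name": "web-1", "tag": "web:latest", "image_id": WEB_V1_ID, "state": "running"},
    {"host": "host-b", "name": "web-2", "tag": "web:1.0", "image_id": WEB_V1_ID, "state": "exited"},
    {"host": "host-c", "name": "web-3", "tag": "web:latest", "image_id": WEB_V2_ID, "state": "running"},
]


def build_inventory(containers, configs):
    """Group running and stopped containers by their immutable image ID."""
    inventory = defaultdict(lambda: {"labels": {}, "containers": []})
    for c in containers:
        entry = inventory[c["image_id"]]
        entry["labels"] = configs[c["image_id"]]["config"]["Labels"]
        entry["containers"].append((c["host"], c["name"], c["state"]))
    return dict(inventory)


def find_by_hash(inventory, digest_or_prefix):
    """Look up by full digest or a prefix; the 'sha256:' scheme is optional."""
    needle = digest_or_prefix
    if not needle.startswith("sha256:"):
        needle = "sha256:" + needle
    return [iid for iid in inventory if iid.startswith(needle)]


def find_by_label(inventory, key, value):
    """Look up by image metadata, e.g. every image the payments team owns."""
    return sorted(iid for iid, e in inventory.items() if e["labels"].get(key) == value)


def images_behind_tag(containers, tag):
    """What a tag-based view hides: one name may cover several distinct images."""
    return {c["image_id"] for c in containers if c["tag"] == tag}


if __name__ == "__main__":
    inv = build_inventory(CONTAINERS, CONFIGS)
    print("distinct images behind web:latest:", len(images_behind_tag(CONTAINERS, "web:latest")))
    for iid in find_by_label(inv, "team", "payments"):
        print(iid[:19], inv[iid]["containers"])
```

The point the code makes is that asking "where is web:latest running?" returns two different images, whereas asking for a digest returns exactly the hosts (and the stopped containers) that carry that content; an inventory keyed by hash is what lets you answer "is the image with this known-bad digest anywhere in my environment?" regardless of how it was tagged.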
2. Configuration: InsightVM will identify container hosts that do not comply with CIS benchmarks for common OSes and Docker itself, and combine that with best-in-class vulnerability and remediation built for IT teams.
Ask yourself, which represents less risk, a) or b)?
- a) A container image: purposefully configured, built for an application’s specific needs
- b) A container host: a general-purpose computer, configured to run Docker, patched or unpatched
At face value, I’ll take the purposefully configured container over the general purpose computer any day. Even though container images are ephemeral, numerous, and—worst of all—created by those wily developers, they are not general purpose computers and present a different attack surface. Confirm your container hosts are securely configured and vulnerability-free, and you’ve reduced risk across any container that runs on the host.
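Checking a container host against the Docker CIS benchmark is, for a large part, checking a handful of dockerd settings. The following is an added example, not InsightVM code: it audits a host's `daemon.json` against a short list of checks modelled on commonly cited CIS Docker Benchmark recommendations (restricting inter-container traffic, user namespaces, no-new-privileges, live restore, TLS on any TCP listener, no insecure registries). Both `daemon.json` documents are constructed, and treating this list as the complete benchmark is an assumption of the example.

```python
"""Host configuration audit against CIS Docker Benchmark-style settings.

Added example, not InsightVM code. The two daemon.json documents are
constructed; the checks cover dockerd settings the CIS Docker Benchmark is
commonly cited for. Treating this list as the complete benchmark is an assumption.
"""
import json


def tcp_listeners_are_tls(cfg):
    """Any tcp:// listener in 'hosts' must be paired with tlsverify."""
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    return not tcp or cfg.get("tlsverify") is True


CHECKS = [
    # (benchmark-style title, predicate over the parsed daemon.json)
    ("Restrict network traffic between containers (icc=false)",
     lambda c: c.get("icc") is False),
    ("Disable the userland proxy (userland-proxy=false)",
     lambda c: c.get("userland-proxy") is False),
    ("Enable live restore (live-restore=true)",
     lambda c: c.get("live-restore") is True),
    ("Run containers with no-new-privileges by default",
     lambda c: c.get("no-new-privileges") is True),
    ("Enable user namespace remapping (userns-remap set)",
     lambda c: bool(c.get("userns-remap"))),
    ("Do not expose the daemon over plain TCP (tcp:// without tlsverify)",
     tcp_listeners_are_tls),
    ("Do not trust insecure registries",
     lambda c: not c.get("insecure-registries")),
]

# Constructed: a host with the daemon exposed on the network and defaults otherwise.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "insecure-registries": ["registry.internal:5000"],
  "log-level": "info"
}"""

# Constructed: the same host with the settings above corrected.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "icc": false,
  "userland-proxy": false,
  "live-restore": true,
  "no-new-privileges": true,
  "userns-remap": "default",
  "log-level": "info"
}"""


def audit(daemon_json_text):
    """Return the titles of the failed checks for one host's daemon.json."""
    cfg = json.loads(daemon_json_text)
    return [title for title, ok in CHECKS if not ok(cfg)]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        failed = audit(text)
        print(f"{name}: {len(failed)} failed check(s)")
        for title in failed:
            print("  -", title)
```

Every finding here is a host-level setting, which is exactly why fixing the host pays off across all the images that run on it: a plain-TCP daemon socket or missing user-namespace remapping exposes every container on the host, however carefully each image was built.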
3. Assessment: InsightVM will offer a fully integrated container assessment service, providing visibility into vulnerabilities and risk associated with the components and layers of a container. This includes full searchability by cryptographic hash or container metadata.
With these additions, InsightVM will make it easy for you to:
- Perform vulnerability assessment on the container image as it is deployed and exists in production
- Perform vulnerability assessment on the container image as it is built, prior to deployment
Security teams that have strong application development partnerships can integrate directly into DevOps pipelines (i.e. CI/CD). But for those who do not enjoy such visibility or relationships with development teams, fear not: you can collect and assess a container image as it exists on the container host itself.
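Assessing "the components and layers of a container", whether at build time or from the image as collected on a host, comes down to the same computation: resolve the package set the layers produce, then match it against an advisory feed, remembering which layer introduced each package. The following is an added example, not InsightVM code. The image layers, their package changes and the advisory feed are constructed, and the advisory identifiers are placeholders rather than real vulnerabilities. It also shows why a scan of only the application's own layer is not enough.

```python
"""Layer-aware package assessment of a container image (added example; not
InsightVM code). The image layers, their package changes and the advisory feed
are constructed; advisory identifiers are placeholders, not real vulnerabilities.
"""


def version_key(version):
    """Order dotted versions with an optional letter suffix, e.g. 1.0.2g < 1.0.2k."""
    key = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        key.append((int(digits) if digits else 0, piece[len(digits):]))
    return key


# Constructed image: ordered layers, each recording the package changes that
# the corresponding Dockerfile step made. Digests are placeholders.
IMAGE_LAYERS = [
    {"digest": "sha256:" + "11" * 32,                 # FROM base image
     "packages": {"openssl": "1.0.2g", "zlib": "1.2.8", "bash": "4.3"}},
    {"digest": "sha256:" + "22" * 32,                 # RUN apt-get install openssl
     "packages": {"openssl": "1.0.2k"}},
    {"digest": "sha256:" + "33" * 32,                 # COPY app; RUN apt-get purge bash
     "packages": {"app": "1.4.0"}, "removed": ["bash"]},
]

# Constructed advisory feed: a package is affected below fixed_in.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-1", "package": "openssl", "fixed_in": "1.0.2k", "severity": "high"},
    {"id": "ADV-CONSTRUCTED-2", "package": "zlib", "fixed_in": "1.2.11", "severity": "medium"},
    {"id": "ADV-CONSTRUCTED-3", "package": "bash", "fixed_in": "4.4", "severity": "high"},
]


def resolve_packages(layers):
    """Union the layers in order, as the runtime does for the filesystem: later
    layers override earlier versions or remove packages. Also remember which
    layer introduced each surviving package."""
    packages, origin = {}, {}
    for layer in layers:
        for name in layer.get("removed", []):
            packages.pop(name, None)
            origin.pop(name, None)
        for name, version in layer["packages"].items():
            packages[name] = version
            origin[name] = layer["digest"]
    return packages, origin


def assess(layers, advisories):
    """Match the resolved package set against the advisory feed."""
    packages, origin = resolve_packages(layers)
    findings = []
    for adv in advisories:
        installed = packages.get(adv["package"])
        if installed is None:
            continue
        if version_key(installed) < version_key(adv["fixed_in"]):
            findings.append({
                "id": adv["id"], "package": adv["package"], "installed": installed,
                "fixed_in": adv["fixed_in"], "severity": adv["severity"],
                "introduced_by": origin[adv["package"]],
            })
    return findings


def assess_top_layer_only(layers, advisories):
    """What a scan that looks only at the application's own layer would report."""
    return assess(layers[-1:], advisories)


if __name__ == "__main__":
    for f in assess(IMAGE_LAYERS, ADVISORIES):
        print(f["id"], f["package"], f["installed"], "<", f["fixed_in"],
              "introduced by layer", f["introduced_by"][:19])
    print("top-layer-only findings:", len(assess_top_layer_only(IMAGE_LAYERS, ADVISORIES)))
```

Because the input is the ordered layer list, it does not matter whether that list came from the registry in a CI/CD step or was collected from the image on a host: the same layers give the same findings. The `introduced_by` digest is what makes the result actionable for developers, since it points at the base image rather than at their own build step, and the top-layer-only variant shows the blind spot of a scan that ignores what the base image brought in.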
We are now conducting direct customer engagement on these capabilities through the Rapid7 Voice program with InsightVM customers and will roll out new capabilities starting in Q2 2017. Of course, we have much, much more in store, and I encourage you to reach out to your Customer Success Manager or Account Executive to learn more. Also, if you're not a Rapid7 customer, you can try a free trial of InsightVM for 30 days!
NOTE: Rapid7 creates innovative and progressive solutions that help our customers confidently get their jobs done. As such, the development, release, and timing of any product features or functionality described remains at our discretion in order to ensure our customers the excellent experience they deserve, and is not a commitment, promise, or legal obligation to deliver any functionality.