Adaptive Segmentation | micro-segmentation | May 21, 2020

Deputizing DevOps: Is Container Security Your Weakest Link?

Katey Wood

Is anyone formally in charge of container security at your organization? Or is it an “SEP?” “Somebody Else’s Problem” – left up to the DevOps or DevSecOps team? Or are you counting on limited and dispersed cloud-native security offerings from AWS, Azure or GCP?

Zero Trust doesn’t stop at the network. Don’t entrust non-security personnel in your organization with security’s responsibility. Just because DevOps is working on something you may not understand doesn’t mean the buck will stop with them, especially when it causes an outage or a breach.

The risks of container security can’t ultimately be delegated outside of the security team. Even if you don’t know anything about Kubernetes, much less Kubernetes security, you still need to secure containers adequately, with segmentation. Why? Because they’re another form of compute, like everything else in your environment you need to secure already – your data center, your VMs, your public and private cloud – and now containers – and they’re likely communicating with your other forms of compute as well. Containers can be the weakest link in your environment – and if DevOps oversees their security, then they’re in charge of everything containers are talking to as well.

Containers Don’t Live on an Island

Maybe you think container security with a container-centric solution is enough. Maybe you’re even in a cloud-first environment with minimal legacy infrastructure. But odds are you’re not running containerized applications exclusively. Containers talk to other things in your infrastructure, which means they are just as exposed to breach, and everything else is too.

  • A container running a vulnerable piece of code at runtime or an unprotected key can be compromised, either through the container itself, or even further, by taking control of the host running tens or hundreds of containers for different applications.
  • This container or host can then be used to move laterally from one containerized workload to another, potentially causing cascading attacks across the entire infrastructure.

Security is not baked into containers. And even though ringfencing with a container security point tool might protect your cluster – it won’t protect everything else it may be communicating with.

How will containers talk securely with the rest of your infrastructure? If you’re trying to segment them off using the same perimeter firewalls that secure the rest of your infrastructure, not only are you using static tools in a dynamic environment, you will also run into the same visibility problems perimeter firewalls have everywhere else.

Which brings us to point #2.

You Can’t Secure What You Can’t See

Without visibility of traffic from containerized applications, you may have no warning of potential container security problems until something goes wrong. In fact, Illumio customers typically discover “unknown unknowns” to address immediately. Environmental separation may be poorly defined, leaving developers working with a production environment, unknowingly risking the outage of production applications. Without visibility there may be nothing to prevent it - and without traceability, no way of knowing what happened.

Illumio ASP segments containerized hosts alongside other forms of compute across the data center and the cloud – providing centralized visibility of traffic communicating across your environments and deep insights into your container clusters.

So, if you can’t live with outages and interruption, you can’t live without container security. The next question to ask is, “can your DevOps team live with it?” Security – done wrong – slows down deployment, when the point of containerized applications is to speed it up.

Security Shouldn’t Slow Down DevOps

This is another reason you shouldn’t delegate security to non-security teams: it’s a conflict of interest; a little like asking a driver on a major highway what they think their speed limit should be. “How slow do you think we should force you to go? How much medicine would you like to take?” They’re put at cross purposes, forced to work against their own objectives.

In the case of DevOps specifically, security (done wrong) works against their objectives of fast application delivery.

Part of the reason is applying old tools to a new job. Typical approaches to security slow down containerized application deployments – especially when perimeter firewalls are applied to secure containers, which amounts to using static rules in a dynamic environment.

How will you apply egress policy to dynamic containers using static IP addresses? Your first impulse might be to kludge the firewalls with Virtual IPs – but this consumes the same static pool of addresses, leaves firewall policy in place long after an application disappears, and generally adds delays to your CI/CD pipeline. It negates the advantages of containers by making application delivery difficult and process-heavy – as well as creating gaps in policy.

And guess what happens when security slows down users? Users circumvent security.

Deputize DevOps for “Cloud Native” Container Segmentation

But container security doesn’t have to be a painful bottleneck. It can make everyone’s life easier – even DevOps! With Illumio ASP, the security team can partner with DevOps or DevSecOps to create a DevSecOps lifecycle (or environment) and automate dynamic security policy for new pods at inception, for streamlined CI/CD, faster application delivery and better container security.

  • Illumio ASP dramatically reduces the time required to get security policies downloaded and converged on pods and services within Kubernetes clusters.
  • Illumio ASP allows security teams to pre-create container security policy profiles for easy consumption by DevOps.
  • Profiles are used to assign labels to your containerized assets and define namespace security policy. Pods and services inherit associated security policies dynamically and come online fully secure.
  • DevSecOps teams can confidently deploy applications with pre-defined policies based on security policy profiles in the PCE or derived from the annotations used in the manifest files.
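To make the contrast between static, address-based rules and dynamic, label-based policy concrete, here is an added example that is not Illumio’s product configuration and not part of the original post: two plain Kubernetes NetworkPolicy objects for a hypothetical payments service. The first is the static-IP approach the post warns about; the second selects workloads by label so that the rule follows the pods wherever they are scheduled. The namespace, application labels and addresses are constructed for illustration.

```yaml
# Added example (not Illumio's configuration). Namespace, labels and the
# 10.0.5.17 address are constructed placeholders.
#
# Policy 1: the static approach. Egress is pinned to one pod IP. The moment
# the database pod is rescheduled and gets a new address, this rule silently
# stops matching and either blocks legitimate traffic or, if someone widens
# the CIDR to "fix" it, allows far more than intended.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-api-egress-static
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.5.17/32      # constructed: the db pod's IP "today"
      ports:
        - protocol: TCP
          port: 5432
---
# Policy 2: the dynamic approach. Nothing refers to an address; the policy
# is evaluated against labels, so new pods that carry the labels inherit it
# at creation time and nothing is left behind when pods disappear.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-api-egress
  namespace: payments
spec:
  # Applies to every pod in the namespace carrying these labels.
  podSelector:
    matchLabels:
      app: payments-api
      env: production
  # Listing Egress means all egress not matched below is denied.
  policyTypes:
    - Egress
  egress:
    # Database tier in the same namespace, selected by label.
    - to:
        - podSelector:
            matchLabels:
              app: payments-db
      ports:
        - protocol: TCP
          port: 5432
    # Cluster DNS, so name resolution keeps working under the default deny.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Two caveats a practitioner would check before relying on the second policy: the cluster’s CNI plugin must actually enforce NetworkPolicy (the API object is accepted even where nothing enforces it), and the `kubernetes.io/metadata.name` namespace label is only populated automatically on recent Kubernetes versions, so older clusters need that label applied to `kube-system` by hand.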

Security shouldn’t be the “department of ‘no’” – or worse yet, the “department of ‘I don’t know.’” Deputize your DevOps to automate security in launching new containerized applications, to speed them up without slowing them down.

Ready to learn more? Check out our latest datasheet that covers how Illumio’s ASP extends to containers.
