Our Reports

Next-Generation Cybersecurity: Containers and Orchestrators

Published on: May 14, 2019

Author: Johna Till Johnson, Founder & CEO

Developers are increasingly moving towards a coding paradigm based on DevOps and Agile methodologies and relying on public and private cloud infrastructure. This DevOps/cloud paradigm in turn is based on the software constructs of containers (self-contained application environments like Docker) and orchestrators (the container-management and administration engines like Kubernetes).

Containers with associated orchestrators offer many benefits, including streamlining application build, deployment, and shipping processes; enabling faster and more effective testing; reducing infrastructure costs by enabling greater application density; improving portability; and writing code that more closely aligns with business requirements.

However, containers and orchestrators also introduce new potential cybersecurity vulnerabilities. Many of these vulnerabilities—such as privileged-account compromises, unauthorized access, and man-in-the-middle attacks—are familiar to most cybersecurity professionals. These fundamental vulnerabilities have simply been transposed to a containers/orchestrators environment. As with the majority of vulnerabilities, remediation is a matter of implementing the appropriate technology and configuration safeguards.

The challenge to cybersecurity professionals is that for many, software development is unfamiliar terrain. Even if they have solid coding chops (and most cybersecurity professionals don’t), software development hasn’t been a primary area of focus for the
cybersecurity team. Moreover, when containers were first introduced, the general perception was that they were “secure by nature,” and therefore would require very little cybersecurity overhead.

Making matters worse, most senior managers thought until recently that container/orchestrator security was a solved problem, even as their teams were aware it wasn’t. The recent spate of Kubernetes vulnerabilities has showcased the need for a cybersecurity initiative focused on containers and orchestrators.

This report brings cybersecurity professionals quickly up to speed in the fundamental concepts underlying containers and orchestrators, highlights some of the key vulnerabilities, and provides an overview of recommended fixes, including the tried-and-true trio of people, process, and technology.

Table of Contents
  • Executive Summary
  • The Container Revolution
    • What is A Container?
    • Containers and the SDLC
    • Container Orchestration: Kubernetes
      • Cluster
      • Pods
      • Node
      • Scheduler
      • Controllers
      • Controller manager
      • Services
      • Management and configuration components
    • Container and Orchestrator Benefits
  • So What’s the Problem? Container and Orchestrator Risks
    • Container Cybersecurity Risks
      • Container image vulnerabilities
      • Container registry vulnerabilities
    • Orchestrator Cybersecurity Risks
      • Unbounded administrative access
      • API access
      • Inter-container network traffic opacity
      • Orchestrator node trust
  • Solutions: Technology Providers
  • Solutions: Best Practices
    • Organization
    • Processes
  • Conclusion

You are currently viewing a preview of this content. Nemertes Clients, please log in for full access to all research content. If you are not a client, please click below to purchase access to this research report. We also invite you to become a client.


Purchase Access