How to Improve Container Security with John Morello of Twistlock

Kubernetes and containers give developers a fast, portable, and functional way to build and ship software. Because containers share the host operating system's kernel rather than each booting a full OS, they eliminate many operational headaches. Security vulnerabilities, however, have been difficult to manage by hand; proper management and automation tooling helps solve that problem.

To explore the key issues facing container security, we spoke with John Morello, CTO of Twistlock. Twistlock offers a complete, automated, and scalable container security platform, covering full-lifecycle vulnerability and compliance management, runtime defense, cloud native firewalls, and more.

What responsibility do users have when securing containers?

We talk a lot about security ‘shifting left’ with containers and that’s a key operational difference relative to traditional technologies. With containers you’re running the exact same artifact in production that you built in dev and tested in test. Thus, that artifact shouldn’t change after deployment. Traditionally, the ops team would be responsible for security configuration and vulnerability patching in deployment. However, since the dev team creates those artifacts, they’re responsible for those tasks. This increases the importance of security integration tooling early in the development process. Devs see and act on problems before they ever leave their environment.

Is there anything overlooked in container security?

There are a lot of point solutions out there that focus on one aspect of security – for example, only providing vulnerability management. At the same time, there are some existing legacy security vendors starting to add compatibility with containers.

I think both of these miss the big opportunity here. If you’re using a modern security platform that leverages the core characteristics of containers, you can do security that’s more automated, more efficient, more effective, and more complete than traditional solutions. A point solution may do one thing well, but if you have to integrate 4 or 5 of them together, it’s impractical to operationalize. If you have a legacy, heavy, agent-based approach to security that requires lots of manual configuration and rules, you lose a lot of the potential advantage of doing security in a more cloud native way, one that scales along with the apps it protects.

What new threats do you expect as containers grow in popularity?

For the majority, the softest target is still your own apps.  Whether you run those apps in containers or only in VMs, attackers will gravitate towards the path of least resistance.  So, it’s less about what new threats come from containers and more about whether you capitalize on the security advantages containers and a cloud native security platform can provide. Manually creating firewall and IDS rules, or learning about vulnerabilities after deployment, is the wrong approach.

How can Developers stay secure while using a public repository?

Like reusing any public software, be smart about the source (stick with images provided by organizations and projects you trust). Users must integrate security early into the development process (scan for vulnerabilities as part of every build). Also, constantly refresh your baseline and pull the freshest images every time you build your app.
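The three recommendations above (trust the source of your base images, scan every build, and treat the scan as a build-time gate) are the kind of thing that belongs in the CI pipeline rather than in a checklist. The following is an added example, written for this page and not Twistlock code: it parses a Dockerfile's FROM lines, expands Docker's shorthand image names, rejects base images outside an assumed trusted-prefix list, and fails the build when a scanner report contains findings at or above a severity threshold. The Dockerfile, the trusted prefixes, and the JSON report schema (including the placeholder CVE identifiers) are all constructed for the example; a real pipeline would feed it the report your scanner actually produces.

```python
"""CI build gate: trusted base images plus a vulnerability severity threshold.

Added example, not Twistlock's code. Assumptions: the Dockerfile is available as
text, and the scanner emits a JSON report in the constructed schema shown below.
"""
import json
import re

# Assumption for the example: only images under these prefixes are trusted.
TRUSTED_PREFIXES = ("docker.io/library/", "registry.example.internal/")

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Captures the image reference and an optional build-stage alias (FROM x AS y).
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?",
    re.IGNORECASE | re.MULTILINE,
)


def normalize_image_ref(ref):
    """Expand Docker CLI shorthand to a fully qualified reference.

    'alpine:3.19' -> 'docker.io/library/alpine:3.19'
    'acme/app'    -> 'docker.io/acme/app'
    References whose first path component names a registry are unchanged.
    """
    if "/" not in ref:
        return "docker.io/library/" + ref
    first = ref.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return ref
    return "docker.io/" + ref


def base_images(dockerfile):
    """External images a Dockerfile builds FROM, skipping references to earlier
    build stages and the empty 'scratch' image."""
    stages = set()
    images = []
    for ref, alias in FROM_RE.findall(dockerfile):
        if alias:
            stages.add(alias.lower())
        if ref.lower() in stages or ref.lower() == "scratch":
            continue
        images.append(normalize_image_ref(ref))
    return images


def untrusted_images(dockerfile, trusted=TRUSTED_PREFIXES):
    """Base images that do not come from a trusted registry/namespace."""
    return [img for img in base_images(dockerfile) if not img.startswith(trusted)]


def blocking_findings(report, threshold="high"):
    """Findings at or above the threshold. Constructed report schema:
    {"image": str, "findings": [{"cve", "package", "severity", "fixed_in"}]}"""
    floor = SEVERITY_RANK[threshold]
    out = []
    for f in report.get("findings", []):
        if SEVERITY_RANK.get(f["severity"].lower(), 0) >= floor:
            fix = f.get("fixed_in") or "no fix available"
            out.append(f"{f['cve']} in {f['package']} ({f['severity']}, fix: {fix})")
    return out


def build_gate(dockerfile, report, threshold="high"):
    """Return (passed, reasons). Run after build and scan, before the image is pushed."""
    reasons = [f"untrusted base image: {img}" for img in untrusted_images(dockerfile)]
    reasons += [f"vulnerability: {s}" for s in blocking_findings(report, threshold)]
    return (not reasons, reasons)


# Constructed sample input: a multi-stage Dockerfile whose final stage pulls an
# image from an unknown Docker Hub user rather than a trusted namespace.
SAMPLE_DOCKERFILE = """\
FROM golang:1.22 AS builder
WORKDIR /src
COPY . .
RUN go build -o /app ./cmd/app

FROM someuser/minimal-base:latest
COPY --from=builder /app /app
ENTRYPOINT ["/app"]
"""

# Constructed scanner output; the CVE identifiers are placeholders, not real CVEs.
SAMPLE_REPORT = json.loads("""{
  "image": "registry.example.internal/team/app:1.4.2",
  "findings": [
    {"cve": "CVE-EXAMPLE-1", "package": "libexample", "severity": "critical", "fixed_in": "1.2.3"},
    {"cve": "CVE-EXAMPLE-2", "package": "libother", "severity": "low", "fixed_in": null}
  ]
}""")

if __name__ == "__main__":
    ok, why = build_gate(SAMPLE_DOCKERFILE, SAMPLE_REPORT)
    print("PASS" if ok else "FAIL")
    for reason in why:
        print(" -", reason)
```

Run against the sample, the gate fails for two reasons: the final stage's base image is outside the trusted prefixes, and the report carries a critical finding with a fix available. The low-severity finding is reported but does not block at the default threshold; lower the threshold to "low" when you want every finding to fail the build.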

Does speed need to be sacrificed for container security?

No, security ‘agility’ is a key advantage of container security.  Not only can a container security platform like Twistlock run as a container itself (thereby providing specific guaranteed ceilings on resource consumption), but because it can integrate with your CI/CD process the whole workflow is more efficient.  Security shouldn’t be a separate process after development, but instead something that happens automatically in every build. No human being should have to define security policies for protecting containers. Your security platform should learn what’s normal in each version of every app you run and create policies to protect them.
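The last point above, a platform that learns what is normal for each version of every app and derives policy from it, is easiest to see in a small model. What follows is an added example written for this page, not Twistlock's implementation: runtime events (process launches and outbound connections) are constructed dicts keyed by image version; a learning pass builds a per-version allow-list of processes and destination ports, evaluation flags anything outside it, and the learned model can be emitted as a policy. Keying the baseline by image version is the detail the interview stresses: a new build gets its own learning window instead of inheriting rules written for the previous one.

```python
"""Per-image-version runtime baseline learned from observed behaviour.

Added example, not Twistlock's code. Events are constructed dicts of the form
{"image": "<ref>", "process": "<name>", "dst_port": <int or None>}.
"""
from collections import defaultdict


class RuntimeBaseline:
    """Learns an allow-list of processes and outbound ports per image version."""

    def __init__(self):
        self.models = defaultdict(lambda: {"processes": set(), "dst_ports": set()})

    def learn(self, events):
        """Add observed events to the model of the image they came from."""
        for e in events:
            model = self.models[e["image"]]
            model["processes"].add(e["process"])
            if e.get("dst_port") is not None:
                model["dst_ports"].add(e["dst_port"])

    def evaluate(self, event):
        """Return a list of anomaly descriptions; empty means the event conforms."""
        model = self.models.get(event["image"])
        if model is None:
            # A version that was never observed has no baseline yet: it should
            # enter a learning window, not silently inherit another version's rules.
            return [f"no baseline for {event['image']}"]
        anomalies = []
        if event["process"] not in model["processes"]:
            anomalies.append(f"unexpected process {event['process']}")
        port = event.get("dst_port")
        if port is not None and port not in model["dst_ports"]:
            anomalies.append(f"unexpected outbound port {port}")
        return anomalies

    def to_policy(self, image):
        """Emit the learned baseline as an explicit, reviewable allow-list."""
        model = self.models[image]
        return {
            "image": image,
            "allow_processes": sorted(model["processes"]),
            "allow_dst_ports": sorted(model["dst_ports"]),
        }


# Constructed learning-window events for one image version (no real telemetry).
APP_V1 = "registry.example.internal/team/app:1.4.2"
LEARNING_EVENTS = [
    {"image": APP_V1, "process": "app", "dst_port": None},
    {"image": APP_V1, "process": "app", "dst_port": 5432},
    {"image": APP_V1, "process": "app", "dst_port": 443},
]

# Constructed events seen after the learning window closed.
NORMAL_EVENT = {"image": APP_V1, "process": "app", "dst_port": 5432}
SHELL_EVENT = {"image": APP_V1, "process": "sh", "dst_port": None}
EXFIL_EVENT = {"image": APP_V1, "process": "app", "dst_port": 4444}
NEW_VERSION_EVENT = {"image": APP_V1.replace("1.4.2", "1.4.3"), "process": "app", "dst_port": 5432}


def demo():
    """Learn from the constructed window and evaluate the follow-up events."""
    baseline = RuntimeBaseline()
    baseline.learn(LEARNING_EVENTS)
    return {
        "policy": baseline.to_policy(APP_V1),
        "normal": baseline.evaluate(NORMAL_EVENT),
        "shell": baseline.evaluate(SHELL_EVENT),
        "exfil": baseline.evaluate(EXFIL_EVENT),
        "new_version": baseline.evaluate(NEW_VERSION_EVENT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the sample, the database and HTTPS connections made by the application process pass, a shell spawned inside the container and a connection to an unlearned port are both flagged, and the next image version is reported as having no baseline rather than being judged against the old one. In production the learning window would be bounded in time and the emitted policy reviewed before enforcement; the point of the example is that the allow-list is derived from the running app, not typed in by hand.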
