Container Security

Container Security Report by Gartner Highlights Maturing Options for Securing the CI/CD Pipeline

Gartner recently released a Technical Professional Advice report titled Container Security — From Image Analysis to Network Segmentation, Options Are Maturing* (by Joerg Fritsch, 28 August 2018, ID: G00366118), with what we believe is the most comprehensive overview of container security to date.

In this report Mr. Fritsch identifies 11 threat vectors in an automated deployment process, and provides a framework for planning security controls for containers. One of the key recommendations, for technical professionals involved with application and data security or cloud security, in the report is to “Secure containers holistically through integrating controls at key steps in the CI/CD pipeline.” We’ll talk about how NeuVector can provide this end-to-end security below. Another recommendation related to network security is to “Add Layer 7 network segmentation for operational containers that require defense in depth.” NeuVector believes that any business critical, financial, or compliance driven container deployment should require the defense in depth referred to here.

We’re pleased to see NeuVector mentioned in this report in the Generalized Container Security Products and Network Security Products category. In addition to the network security features mentioned in the report, NeuVector is also listed as having many of the other features required for securing the CI/CD pipeline for end-to-end container security, categorized as Pervasive Container Security by Gartner.

Integrated, Automated Security for the CI/CD Pipeline

For any business critical microservices or application containers, it’s critical to build in defense in depth, from the Build to Ship to Run phases of the CI/CD pipeline. The NeuVector 2.0 release earlier this year expanded our container security platform to provide end-to-end vulnerability and compliance testing as well as security automation throughout the lifecycle.

With a Jenkins plug-in and integrated registry scanning, NeuVector can detect potential vulnerabilities during the build phase to prevent vulnerable images from being deployed to production, automatically. This complements the CIS benchmarks for Docker and Kubernetes security and run-time vulnerability scanning capabilities in NeuVector. We also help security and operations teams ‘close the loop’ on security incidents with automated response rules and integration with enterprise platforms such as Red Hat OpenShift to make sure run-time vulnerabilities, threats, and exploits can be immediately addressed.

Layer 7 Network Segmentation

It’s critical to be able to monitor, visualized, and protect network traffic between containers (aka East-West traffic) as well as ingress/egress to non-containerized workloads. This is the bread and butter of the NeuVector patented core technology, which offers unique, cloud-native Layer 7 firewall features as well as practical networking tools such as container packet capture to assist security teams. As a first step for defense in depth during run-time, NeuVector customer Jon Deeming, VP at Experian says:

“I recommend that you take a serious look at what’s running inside your container network.”

In addition to container network security, NeuVector also monitors container and host processes and file system activity to detect potential exploits. This puts NeuVector in a unique position to be able to detect an attack ‘kill-chain‘ from multiple threat vectors including network, container, and host.

Security Options Will Continue to Mature – From Platform Features to Specialized Tools

As the Gartner report indicates, “there is plenty of choice in container security tools. Container security products and options are maturing.” Security features will continue to mature going forward, from independent security companies like NeuVector and from platforms and orchestration tools such as Red Hat OpenShift, Rancher, Docker EE, AWS, Azure, Google Cloud, IBM Cloud and Alibaba Cloud. Many of the platform and orchestration tool vendors have already added security features such as image scanning, secrets management, and admission controls which can obsolete investments in separate tools.

NeuVector has chosen to work with the platform and orchestration tool vendors to complement and extend their security features to the run-time environment, integrating tightly with such technologies. Specialized security technology focused on network security, threat detection, and other run-time protections will always be needed for defense in depth, and NeuVector is committed to continuing to lead in protecting container networks and run-time deployments from attacks.

Together with our partners, NeuVector enables enterprises to deploy Kubernetes and Docker containers with confidence.

* The Technical Professional Advice report is now available to Gartner clients with the appropriate subscription on the Gartner website.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


About the Author

Glen is VP Marketing & Product Management at NeuVector.
Glen has over 20 years of experience in enterprise security, marketing SaaS, and infrastructure software. He has held executive management positions at Trend Micro, Provilla, Reactivity, Quantum and Rignite.

NeuVector, the leader in Container Network Security, delivers highly integrated, automated security for Kubernetes and OpenShift, and is the only next generation container firewall with packet-level interrogation and enforcement.

By Glen Kosaka |No Comments