Cloud Security Alliance Releases New Research Identifying Challenges in Securing Application Containers and Microservices
Report identifies challenges in securing application containers and microservices through the lens of the developer, operator and architect
The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, recently released the Challenges in Securing Application Containers and Microservices report. Produced by the CSA’s Application Containers and Microservices Working Group, this report examines and prioritizes the challenges that application architects, developers and operators will encounter when designing, deploying and operating secure application containers and microservices. It is the first in a series of reports that will cover best practices to address and help mitigate the challenges for application containers and microservices outlined in this document, as well as delineate a unified standard for microservices architecture.
“Application containers and microservices have specific characteristics that come with distinct security ramifications,” said Anil Karmel, Application Container and Microservices Working Group Co-chair. “By prioritizing various challenges surrounding the securing of application containers and microservices and separating them into use case and feature categories, those involved in the software development lifecycle will be able to make informed security decisions.”
Challenges were scored based on 10 weighted questions as applied against application container and microservices features. The top three challenges surrounding application containers were identified as:
- The use of monitoring and security solutions in multi-tenant hosting environments that do not require root or “privileged” access to the container host. These solutions are specifically designed to expose information from more than one tenant, and their compromise could result in information spillage or system compromise.
- Ensuring trust in host systems that store images and launch containers. The absence of host-hardening processes can result in the compromise of images, runtime environments and stored data.
- Host hardening is an important requirement for secure container hosting, and a challenge exists to ensure that hardening doesn’t interfere with authorized capabilities (e.g., network, storage) of the containers themselves. Hardening that does interfere with those capabilities can result in service availability issues.
The three most critical issues pertaining to microservices challenges were identified as:
- Finding a balance between the costs and benefits of rebuilding a microservice architecture and then orchestrating those microservices. Failing to strike that balance will result in either cost overruns or an application that does not fully benefit from a microservice architecture.
- A container’s lifespan when architecting stateful microservices. Care must be taken to design a microservice that does not lose state when a container is no longer running, since failing to do so can result in data loss.
- Ensuring interoperability when writing or maintaining a microservice that interfaces with several other microservices. Reliable test harnesses are required; without them, availability and performance issues increase as the application is decomposed into microservices.
The Application Containers and Microservices Working Group, co-chaired by Anil Karmel, President of CSA DC Chapter’s Board, and Andrew Wild, industry Chief Information Security Officer, was established with the goal of conducting research on the security of application containers and microservices and publishing guidance and best practices for their secure use.