Swift deployment and the increased independence of services have made microservices popular among developers and convenient and approachable for organizations. However, moving from a monolithic architecture to a microservices architecture raises many issues, among which security is the most significant. Applications built on a microservice architecture accommodate thousands of containers, significantly expanding the attack surface. Treating containers as the unit of service also reduces the transparency of applications and their auditability. Introducing security without giving up the benefits of a microservice approach can be challenging. Take security measures for every component of the container technology stack: containers, registries, orchestrators, and the host OS all need firm security coverage. We studied the crucial security challenges faced while adopting microservices, and here we list the industry best practices for securing microservices and containers.
1. Immutable containers
Attackers often exploit the shell access that images provide to inject malicious code. This can be avoided by creating immutable containers. Strict immutability means a running container is never changed in place; it is destroyed and replaced, which is only possible if the microservice keeps no state inside the container. With immutable containers, faulty containers are removed instead of being fixed or upgraded. When establishing the identity of a service, always leverage the vulnerability data from the container image scans.
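As an added example (not code from the article), the check below walks a Kubernetes Pod manifest, already parsed into a dict, and reports every container that is not locked down the way an immutable container should be: a read-only root filesystem, no privilege escalation, all Linux capabilities dropped, a non-root user, no privileged mode, and an image pinned to a digest or a fixed tag. The manifest, registry name and container names are constructed for illustration.

```python
"""Check a Kubernetes Pod spec for the settings that keep a container immutable.

Added example, not code from the article. The pod manifest (already parsed
from YAML into a dict) is constructed; the rules checked are a read-only root
filesystem, no privilege escalation, all Linux capabilities dropped, a
non-root user, no privileged mode, and an image pinned to a digest or fixed tag.
"""

SAMPLE_POD = {  # constructed manifest
    "metadata": {"name": "orders-api"},
    "spec": {
        "containers": [
            {
                "name": "api",
                "image": "registry.example.com/shop/orders-api@sha256:" + "a" * 64,
                "securityContext": {
                    "readOnlyRootFilesystem": True,
                    "allowPrivilegeEscalation": False,
                    "runAsNonRoot": True,
                    "capabilities": {"drop": ["ALL"]},
                },
            },
            {
                "name": "debug-sidecar",
                "image": "registry.example.com/shop/toolbox:latest",
                "securityContext": {"privileged": True},
            },
        ]
    },
}


def image_is_pinned(image: str) -> bool:
    """True when the reference carries a digest or a tag other than latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # strip the registry/repository path
    return ":" in last and not last.endswith(":latest")


def immutability_findings(pod: dict) -> list:
    """Return one finding string per violated rule, per container."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        dropped = {x.upper() for x in (sc.get("capabilities") or {}).get("drop", [])}

        if sc.get("privileged"):
            findings.append(f"{name}: runs privileged")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if sc.get("allowPrivilegeEscalation", True):      # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: may run as root")
        if "ALL" not in dropped:
            findings.append(f"{name}: Linux capabilities not dropped")
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{name}: image not pinned to a digest or fixed tag")
    return findings


if __name__ == "__main__":
    for line in immutability_findings(SAMPLE_POD):
        print(line)
```

Run against the sample, the hardened `api` container produces no findings while the `debug-sidecar` fails every rule; the same function can be wired into an admission webhook or a CI step that rejects manifests with a non-empty result.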
2. Run Images from Trustworthy Sources
Always build a trusted image repository and run images only from this repository. Developers should verify image signatures in their scripts before putting containers into production. When running across multiple cloud environments, use a trustworthy scanning tool.
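The "only from this repository" rule is easiest to enforce mechanically at admission time. The added example below (not code from the article) parses an image reference into registry, repository, tag and digest following the usual Docker convention (a missing registry means `docker.io`, a single-segment name lives under `library/`), then accepts only images from an allowlisted registry that are pinned by digest. The registry names and image references are constructed.

```python
"""Admission-style check: run only images from trusted registries, pinned by digest.

Added example, not from the article. The allowlist and image references are
constructed. Reference grammar: [registry/]repository[:tag][@digest].
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

TRUSTED_REGISTRIES = {"registry.example.com", "mirror.example.com"}  # constructed allowlist
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # The first path segment is a registry only if it looks like a host
    # (contains a dot or a port, or is "localhost"); otherwise the registry is docker.io.
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    colon, last_slash = path.rfind(":"), path.rfind("/")
    if colon > last_slash:            # a colon after the last "/" separates the tag
        path, tag = path[:colon], path[colon + 1:]
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path      # official images live under library/
    return ImageRef(registry, path, tag, digest)


def admission_decision(ref: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a single image reference."""
    img = parse_image_ref(ref)
    if img.registry not in TRUSTED_REGISTRIES:
        return False, f"untrusted registry {img.registry}"
    if img.digest is None:
        return False, "image not pinned by digest"
    if not DIGEST_RE.match(img.digest):
        return False, "malformed digest"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("alpine:3.19",
                      "registry.example.com/team/app:1.2",
                      "registry.example.com/team/app@sha256:" + "0" * 64):
        print(candidate, "->", admission_decision(candidate))
```

Pinning by digest is what makes the allowlist meaningful: a tag can be re-pointed in the registry after the scan, a digest cannot. Signature verification, which the paragraph also calls for, sits on top of this check and is not reproduced here.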
3. Microservice Deployment
Deploy one microservice per host. Grouping the containers of a given microservice on a single host operating system kernel adds a layer of defense, so that an intruder who compromises one group faces obstacles in reaching the others. Automating this placement helps in environments with many hosts.
4. Enhance Security of The Host Operating System
Container-specific host operating systems are stripped of unneeded functionality, so they have a much smaller attack surface than general-purpose hosts. NIST recommends such an OS for microservices, and in every case a platform that allows egress traffic to be regulated by a router or firewall. Following the CIS Docker Benchmark list of checks can help harden the system.
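A few of the CIS Docker Benchmark host checks reduce to inspecting `/etc/docker/daemon.json`. The added example below (not code from the article or from the benchmark itself) reads a daemon configuration and reports the daemon-level settings a hardening review would expect: inter-container traffic on the default bridge disabled, `no-new-privileges` on, live restore on, the userland proxy off, user-namespace remapping enabled, and no insecure registries. The sample configuration is constructed; the key names are real Docker daemon options.

```python
"""Audit Docker daemon settings against a few CIS Docker Benchmark-style checks.

Added example, not from the article or the CIS benchmark. The daemon.json keys
are real Docker options; the sample configuration text is constructed.
"""
import json

# daemon.json key -> (expected value, why it matters)
EXPECTED = {
    "icc": (False, "inter-container traffic on the default bridge should be off"),
    "no-new-privileges": (True, "processes should not gain privileges via setuid/setgid binaries"),
    "live-restore": (True, "containers should survive a daemon restart"),
    "userland-proxy": (False, "the userland proxy adds an unneeded host process per published port"),
}

SAMPLE_DAEMON_JSON = """
{
  "icc": true,
  "live-restore": true,
  "userland-proxy": false,
  "insecure-registries": ["10.0.0.5:5000"],
  "log-driver": "json-file"
}
"""  # constructed


def daemon_findings(config_text: str) -> list:
    """Return one finding per deviation from the expected daemon settings."""
    cfg = json.loads(config_text)
    findings = []
    for key, (want, why) in EXPECTED.items():
        got = cfg.get(key)
        if got != want:
            findings.append(f"{key}={json.dumps(got)} (want {json.dumps(want)}): {why}")
    if cfg.get("insecure-registries"):
        findings.append("insecure-registries is non-empty: pulls may skip TLS verification")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap unset: root in a container is root on the host")
    return findings


def audit_file(path: str = "/etc/docker/daemon.json") -> list:
    """Convenience wrapper for use on a real host (a missing file counts as all defaults)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return daemon_findings(fh.read())
    except FileNotFoundError:
        return daemon_findings("{}")


if __name__ == "__main__":
    for line in daemon_findings(SAMPLE_DAEMON_JSON):
        print(line)
```

The sample config yields four findings; a configuration that sets each expected key, leaves `insecure-registries` empty and enables `userns-remap` yields none. On a real host, `audit_file()` with no arguments reads the daemon's own file.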
5. Follow The Defence In Depth Approach
This approach involves security measures such as refining communication flows, using encryption, and authenticating and authorizing access to microservices. Isolating the internal environment from outside connections is the first layer of defense.
6. Container-native Monitoring Tools
Security scanners and other purpose-built tools are commonly used to detect potential threats to applications. Such tools detect malware and known vulnerabilities, whereas a monitoring tool detects unexpected behaviour. Monitoring tools apply a predefined security policy against which every collected event is examined.
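To make "every collected event is examined against a predefined policy" concrete, the added example below (not code from the article and not tied to any monitoring product) runs a small policy over constructed process-start events recorded inside containers. The policy lists, per image, the executables that service is expected to run; a shell in any container, a process outside the expected list, an image with no policy, and a process running as root are each reported with a severity.

```python
"""Apply a predefined security policy to container runtime events.

Added example, not from the article. The events (process starts observed in
containers), the image names and the policy are all constructed.
"""
from collections import Counter, namedtuple

Alert = namedtuple("Alert", "ts container severity message")

POLICY = {  # constructed: image repository -> executables the service is expected to run
    "shop/orders-api": {"/app/orders-api", "/usr/bin/curl"},
    "shop/payments": {"/app/payments"},
}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}

EVENTS = [  # constructed exec events
    {"ts": "2024-05-01T10:00:00Z", "container": "orders-1", "image": "shop/orders-api", "exe": "/app/orders-api", "user": "app"},
    {"ts": "2024-05-01T10:00:05Z", "container": "orders-1", "image": "shop/orders-api", "exe": "/usr/bin/curl", "user": "app"},
    {"ts": "2024-05-01T10:01:00Z", "container": "payments-2", "image": "shop/payments", "exe": "/bin/sh", "user": "root"},
    {"ts": "2024-05-01T10:01:02Z", "container": "payments-2", "image": "shop/payments", "exe": "/usr/bin/wget", "user": "root"},
    {"ts": "2024-05-01T10:02:00Z", "container": "cache-1", "image": "shop/cache", "exe": "/usr/bin/redis-server", "user": "redis"},
]


def evaluate(events, policy=POLICY):
    """Return the alerts raised by the events, in event order."""
    alerts = []
    for e in events:
        ts, cid, exe = e["ts"], e["container"], e["exe"]
        expected = policy.get(e["image"])
        if exe in SHELLS:
            alerts.append(Alert(ts, cid, "high", f"interactive shell {exe} started"))
        elif expected is None:
            alerts.append(Alert(ts, cid, "medium", f"no policy for image {e['image']}"))
        elif exe not in expected:
            alerts.append(Alert(ts, cid, "high", f"unexpected process {exe}"))
        if e["user"] == "root":                      # independent of the process checks
            alerts.append(Alert(ts, cid, "low", f"{exe} running as root"))
    return alerts


def severity_counts(alerts):
    """Summarise alerts by severity, e.g. for a dashboard or a paging threshold."""
    return Counter(a.severity for a in alerts)


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"{a.ts} {a.container:<12} {a.severity:<6} {a.message}")
    print(dict(severity_counts(evaluate(EVENTS))))
```

The orders containers generate nothing because every process they start is on their list; the payments container trips the shell and unexpected-process rules, and the cache container is flagged only because nobody has written a policy for it yet, which is the kind of coverage gap a monitoring rollout has to surface.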
7. Use orchestration managers
Orchestrators let you manage clusters of containers, separate workloads, limit access to metadata, and collect logs. Most orchestration managers include tools that let developers store and share secret data such as API and SSL certificates, encryption keys, identity tokens, and passwords more securely.
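The orchestrator's secret store only helps if manifests actually use it. The added example below (not code from the article) scans a constructed Kubernetes Pod spec for the three common ways secrets leak out of that store: a secret typed directly into an environment variable, a secret passed on the command line, and a Secret volume mounted writable. A secret injected from the store as an environment variable is reported at info level, since it is still readable through the container's environment.

```python
"""Find secrets handled outside the orchestrator's secret store in a Pod spec.

Added example, not from the article. The manifest, names and values are
constructed; the Kubernetes field names (env, valueFrom.secretKeyRef,
volumes[].secret, volumeMounts[].readOnly) are real.
"""
import re

SECRET_NAME_RE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key", re.I)

SAMPLE_POD = {  # constructed manifest
    "spec": {
        "volumes": [
            {"name": "tls", "secret": {"secretName": "orders-tls"}},
            {"name": "creds", "secret": {"secretName": "db-creds"}},
        ],
        "containers": [
            {
                "name": "api",
                "env": [
                    {"name": "DB_PASSWORD", "value": "hunter2"},
                    {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}},
                    {"name": "LOG_LEVEL", "value": "info"},
                ],
                "volumeMounts": [{"name": "tls", "mountPath": "/etc/tls", "readOnly": True}],
            },
            {
                "name": "worker",
                "args": ["--queue=orders", "--token=abc123"],
                "volumeMounts": [{"name": "creds", "mountPath": "/run/creds"}],
            },
        ],
    }
}


def secret_handling_findings(pod: dict) -> list:
    """Return (severity, message) pairs for secrets handled outside the secret store."""
    spec = pod["spec"]
    secret_volumes = {v["name"] for v in spec.get("volumes", []) if "secret" in v}
    findings = []
    for c in spec.get("containers", []):
        cname = c["name"]
        for env in c.get("env", []):
            if not SECRET_NAME_RE.search(env["name"]):
                continue                      # LOG_LEVEL and friends are fine as literals
            if "value" in env:
                findings.append(("high", f"{cname}: {env['name']} is a literal value in the manifest"))
            elif "secretKeyRef" in env.get("valueFrom", {}):
                findings.append(("info", f"{cname}: {env['name']} comes from a Secret but is exposed as an environment variable"))
        for arg in c.get("command", []) + c.get("args", []):
            if "=" in arg and SECRET_NAME_RE.search(arg.split("=", 1)[0]):
                findings.append(("high", f"{cname}: secret-looking value on the command line: {arg.split('=', 1)[0]}=..."))
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_volumes and not m.get("readOnly"):
                findings.append(("medium", f"{cname}: Secret volume {m['name']} mounted writable"))
    return findings


if __name__ == "__main__":
    for sev, msg in secret_handling_findings(SAMPLE_POD):
        print(f"[{sev}] {msg}")
```

The literal `DB_PASSWORD` and the `--token=` argument are the findings that matter: both end up in version control and in `ps` output or the API server's stored object, outside anything the orchestrator's secret tooling protects.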
8. Automated Security Testing
Integrating efficient automated security tests into the system helps you discover issues in time and act accordingly. Multiple tools on the market provide dynamic and static application security testing. Scanners like JFrog Xray and Black Duck Hub offer real-time test monitoring. Such tools automatically test containers throughout the build or CI process to ensure maximum assurance.
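Whatever scanner produces the findings, the CI step that acts on them is a small policy decision. The added example below (not code from the article, and not the report format of JFrog Xray, Black Duck or any other product) gates a build on a constructed scan report: any CRITICAL finding blocks, a HIGH finding blocks only when a fixed package version exists, and a time-limited exception list lets a team waive a specific finding until a stated date. The vulnerability identifiers are placeholders.

```python
"""Break the build on a container image scan report.

Added example, not from the article and not any scanner's native format. The
report, the image reference, the placeholder CVE ids and the exception list
are constructed.
"""
import sys
from datetime import date

SCAN_REPORT = {  # constructed
    "image": "registry.example.com/shop/orders-api@sha256:" + "b" * 64,
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "severity": "CRITICAL", "package": "openssl", "installed": "3.0.1", "fixed": "3.0.2"},
        {"id": "CVE-EXAMPLE-0002", "severity": "HIGH", "package": "curl", "installed": "8.1.0", "fixed": None},
        {"id": "CVE-EXAMPLE-0003", "severity": "HIGH", "package": "zlib", "installed": "1.2.11", "fixed": "1.2.13"},
        {"id": "CVE-EXAMPLE-0004", "severity": "MEDIUM", "package": "busybox", "installed": "1.36", "fixed": "1.36.1"},
    ],
}

# constructed: finding id -> date until which it is accepted (tracked in the repo, reviewed on expiry)
EXCEPTIONS = {"CVE-EXAMPLE-0003": date(2024, 12, 31)}


def gate(report: dict, exceptions: dict = EXCEPTIONS, today: date = date(2024, 6, 1)) -> dict:
    """Decide whether the image may ship; returns the blocking and waived finding ids."""
    blocking, waived = [], []
    for v in report.get("vulnerabilities", []):
        sev = v["severity"].upper()
        must_fix = sev == "CRITICAL" or (sev == "HIGH" and bool(v.get("fixed")))
        if not must_fix:
            continue                       # HIGH with no fix is reported, not blocking
        expiry = exceptions.get(v["id"])
        if expiry is not None and today <= expiry:
            waived.append(v["id"])
        else:
            blocking.append(v["id"])
    return {"pass": not blocking, "blocking": blocking, "waived": waived}


def main() -> int:
    result = gate(SCAN_REPORT)
    print(f"image: {SCAN_REPORT['image']}")
    print(f"blocking: {result['blocking']}  waived: {result['waived']}")
    return 0 if result["pass"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

The exit code is what the pipeline consumes. Expired exceptions turn back into blocking findings on their own, so a waiver cannot silently become permanent.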
Reference Articles:
- NIST Special Publication 800-180, NIST Definition of Microservices, Application Containers and System Virtual Machines
- NIST Special Publication 800-190, Application Container Security Guide
- NISTIR 8176, Security Assurance Requirements for Linux Application Container Deployments
- DWP Security Policies and Standards, Security Standard – Microservices Architecture (SS-028)