Securing Your Containers Isn’t Enough? How to Encrypt Containerized Data
Everyone tries to create a trusted environment, but if your data is compromised, nobody cares that the container itself is secure. One way to prevent this problem is by encrypting your data, but encrypting data in containers is very different from encrypting data in other environments. Fortunately, you have options.
A container is a way of packaging a given application’s code and dependencies so that the application will run easily in any computing environment. This solves the common problem of portability — or, more precisely, the lack thereof. Applications are built and tested against specific language, runtime, package, and library versions. Containers solve the portability problem by isolating the application and its dependencies so they can be moved seamlessly between machines. A process running in a container is isolated from the underlying environment: you control what it can see and which resources it can access. This lets you use resources more efficiently without worrying about the underlying infrastructure.
When containers aren’t integrated into your security program, you’re leaving the door open to hackers and other problems. A major dependency for the success of container technology is securing containers over the various phases of their lifecycle.
The most common security incidents stem from improperly configured containerized environments that allow attackers to install malicious software on a single container and then spread it from that container to all other containers within the infrastructure. The malicious software then takes over the entire container infrastructure and has unrestricted access to containers and data. While tools such as intrusion detection and container image integrity scanners would help alert admins to the breach, these tools would not protect the data itself from compromise. This emphasizes the need for data-at-rest encryption.
One security concern with containers is whether individual containers contain vulnerabilities. To identify them, DevOps pipelines for building containers have been extended with scanners that search container images for packages with known vulnerabilities and alert their owners or maintainers when one is found.