
Understanding Nexus Container: 5 Technologies You Need for Full Life Cycle Container Security

March 16, 2021 By Alexander Dale

“Containers are changing the data center the same way containers changed global trade.” - Jim Zemlin, Executive Director, Linux Foundation

Today we announced the newest addition to the Nexus Platform, Nexus Container, a solution we’re especially excited to bring to the market and to our customers. Why? Securing containers and Kubernetes deployments from build to run-time requires a holistic approach to defense. Deploying efficiently and safely requires expertise spanning Development, Security, and Operations teams, and Nexus Container provides the key technologies needed not only for vulnerability and compliance scanning, but also for complete run-time container security.

So, what are these “key technologies”? The rest of this post looks at the 5 technologies necessary for full life cycle container security.

Network Packet Inspection

If you want real-time container security, you need insight and protection while events are happening. Vulnerability scanning is essential to container security, but it is only a snapshot in time; comprehensive container security requires real-time visibility. Nexus Container can enforce protection based on application-level (Layer 7) protocols, not just iptables or Layer 3/Layer 4 data, and suspicious activity can be investigated by capturing network sessions and inspecting the packets directly. We can see all network traffic at Layer 7 using the best source of truth: the network itself.

This technology can block unauthorized connections without interrupting the safe, authorized connections the container is already making. This network interception and filtering does not require an agent, sidecar, or image modification.

Auto-Learning & Scaling

Manually creating policies and rules for every environment, application, and update is simply not feasible. Automation is key to saving Dev, Sec, and Ops teams time, and they get that time back with Nexus Container’s ability to automatically generate rulesets and security as code, adapting easily to new and updated behaviors. As new containers with different IPs on different hosts come and go, no rule changes are required.
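The reason rules survive container churn is that they are keyed on workload identity rather than on IP addresses. The following added example, which is not Nexus Container's own code, learns a behavior-based policy from constructed connection records and then applies it after a container has been rescheduled with a new IP; the record format, labels and sample traffic are all assumptions made for the illustration.

```python
# Added illustration, not Nexus Container's own code: a behavior-based policy
# learned from observed traffic and keyed on workload identity rather than IP,
# so rescheduled containers with new IPs need no rule changes. The record
# format, labels and sample traffic are all constructed for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str  # assumed Layer 7 protocol tag, e.g. "http" or "redis"

def learn_policy(conns, inventory):
    """Learn allowed (src_label, dst_label, port, proto) tuples from traffic.
    inventory maps container IP -> workload label (assumed orchestrator data)."""
    rules = set()
    for c in conns:
        src, dst = inventory.get(c.src_ip), inventory.get(c.dst_ip)
        if src is None or dst is None:
            continue  # unknown endpoint: do not learn from it
        rules.add((src, dst, c.dst_port, c.proto))
    return rules

def evaluate(conn, rules, inventory):
    """Return 'allow' or 'block' for a new connection under the current inventory."""
    key = (inventory.get(conn.src_ip), inventory.get(conn.dst_ip), conn.dst_port, conn.proto)
    return "allow" if key in rules else "block"

# Constructed learning-phase traffic: web -> api over HTTP, api -> cache over Redis.
LEARN_INVENTORY = {"10.0.1.5": "web", "10.0.2.7": "api", "10.0.3.9": "cache"}
LEARN_TRAFFIC = [
    Conn("10.0.1.5", "10.0.2.7", 8080, "http"),
    Conn("10.0.2.7", "10.0.3.9", 6379, "redis"),
]
POLICY = learn_policy(LEARN_TRAFFIC, LEARN_INVENTORY)

# After a reschedule the api container has a new IP on another host; the
# learned rules still apply because they reference the label, not the IP.
NEW_INVENTORY = {"10.0.1.5": "web", "10.0.5.21": "api", "10.0.3.9": "cache"}

def demo():
    """Verdicts for (rescheduled web -> api call, unexpected web -> cache connection)."""
    rescheduled = evaluate(Conn("10.0.1.5", "10.0.5.21", 8080, "http"), POLICY, NEW_INVENTORY)
    unexpected = evaluate(Conn("10.0.1.5", "10.0.3.9", 6379, "redis"), POLICY, NEW_INVENTORY)
    return rescheduled, unexpected
```

In a real deployment the inventory is refreshed from the orchestrator as containers are rescheduled, which is what lets the same learned rules keep working across IP changes.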

Network & Orchestration Tool Integration

We all know the importance of having the right integrations for your tools. If you’re invested in container security, you likely have a growing tech stack, and adding an incompatible tool is off the table. On top of this, integrations themselves can make it difficult to keep security policies updated and rules accurately enforced. Nexus Container is network compatible and integrates with popular orchestration tools such as Kubernetes, Docker EE, Rancher, EKS/ECS, Istio and OpenShift.

Container Inspection 

A container needs to be monitored at every stage of its life cycle. Vulnerability scanning at build time, while crucial, only shows what has already happened. Monitoring running containers requires more than examining network activity: you also need run-time vulnerability scanning, file system monitoring, process inspection and privilege escalation detection. These help keep your containers from being compromised by identifying vulnerabilities, assessing the risk of exploitation, and blocking suspicious processes.

Host & Platform Security & Auditing

A building is only as strong as its foundation, and this applies to containers and hosts as well. By monitoring host processes to determine whether a container breakout is about to occur, it is possible to protect the containers before an issue even happens. Similarly, Nexus Container can monitor Kubernetes, Docker system containers, and network connections for potential attacks. The host security settings and Docker daemon can also be audited to determine whether the appropriate settings are applied.

What makes Nexus Container so Powerful?

It goes deeper than other solutions. Nexus Container provides insight and remediation beyond scanning container images for vulnerabilities and compliance issues and using admission controls to block those images from deploying. Its run-time capabilities take Nexus Container further, providing deep and accurate insight into containers that we have yet to see in another solution. Nexus Container’s behavioral inspection can identify all network traffic at Layer 7 and every container process in order to automatically create behavior-based security policies, enforce Data Loss Protection, and prevent zero-day malware and network attacks, tunneling, breaches, and more. We hope you are as excited about Nexus Container as we are! For more information, please visit https://www.sonatype.com/nexus/container.

Tags: Container Security, Product, Nexus Container

Written by Alexander Dale

Alexander is a product manager at Sonatype, focusing on Nexus Container.