Understanding Sonatype Container: Five technologies you need for full life cycle container security

March 16, 2021 By Alexander Dale

3 minute read time

"Containers are changing the data center the same way containers changed global trade." – Jim Zemlin, Executive Director, Linux Foundation

Today, we announced the newest addition to the Sonatype Platform - Sonatype Container - a solution we're especially excited about bringing to the market and our customers. Why? We all know that securing containers and Kubernetes deployments from build to run-time requires a holistic approach to defense. Deploying efficiently and safely requires expertise spanning Development, Security, and Operations teams, and Sonatype Container provides the key technologies needed not only for vulnerability and compliance scanning, but also for complete run-time container security.

So, what are these "key technologies?" The rest of the blog will delve deeper into five technologies necessary for full life cycle container security.

Network packet inspection

If you want real-time container security, you need insights and protections as events are happening. Vulnerability scanning is essential, but it is only a snapshot in time; comprehensive container security also requires real-time visibility. Sonatype Container can enforce policy on application-level (Layer 7) protocols rather than only on the Layer 3/Layer 4 addresses and ports that iptables rules see, and suspicious activity can be investigated by capturing network sessions and inspecting the packets directly. All traffic is observed at Layer 7 using the best source of truth available: the network itself.

This technology can block unauthorized connections while allowing the container's safe, authorized connections to continue. This network interception and filtering does not require an agent inside the container, a sidecar, or any modification of the image.

Auto-learning and scaling

Manually writing policy and rules for every environment, application, and update is not feasible. Automation is what gives Dev, Sec, and Ops teams their time back, and Sonatype Container can automatically generate rulesets and express them as security as code, adapting to new and updated behaviors. Because rules are tied to workload identity rather than addresses, new containers with different IPs on different hosts can come and go without any policy changes.
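To make the behavior-learning idea in the two sections above concrete, here is an added example (not Sonatype Container code, and not any format the product uses) that learns an allowlist from telemetry observed during a learning window and then enforces it. The event records, the service names (web, api, db) and the rule syntax are all constructed for illustration. Note that a connection to a learned destination and port but with an unexpected Layer 7 protocol is still denied, which is the point of inspecting above Layer 4, and that policy keys on the service, not the container IP.

```python
"""Behavior-based policy learning and enforcement (illustrative example).

Each event is a dict tagged with the service ("svc") it came from and is
either a connection ("conn": destination service, port, Layer 7 protocol)
or a process start ("proc": process name). The format is invented here.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed telemetry for the learning window. In a real deployment these
# would come from packet inspection (conn) and process monitoring (proc).
LEARN_EVENTS = [
    {"svc": "web", "kind": "conn", "dst": "api", "port": 8080, "l7": "HTTP"},
    {"svc": "web", "kind": "conn", "dst": "api", "port": 8080, "l7": "HTTP"},
    {"svc": "api", "kind": "conn", "dst": "db", "port": 5432, "l7": "PostgreSQL"},
    {"svc": "web", "kind": "proc", "name": "nginx"},
    {"svc": "api", "kind": "proc", "name": "python3"},
]


@dataclass
class ServicePolicy:
    egress: set = field(default_factory=set)     # {(dst_service, port, l7_protocol)}
    processes: set = field(default_factory=set)  # {process_name}


def learn_policy(events):
    """Build a per-service allowlist from everything seen while learning."""
    policy = defaultdict(ServicePolicy)
    for ev in events:
        p = policy[ev["svc"]]
        if ev["kind"] == "conn":
            p.egress.add((ev["dst"], ev["port"], ev["l7"]))
        elif ev["kind"] == "proc":
            p.processes.add(ev["name"])
        else:
            raise ValueError(f"unknown event kind {ev['kind']!r}")
    return dict(policy)


def evaluate(policy, ev):
    """Return (verdict, reason) for an event observed while enforcing."""
    p = policy.get(ev["svc"])
    if p is None:
        return ("deny", f"no learned policy for service {ev['svc']!r}")
    if ev["kind"] == "conn":
        key = (ev["dst"], ev["port"], ev["l7"])
        if key in p.egress:
            return ("allow", "matches learned egress rule")
        # Same destination and port as a learned rule, but a different L7
        # protocol: an L3/L4-only filter would have let this through.
        if any(d == ev["dst"] and port == ev["port"] for d, port, _ in p.egress):
            return ("deny", f"unexpected L7 protocol {ev['l7']} to {ev['dst']}:{ev['port']}")
        return ("deny", f"unlearned connection to {ev['dst']}:{ev['port']}")
    if ev["kind"] == "proc":
        if ev["name"] in p.processes:
            return ("allow", "process in learned baseline")
        return ("deny", f"unlearned process {ev['name']!r}")
    return ("deny", f"unknown event kind {ev['kind']!r}")


def policy_as_rules(policy):
    """Render the learned policy as plain rule lines (security as code)."""
    lines = []
    for svc in sorted(policy):
        p = policy[svc]
        for dst, port, l7 in sorted(p.egress):
            lines.append(f"allow conn from {svc} to {dst} port {port} proto {l7}")
        for name in sorted(p.processes):
            lines.append(f"allow proc {svc} {name}")
    return lines


if __name__ == "__main__":
    learned = learn_policy(LEARN_EVENTS)
    print("\n".join(policy_as_rules(learned)))
    for ev in [
        {"svc": "web", "kind": "conn", "dst": "db", "port": 5432, "l7": "PostgreSQL"},
        {"svc": "api", "kind": "conn", "dst": "db", "port": 5432, "l7": "HTTP"},
        {"svc": "web", "kind": "proc", "name": "sh"},
    ]:
        print(ev, "->", evaluate(learned, ev))
```

The learning window must be trusted: anything observed while learning becomes allowed, so it should run on a known-good build in a controlled environment, and the generated rules should be reviewed and versioned like any other code before being enforced.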

Network and orchestration tool integration

We all know the importance of having the right integrations for your tools. If you're invested in container security, you likely have a growing tech stack, and adding a tool that doesn't fit into it is off the table. Poorly integrated tools also make it harder to keep security policies current and accurately enforced. Sonatype Container works with existing container networking and integrates with popular orchestration platforms such as Kubernetes, Docker EE, Rancher, EKS/ECS, Istio and OpenShift.

Container inspection

A container needs to be monitored at every stage of its life cycle. Vulnerability scanning at build time, while crucial, only tells you what was true when the image was built. Monitoring running containers requires more than examining network activity: you also need run-time vulnerability scanning, file system monitoring, process inspection and privilege escalation detection. Together these help keep containers from being compromised by identifying vulnerabilities, assessing the risk that they are exploitable, and blocking suspicious processes.

Host and platform security and auditing

A building is only as strong as its foundation, and the same applies to containers and their hosts. By monitoring host processes for signs that a container breakout is under way, it is possible to protect the other containers before an issue occurs. Similarly, Sonatype Container can monitor Kubernetes components, Docker system containers, and their network connections for potential attacks. The host security settings and the Docker daemon configuration can also be audited to confirm that the appropriate settings are applied.
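As an added illustration of what such a daemon configuration audit checks (this is example code written for this page, not Sonatype Container's audit, and the list of checks is a small assumed subset of common hardening recommendations rather than anything the product publishes), the script below reads a `daemon.json` and reports settings that differ from the expected hardened values. The two sample configurations are constructed for the example.

```python
"""Audit a Docker daemon.json against a few well-known hardening settings.

Illustrative example only. The expectations below are an assumed subset of
common recommendations (disable inter-container communication on the default
bridge, enable user namespace remapping, keep containers running across
daemon restarts, deny privilege gain via setuid binaries, disable the
userland proxy, and never expose a TCP listener without TLS verification).
"""
import json

# key -> expected value; userns-remap is handled separately (any value is ok)
EXPECTED = {
    "icc": False,
    "live-restore": True,
    "no-new-privileges": True,
    "userland-proxy": False,
}


def audit_daemon_config(raw_json):
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = json.loads(raw_json)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap: not configured")
    # A tcp:// listener without tlsverify exposes the daemon API (effectively
    # root on the host) to anyone who can reach the port.
    hosts = cfg.get("hosts", [])
    if any(h.startswith("tcp://") for h in hosts) and not cfg.get("tlsverify"):
        findings.append("hosts: TCP listener configured without tlsverify")
    return findings


# Constructed sample configurations.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "icc": True,
})

HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "icc": False,
    "userns-remap": "default",
    "live-restore": True,
    "no-new-privileges": True,
    "userland-proxy": False,
})


if __name__ == "__main__":
    for label, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        findings = audit_daemon_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Settings that are absent from `daemon.json` fall back to dockerd defaults, which is why a missing key is reported rather than silently passed; an audit that only checks keys that are present would miss the most common misconfiguration, which is not setting anything at all.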

What makes Sonatype Container so powerful?

It goes deeper than other solutions. Sonatype Container provides insight and remediation beyond scanning container images for vulnerabilities and compliance issues and using admission controls to block those images from deploying. Its run-time capabilities add deep, accurate insight into running containers that we have yet to see in another solution.

Sonatype Container's behavioral inspection identifies all network traffic at Layer 7 and every container process, and uses that to automatically create behavior-based security policies, enforce Data Loss Prevention, and prevent zero-day malware, network attacks, tunneling, and breaches. We hope you are as excited about Sonatype Container as we are!

Tags: Container Security, Product

Written by Alexander Dale

Alexander is a product manager at Sonatype, focusing on Nexus Container.