An effective container security strategy consists of many parts. Organizations should first secure the build environment using secure code control along with build tools and controllers. Next, they should secure the contents of their containers using container validation, code analysis and security unit tests. Finally, they should develop a plan to protect their containers in production systems by focusing on runtime security, platform security and orchestration manager security.
But container security doesn’t end there. An effective security program also includes two other items: monitoring and auditing.
All the container security processes mentioned above employ preventative security controls. These measures address known attack vectors with well-understood responses like vulnerability scans and encryption. But those and other security practices can only go so far, for they are designed to solve known issues. To catch what those controls were not designed for, organizations can turn to monitoring to discover the unexpected, track events in the environment and detect what’s broken.
Most monitoring tools begin by collecting events like requests for hardware resources and IP-based communication. They then examine those events relative to the organization’s security policies. To this end, it’s best to use a monitoring solution that combines deterministic whitelist and blacklist policies with dynamic behavior detection. This gives organizations the best of both worlds, allowing them to detect simple policy violations and unexpected variations.
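The sketch below is an added example, not code from the original post or from any monitoring product. It shows how deterministic list checks and a learned behavior baseline can be applied to the same event stream. The event fields, image name, policy lists and addresses are all constructed assumptions.

```python
from collections import defaultdict

# Constructed policy (assumption): deterministic lists an operator writes by hand.
DENY_DESTS = {"198.51.100.7"}            # blacklist: destinations no container may reach
ALLOW_PROCS = {"web": {"nginx", "sh"}}   # whitelist: processes each image may start

def learn_baseline(events):
    """Record the (process, destination) pairs each image used in a trusted period."""
    seen = defaultdict(set)
    for e in events:
        seen[e["image"]].add((e["proc"], e["dest"]))
    return seen

def evaluate(event, baseline):
    """Return findings for one event; an empty list means nothing to report."""
    findings = []
    # Deterministic checks: simple policy violations.
    if event["dest"] in DENY_DESTS:
        findings.append("blacklist: destination")
    allowed = ALLOW_PROCS.get(event["image"])
    if allowed is not None and event["proc"] not in allowed:
        findings.append("whitelist: process")
    # Dynamic check: the event passes every list but was never seen in the baseline.
    pair = (event["proc"], event["dest"])
    if not findings and pair not in baseline.get(event["image"], set()):
        findings.append("behavior: new process/destination pair")
    return findings

# Constructed sample events (not real telemetry).
BASELINE_EVENTS = [{"image": "web", "proc": "nginx", "dest": "10.0.0.5"}]
OBSERVED = [
    {"image": "web", "proc": "nginx", "dest": "10.0.0.5"},      # normal
    {"image": "web", "proc": "nginx", "dest": "198.51.100.7"},  # blacklisted destination
    {"image": "web", "proc": "nc", "dest": "10.0.0.5"},         # process not whitelisted
    {"image": "web", "proc": "sh", "dest": "203.0.113.9"},      # allowed, but unexpected
]

def run():
    """Evaluate every observed event against the lists and the learned baseline."""
    baseline = learn_baseline(BASELINE_EVENTS)
    return [evaluate(e, baseline) for e in OBSERVED]

if __name__ == "__main__":
    for event, findings in zip(OBSERVED, run()):
        print(event, "->", findings or "ok")
```

The last event is the one the lists alone would miss: it violates no written rule and is reported only because it departs from the baseline.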
For organizations to evaluate a monitoring tool, they should look to the following criteria:
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/devops/clarifying-the-misconceptions-monitoring-and-auditing-for-container-security/