Leadership Compass

Container Security

This report is an overview of the market for Container Security solutions and provides you with a compass to help you to find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to securing container-based application architectures.

Alexei Balaganski


1 Introduction / Executive Summary

In less than a decade, containers have undergone an impressive evolution: from a lightweight virtualization technology to the de facto standard for software distribution to a powerful underlying platform for complex and distributed applications. For many organizations, container orchestration platforms like Kubernetes serve as a universal foundation for deployment, scaling, and management of applications that works consistently across on-premises and multi-cloud environments.

The growing demand for new software architectures has given rise to microservices that allow businesses to develop and deploy their applications in a much more flexible, scalable, and convenient way - across multiple programming languages, frameworks, and platforms. Microservices, containers, and Kubernetes have quickly become synonymous with modern DevOps methodologies, continuous delivery, and deployment automation and are generally praised as a breakthrough in developing and managing cloud-native applications and services.

Unfortunately, this massive change in infrastructure and the major increase in overall complexity (although much of it is hidden from developers thanks to multiple layers of abstraction and convenient tools) have introduced numerous new risks and security challenges, as well as a need for new skills to mitigate them efficiently.

Initial attempts to repurpose existing security tools for protecting containerized and microservice-based applications have quickly proven to be inadequate due to their inability to adapt to the scale and ephemeral nature of containers. Static security products that focus on identifying vulnerabilities and malware in container images, while serving a useful purpose, do not address the full range of potential risks.

The need to secure containerized applications at every layer of the underlying infrastructure (from bare-metal hardware to the network to the control plane of the orchestration platform itself) and at every stage of the development lifecycle (from coding and testing to deployment and operations) essentially means that container security has to cover the whole spectrum of cybersecurity and then some.

Figure 11: The true scope of container security

This is why for this Leadership Compass, we have decided to focus primarily on the universal container and Kubernetes security platforms, which aim to analyze, monitor, assess, and mitigate risks along the full lifecycle of application containers - starting with developing, testing, and hardening container images to runtime monitoring and threat detection to responding to identified security incidents. At the same time, we expect container security solutions to expand their coverage to multiple layers of infrastructure including hardware, host OS, virtualization, and networking layers.

1.1 Highlights

  • In less than a decade, containers have quickly evolved from a simple idea of packaging software for distribution into a universal platform for automating application deployment, scaling, and management.
  • Docker containers and the Kubernetes orchestration platform have emerged as the most popular standard for developing, packaging, and running modern cloud-native, loosely coupled, highly scalable application architectures across multi-cloud and hybrid environments.
  • Universal adoption of containerized architectures has fundamentally changed the ways of collaboration between developers, operations, and security teams, enabling new cloud-native and hybrid DevOps use cases, but bringing new risks and threat vectors as well.
  • Repurposing existing cybersecurity tools for the sheer scale and ephemeral nature of modern container platforms is a challenging task for vendors, and these tools are not suited to address the container-specific risks such as securing Kubernetes clusters and registries.
  • At various stages of the container lifecycle, different stakeholders are responsible for securing specific parts of container infrastructures, thus creating the potential for additional friction and miscommunication between teams. Removing this friction is one of the primary goals of modern container security solutions.
  • The market for specialized container security solutions is growing rapidly with large public cloud providers, large veteran security vendors, and innovative startups offering competing solutions targeted towards customers of different sizes and from various industries. As with many other cybersecurity markets, this segment is undergoing active consolidation, with large vendors acquiring specialized solution providers and integrating their tech into full-range security platforms.
  • Both small and fully cloud-native software development teams and large organizations with massive on-prem or hybrid infrastructures can find the solutions most appropriate for their needs: from fully managed natively integrated security controls in container orchestration services to universal, flexible, and open enterprise-grade platforms.
  • The overall leaders in the Container Security market are (in alphabetical order): Aqua Security, Lacework, Palo Alto Networks, Red Hat, SUSE NeuVector, Sysdig, and VMware.

1.2 Market Segment

Containers are standardized units of software that package application code and all required dependencies into portable images that can be seamlessly deployed in various environments. A container image includes everything an application needs to run - a runtime environment, system libraries and tools, and settings. A single container image can be easily shared between multiple execution environments, as well as instantiated multiple times to support scalability, high availability, and support for hybrid and multi-cloud deployments.

Originally a lightweight form of virtualization, containers have emerged as a more resource-efficient alternative to virtual machines. However, they have quickly become the de facto standard for packaging and deploying applications across heterogeneous infrastructures without any modification. For developers, this creates the opportunity to develop and test their applications as single units that are guaranteed to work the same way across all development and production environments. For operations teams, container orchestration platforms greatly simplify the deployment of complex, loosely coupled applications, both on-prem and in every cloud.

Modern container orchestration platforms build upon this foundation to provide a broad range of additional services that help automate scalability and high availability configurations and provide rich run-time management and analytics capabilities. Kubernetes has emerged as the universally accepted standard for container orchestration; it abstracts and hides the complexity of resource management across computing clusters and incorporates functions like service discovery, load balancing, runtime monitoring, etc. A number of management APIs allow a rich ecosystem of third-party tools and services to integrate with the platform.

All these capabilities have made containers and container orchestration the preferred choice for organizations around the world to develop, distribute and operate their applications at scale. However, the hidden complexity of these multilayer technology stacks has inevitably introduced new risks that have to be assessed and mitigated.

What further differentiates container security as a discipline within the larger scope of cybersecurity is that it spans multiple organizational units and teams, which often have conflicting goals and requirements. Application developers, infrastructure operations teams, cloud engineers, security analysts and incident response units, even auditors and legal experts: at different stages of the container lifecycle, each of them has a say in how exactly a container should be created, inspected, run, monitored, and protected from various risks.

Figure 12: Just some of the risks containers are subjected to

The primary challenge for vendors creating container security solutions is therefore not coming up with groundbreaking detection or protection technologies, but rather making sure that all these numerous technologies can operate together, fully automated and at cloud scale, taking into account the ephemeral and stateless nature of containers that differentiates them from traditional endpoints.

Also, whether these solutions are delivered as tightly integrated packages or as suites of loosely coupled individual tools, a key success factor for them is the ability to correlate security findings across environments, architectural layers, and, ideally, third-party integrations that provide additional context for security analysts.

For this Leadership Compass, we are looking for solutions that implement capabilities from one or more of the following functional areas:

  • Container image security
  • Container registry security
  • Orchestration platform security
  • Runtime container monitoring
  • Threat mitigation and incident management
  • Audit and compliance

However, we explicitly exclude traditional security products repurposed or extended to provide additional services for containerized architectures, such as general-purpose vulnerability scanners or network security tools. Also, to avoid potential overlaps with other published or planned Leadership Compasses, we are not addressing such capabilities as API security or tools specifically designed for securing microservices, even though we recognize that such capabilities can be integral to container security platforms as well.

1.3 Delivery Models

The very nature of container-based architectures implies that containers can be found on any platform and in any IT environment - from fully on-prem deployments running on bare-metal hardware to fully managed "serverless" platforms operated by public cloud providers. Various business, technical or regulatory requirements can force organizations to choose different deployment options on a per-project basis, leading to the need to operate, monitor, and secure complex hybrid infrastructures.

Smaller companies that have selected a fully managed serverless container orchestration service from a public cloud provider might have radically different requirements and expertise in their DevOps teams as compared to large enterprises with complex hybrid and multi-cloud application deployments.

Accordingly, container security solutions' delivery options might vary from fully managed SaaS offerings already integrated directly into container orchestration services to flexible vendor-agnostic platforms that require substantial deployment efforts to integrate across multiple heterogeneous environments.

However, since modern container security solutions are themselves usually container-based, their deployment can be much quicker and more efficient than traditional on-prem software, which makes the whole issue somewhat less of a dichotomy than for many other areas of cybersecurity.

Still, companies looking for the solution most appropriate for their container projects should carefully consider both the specific protection, detection, and response capabilities and general aspects like scalability and flexibility, interoperability with existing security tools and third-party solutions, the degree of automation and intelligent decision support, etc.

1.4 Required Capabilities

As mentioned above, the scope of security solutions for containers and container orchestration platforms essentially encompasses nearly every area of cybersecurity - from endpoints (host systems) to network-level and cloud-specific threats to application-level issues - as well as new risks specific to the orchestration platforms themselves and to container image registries.

Some of these attack surfaces can already be protected with existing security tools utilized by different organizational units - application developers, operations engineers, cloud administrators, IAM specialists, or security analysts - while others are already built into the orchestration services themselves.

Organizations looking to design their own best-of-breed container security solutions from individual components and integrate them into their existing development pipelines and security operations centers should consider the complexity and potential costs of such an approach. The diagram below shows just some of the security capabilities that such an architecture would have to implement, to say nothing of integrating all these functions into a cohesive, unified management and analytics platform.

At the other end of the spectrum are organizations relying solely on the basic integrated security controls of cloud-based managed container orchestration services. Some of the solutions offered by large cloud service providers include quite substantial built-in security functions, which can also be easily extended with third-party add-ons via their marketplaces.

Figure 13: Container security controls

In this Leadership Compass, however, we primarily focus on container security solutions offered by vendors, which can combine prevention, detection, mitigation, and incident response capabilities for each stage of the container lifecycle in a single integrated offering.

Here are the primary functional areas we expect to be provided by such container security platforms.

Container image security: these capabilities integrate directly with existing development environments, helping to ensure that container images start their life according to modern design best practices. This includes scanning images for known or zero-day vulnerabilities, preventing them from being infected by malware, not allowing hardcoded credentials to leak into them, etc. The results of container vulnerability scans should be aligned and ranked according to risk assessment models.
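As an added illustration (not part of the report or of any vendor's product), here is a minimal image-hygiene check of the kind described above: it scans a constructed Dockerfile for hardcoded credentials, secrets passed as build arguments, an unpinned base image and a missing non-root user, then ranks the findings by an illustrative severity so a build pipeline can gate on them. The rule names, severity weights and admission threshold are assumptions chosen for the example.

```python
import re
from collections import namedtuple

# Constructed sample Dockerfile (not from the report) carrying several of the
# image-hygiene problems named above: a hardcoded credential, a secret passed
# as a build argument, an unpinned base image and no non-root USER.
SAMPLE_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=SuperSecret123
ARG AWS_SECRET_ACCESS_KEY
COPY . /app
CMD ["python", "/app/main.py"]
"""
SECRET_KEY_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
# Illustrative severity weights (an assumption, not any vendor's risk model).
SEVERITY = {"hardcoded_credential": 9, "unpinned_base_image": 6,
            "runs_as_root": 5, "build_arg_secret": 4}
Finding = namedtuple("Finding", "rule line_no detail score")

def scan_dockerfile(text: str) -> list:
    # Returns findings ranked by severity, highest first.
    findings, runs_as_root = [], True
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr, args = instr.upper(), args.strip()
        if instr == "FROM":
            image = args.split()[0]
            name = image.rsplit("/", 1)[-1]  # drop any registry host:port prefix
            # A @sha256 digest is immutable; a missing tag or :latest is not.
            if "@sha256:" not in name and (":" not in name or name.endswith(":latest")):
                findings.append(Finding("unpinned_base_image", n, image, SEVERITY["unpinned_base_image"]))
        elif instr == "ENV":
            pairs = ([kv.partition("=") for kv in args.split()] if "=" in args
                     else [args.partition(" ")])  # legacy "ENV KEY value" form
            for key, _, value in pairs:
                if value and SECRET_KEY_RE.search(key):
                    findings.append(Finding("hardcoded_credential", n, key, SEVERITY["hardcoded_credential"]))
        elif instr == "ARG" and SECRET_KEY_RE.search(args.split("=")[0]):
            findings.append(Finding("build_arg_secret", n, args.split("=")[0], SEVERITY["build_arg_secret"]))
        elif instr == "USER" and args not in ("root", "0"):
            runs_as_root = False
    if runs_as_root:
        findings.append(Finding("runs_as_root", 0, "no non-root USER instruction", SEVERITY["runs_as_root"]))
    return sorted(findings, key=lambda f: f.score, reverse=True)

def admit(findings: list, threshold: int = 7) -> bool:
    # Pipeline gate: admit the image only if no finding reaches the threshold.
    return all(f.score < threshold for f in findings)
```

Running `scan_dockerfile(SAMPLE_DOCKERFILE)` ranks the hardcoded `DB_PASSWORD` first, and `admit` rejects the image; a Dockerfile with a digest-pinned base image, no secret-looking `ENV`/`ARG` keys and a non-root `USER` yields no findings and is admitted.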

Container registry security: providing continuous visibility, access control, and security for container images stored in registries, ensuring that valid images cannot be compromised, and unauthorized access, modifications of images, or infiltration of rogue containers are prevented.

Orchestration platform security: the container orchestration platform itself must be properly secured across all layers of its underlying infrastructure - from securing host systems to implementing network segmentation, workload isolation, and securing all management interfaces. Both proactive hardening and real-time monitoring must be implemented, along with configuration management and comprehensive access governance, enforcing segregation of duties and least privilege principles.

Runtime container monitoring: provides continuous real-time visibility into activities within running containers, utilizing both signature-based detection and ML-powered behavior analytics to identify runtime threats. Container security platforms should utilize the full range of security controls on the host, network, container, and application levels to block or otherwise mitigate detected threats quickly and automatically.

Incident management: these capabilities allow security analysts to react to identified threats quickly, conduct forensic investigations, reach the right decisions, and, finally, automate threat remediation using a combination of native orchestration controls and specialized security tools.

Audit and compliance: regulatory compliance is a major challenge and simultaneously a business driver for organizations of any size or industry. Security data retention and comprehensive compliance reporting are the basic capabilities here. Out-of-the-box support for regulatory frameworks like GDPR, HIPAA, or PCI is a major differentiator for many customers.

Integrations: container security solutions cannot operate as standalone tools without deep integrations with existing cloud services, container orchestration platforms, DevOps and DevSecOps pipelines, as well as SIEM platforms and other security operations tools. Maintaining an open ecosystem of third-party integrations is a key differentiator for vendors.
