Securing Containers at Scale: Amazon EKS, Amazon ECS and Deep Security Smart Check

Containers present a new opportunity for teams. An opportunity to deploy faster, more consistently, and with a simplicity rarely seen. But in order to make that happen a lot of infrastructure needs to be setup ahead of time.

A cluster of hosts for the container runtime, an orchestration layer, and—of course—security throughout.

To simplify this infrastructure, most teams turn to a cloud service provider like AWS. Complementing the power of the Amazon Elastic Container Service (ECS), the newly released Amazon Elastic Container Service for Kubernetes (EKS) eliminates the operational burden of Kubernetes from you container stack. 

Trend Micro Deep Security has long protected your Amazon ECS hosts with security controls applied at runtime. In 2017, that protection was extended to containers themselves, with the platform applying intrusion prevention and anti-malware controls to individual containers. This week we extended our container security solution with the launch of Deep Security Smart Check to deliver container image scanning. 

Shift Left With Deep Security Smart Check 

Protecting containers in production is a critical play in your security playbook. But what about earlier in the development process? How can you reduce the cost and impact of security issues?

The answer is to catch them earlier in the development process. You need to shift security controls to the left side of the CI/CD pipeline. The introduction of Deep Security Smart Check does just that.

Deep Security Smart Check is a new image scanner for containers. By connecting to popular private and cloud registries—including Amazon ECR—it continuously scans images for vulnerabilities and malware.

Deep Security Smart Check is designed to seamlessly slide into your CI/CD pipeline to make automated decisions not only based on failed integration and unit tests, but security tests, as well. 

Automate for Success 

The speed of your development process hinges on automation. Adding security earlier in the CI/CD pipeline poses the risk of slowing the entire pipeline down. That outcome must be avoided at all costs.

Deep Security Smart Check helps you accelerate your CI/CD pipeline via its complete API. You can use this API to added scanning to your container build process as a step before publication.

If the container passes a smart check, you can automatically sign it and promote it to your registry of choice. If it fails, you can send detailed results to your favorite collaboration tool like Slack or ServiceNow.

This eliminates the need for manual security processes and facilitates a streamlined lifecycle for your containers. 

How it Works 

Here’s a simple example of how you can build security into your CI/CD pipeline:

  • Code is committed to GitHub and Jenkins automatically builds your custom container.
  • Deep Security Smart Check scans the container for malware and vulnerabilities.
  • Smart Check’s Image Assertion feature signs and promotes images that meet security requirements to your registry of choice. Image Assertion lets you define your policy based on the risk inherent in specific malware and vulnerability profiles.
  • Deep Security —running on your Amazon ECS hosts— integrates with Kubernetes via an initializer to intercept pod deployments, verifying and enforcing Deep Security runtime policies.
  • Your container is deployed to production with no known vulnerabilities or malware and under the full protection of Deep Security runtime protection.

Fully Embracing AWS

As a long time AWS Advanced Technology Partner, Trend Micro has supported a number of critical AWS service launches and programs. The launch of Amazon EKS is no exception.

One of the most eagerly awaited services, Amazon EKS is Kubernetes at scale with little-to-no effort on your part.

A fully managed service that is highly available and highly redundant, Amazon EKS delivers Kubernetes clusters that are secure, Certified Kubernetes Conformant, and compatible with the rest of the K8S ecosystem.

It’s the simplest way to get K8S up and running in the AWS Cloud. In fact, Deep Security Smart Check itself is container based and Amazon EKS can be used to manage it as an EKS cluster because Trend Micro is always striving to deliver simplicity to our customers and fit their processes.

When you combine Amazon EKS with Amazon ECS, you get a one-two punch that simplifies your container environment. But under the shared responsibility model, even with these fantastic services you are still responsible for the security of the contents of your containers, your data, and the service configuration.

You’ll need to leverage AWS IAM and other AWS Cloud security features to harden your deployments. That still leaves a gap, one that is addressed by Trend Micro Deep Security and Deep Security Smart Check.

Do Less, Get More

The goal of using containers is to simplify and accelerate your deployments. If you try to use traditional security platforms to protect your deployments, you are going to slow down your CI/CD pipeline while forcing your teams to jump through needless security hoops.

A modern set of security tools will seamlessly support and improve your CI/CD pipeline by shifting left into the development cycle and simultaneously providing protection for containers running in your production environment.

The new Deep Security Smart Check image scanner in combination with the Deep Security platform is a fantastic example of this approach.

With full support for on-premises and hybrid environments, this security combination will protect your container deployments wherever they run.

Read More HERE