
Five Things CISOs in Financial Services Can Do to Make Containers Secure and Compliant

Published 10/19/2023

Originally published by Sysdig.

Written by Eric Carter.

As competition ramps up in the financial services sector, agile and efficient application development is critical to delivering the seamless digital experiences today’s customers want. Chances are, if you’re not already moving applications to cloud and containers, you’re considering it.

But cloud-native development also brings security and compliance implications you may not have fully thought through. With 72% of containers living just five minutes or less, many legacy tools and processes simply cannot provide the visibility needed to satisfy auditors and stop breaches.

It goes without saying, the stakes are high. Financial institutions remain a premier target for cybercriminals and adversaries’ tactics are increasingly sophisticated. A 2022 survey found that 74% of global financial institutions experienced at least one ransomware attack over the previous year. Meanwhile, regulatory requirements are becoming ever more onerous and the penalties can be severe: current fines for violating PCI regulations stand at $5,000-100,000 per month until compliance is established.

In the absence of best practices, mistakes create openings for attackers. For instance, in 2019, a hacker managed to access over 100 million Capital One credit card applications and steal thousands of social security and bank account details. The attacker, a Capital One software engineer, gained access via a misconfigured web application firewall in a lapse that cost the company hundreds of millions of dollars. As development teams increasingly rely on open source software and third-party code, threats to container security are also arising from the software supply chain. In the recent Federal Civilian Executive Branch (FCEB) agency breach, the Iranian government exploited the Log4Shell vulnerability to deploy a cryptominer, steal credentials, and maintain persistence in the FCEB environment.


Speed is of the essence for safety and success

The later vulnerabilities are discovered, the greater the impact on your development speed – and your organization’s competitive edge. At a time when fast time-to-market is more urgent than ever to retain customers and meet the expectations of the next generation of consumers, CISOs must ensure security is explicitly designed into cloud and container environments to minimize last-minute delays.

To counter the risks, your security tool set must integrate specific FinServ security and compliance safeguards into DevOps processes. In addition to scanning for vulnerabilities, it’s important to also address runtime security and incident response.

Here are five key priorities you can work toward in your organization:


1. Scan for vulnerabilities in the build process

“Shifting left” involves building security checks into development so vulnerabilities are addressed before the container is deployed in production. These checks, which can be automated, help identify vulnerabilities faster and earlier and enable you to validate build configurations and image attributes. They can also scan third-party container libraries before applications are deployed to production. To put the importance of this critical step into perspective, Sysdig recently analyzed more than seven million containers that our customers are using on a daily basis. We found that 87% of container images running in production have a critical or high severity vulnerability. Typically, companies will fix these issues before production release.


2. Secure against runtime threats and attacks

“Shifting left” will help ensure the container is not deployed with vulnerabilities, but you also need to protect against emerging threats that can compromise your environment during runtime. This requires runtime detection of violations spanning a wide range of policies, such as unauthorized user activity, excessive privileges to containers, unauthorized network connections, and so on. Since it’s difficult to create manual policies for comprehensively detecting runtime threats, leveraging community-sourced and machine-learning policies will become critical. Another critical element is using an admission controller to govern allowable requests to the API server and prevent workloads with risky configurations, vulnerabilities, or other aspects that don’t meet security standards from running.
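The admission-controller idea from this section, as an added example that is not Sysdig's code: a webhook-style policy check that rejects Pod specs carrying risky settings (privileged mode, host namespaces, root, unpinned or unapproved images, no resource limits). The registry allow-list and sample manifests are assumptions constructed for illustration.

```python
# Added example (not Sysdig's code): an admission-style policy check that rejects
# Pod specs with risky settings before they run. Allow-list values are assumed.
APPROVED_REGISTRIES = ("registry.internal.example/",)

def pod_violations(pod: dict) -> list:
    """Return policy violations for a Pod manifest; an empty list means admit."""
    v = []
    spec = pod.get("spec", {})
    if spec.get("hostPID") or spec.get("hostNetwork"):
        v.append("pod shares the host PID or network namespace")
    for c in spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"{name}: privileged container")
        if sc.get("runAsNonRoot") is not True:
            v.append(f"{name}: runAsNonRoot not enforced")
        if sc.get("allowPrivilegeEscalation", True):
            v.append(f"{name}: allowPrivilegeEscalation not disabled")
        image = c.get("image", "")
        if not image.startswith(APPROVED_REGISTRIES):
            v.append(f"{name}: image {image!r} not from an approved registry")
        last = image.rsplit("/", 1)[-1]  # repo part: must carry a digest or a non-latest tag
        if "@sha256:" not in image and (":" not in last or image.endswith(":latest")):
            v.append(f"{name}: image {image!r} not pinned to a tag or digest")
        limits = c.get("resources", {}).get("limits", {})
        if not {"cpu", "memory"}.issubset(limits):
            v.append(f"{name}: missing cpu/memory limits")
    return v

def admission_response(review: dict) -> dict:
    """Build the AdmissionReview response the API server expects from a webhook."""
    violations = pod_violations(review["request"]["object"])
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": review["request"]["uid"], "allowed": not violations,
                         "status": {"message": "; ".join(violations)}}}

# Constructed sample manifests (not from any real cluster)
RISKY_POD = {"spec": {"hostPID": True, "containers": [{
    "name": "app", "image": "docker.io/library/nginx:latest",
    "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"spec": {"containers": [{
    "name": "app", "image": "registry.internal.example/payments/api@sha256:" + "0" * 64,
    "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}

if __name__ == "__main__":
    review = {"request": {"uid": "demo-uid", "object": RISKY_POD}}
    print(admission_response(review)["response"])
```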


3. Continuously validate posture and compliance

CIS benchmarks provide a minimal set of hardening guidelines for containers. In addition, regulatory requirements are stringent and getting more so, and regulators are increasingly enforcing onerous financial penalties for failure to comply. However, meeting requirements such as GDPR, PCI-DSS, NIST, and ISO can be complex in fast-changing container environments. According to our customer study, only 6% of containers now live for a week or more. Validating posture and compliance requires mapping each regulation and benchmark to specific policies and checks, both for the build phase of the software development life cycle and for runtime, to ensure continual compliance in production.


4. Manage excessive cloud permissions

Cloud environments have many users and resources that require access and privileges to do their job. Over time, it becomes a struggle to control and manage access rights and permissions granted to cloud identities. Organizations end up with unused identities and excessive permissions that may be targeted as entry points for adversaries. Ensuring you have full visibility into cloud assets and identities to detect and remove excessive permissions is key to enforcing least-privilege access policies to grant just enough permissions to perform necessary actions. Cloud Infrastructure Entitlements Management (CIEM) tools help automatically discover all identity and access management (IAM) roles, permissions, and usage to recommend the right permission settings to safeguard your business.

[Figure: 90% of granted cloud permissions are not used. Source: Sysdig 2023 Cloud-Native Security and Usage Report]
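The core check a CIEM tool automates for this section, as an added example that is not Sysdig's code: compare what each role's policy grants with what the activity log shows it actually used, flag dormant roles, and recommend a least-privilege action set. The roles, grants and CloudTrail-style records are constructed for illustration.

```python
# Added example (not Sysdig's code): compare granted IAM actions with the actions
# used in an activity log and recommend a least-privilege set. Data is constructed.
from collections import defaultdict
from fnmatch import fnmatchcase

GRANTED = {  # constructed: actions each role's policy allows
    "payments-api-role": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
                          "kms:Decrypt", "iam:PassRole", "ec2:*"},
    "report-batch-role": {"s3:GetObject", "athena:StartQueryExecution"},
    "legacy-migration-role": {"s3:*", "dynamodb:*"},
}
USAGE_LOG = [  # constructed CloudTrail-style records: (role, eventSource, eventName)
    ("payments-api-role", "s3.amazonaws.com", "GetObject"),
    ("payments-api-role", "s3.amazonaws.com", "PutObject"),
    ("payments-api-role", "kms.amazonaws.com", "Decrypt"),
    ("payments-api-role", "ec2.amazonaws.com", "DescribeInstances"),
    ("report-batch-role", "s3.amazonaws.com", "GetObject"),
    ("report-batch-role", "athena.amazonaws.com", "StartQueryExecution"),
]

def used_actions(log):
    """Collapse log records into the set of 'service:Action' strings each role used."""
    used = defaultdict(set)
    for role, source, event in log:
        used[role].add(f"{source.split('.')[0]}:{event}")
    return used

def right_size(granted, log):
    """Per role: grants never exercised, a recommended least-privilege action set, and
    whether the role is dormant. A wildcard grant such as 'ec2:*' counts as used only
    if a logged action matches it, and is replaced by the concrete actions seen."""
    used = used_actions(log)
    report = {}
    for role, grants in granted.items():
        seen = used.get(role, set())
        unused = {g for g in grants if not any(fnmatchcase(a, g) for a in seen)}
        report[role] = {"unused": unused, "recommended": set(seen),
                        "dormant": not seen,
                        "unused_ratio": round(len(unused) / len(grants), 2)}
    return report

def overall_unused_ratio(report, granted):
    """Fraction of all granted entries that went unused, the headline CIEM metric."""
    total = sum(len(g) for g in granted.values())
    return round(sum(len(r["unused"]) for r in report.values()) / total, 2)

if __name__ == "__main__":
    rep = right_size(GRANTED, USAGE_LOG)
    for role, r in rep.items():
        print(role, "(dormant)" if r["dormant"] else "", "unused:", sorted(r["unused"]))
    print("unused share of all grants:", overall_unused_ratio(rep, GRANTED))
```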


5. Ensure you have a way to audit activity and investigate security events

With container life spans this short, it’s imperative to establish a way to record detailed container activity that is retained after a container has stopped. In the event of anomalous behavior, you want to know what processes were spawned. What connections were made? What files were modified? What HTTP requests were processed? And then you need to be able to correlate this system activity with user activity. What users accessed the container? What did they do? With access to this type of deep container activity, you can effectively triage what happened and quickly respond. Without it, you are blind to what is happening.
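The investigation described above, as an added example that is not Sysdig's code: reconstruct the timeline of a container that has already exited from activity records retained off the host, attribute each action to the exec session that was active at that moment, and flag the items an analyst would want to look at first. The event records, user session and cluster address range are constructed assumptions.

```python
# Added example (not Sysdig's code): reconstruct what happened inside a container
# after it has exited, from activity records retained off the host, and attribute
# each action to the user session active at the time. All records are constructed.
from datetime import datetime
from ipaddress import ip_address, ip_network

CLUSTER_CIDR = ip_network("10.0.0.0/8")  # assumed pod/service address range
CONTAINER_EVENTS = [  # constructed: (timestamp, container_id, kind, detail)
    ("2023-10-19T09:00:01Z", "c1a2", "proc", "sh -c id"),
    ("2023-10-19T09:00:03Z", "c1a2", "file_write", "/etc/passwd"),
    ("2023-10-19T09:00:05Z", "c1a2", "conn", "203.0.113.9:443"),
    ("2023-10-19T09:00:09Z", "c1a2", "http", "GET /accounts/export"),
    ("2023-10-19T09:00:30Z", "c1a2", "exit", "code=137"),
    ("2023-10-19T09:00:02Z", "9f8e", "proc", "java -jar app.jar"),
]
USER_SESSIONS = [  # constructed exec sessions from the API audit log: (user, container_id, start, end)
    ("alice@example.test", "c1a2", "2023-10-19T08:59:58Z", "2023-10-19T09:00:06Z"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def timeline(container_id, events=CONTAINER_EVENTS):
    """Every retained record for one container in time order, even after it exited."""
    return sorted((e for e in events if e[1] == container_id), key=lambda e: e[0])

def active_user(ts, container_id, sessions=USER_SESSIONS):
    """Name the user whose exec session covered this moment, else 'workload'."""
    t = parse_ts(ts)
    for user, cid, start, end in sessions:
        if cid == container_id and parse_ts(start) <= t <= parse_ts(end):
            return user
    return "workload"

def flag(kind, detail):
    """Heuristics a triage analyst would want highlighted; None means unremarkable."""
    if kind == "proc" and detail.split()[0] in ("sh", "bash", "ash", "dash"):
        return "interactive shell in container"
    if kind == "file_write" and detail.startswith(("/etc/", "/bin/", "/usr/bin/")):
        return "write to a system path"
    if kind == "conn" and ip_address(detail.rsplit(":", 1)[0]) not in CLUSTER_CIDR:
        return "connection outside the cluster range"
    return None

def triage(container_id):
    """Correlate system activity with user activity and flag what needs a look."""
    return [{"ts": ts, "kind": kind, "detail": detail, "user": active_user(ts, cid),
             "flag": flag(kind, detail)} for ts, cid, kind, detail in timeline(container_id)]

if __name__ == "__main__":
    for row in triage("c1a2"):
        print(row["ts"], row["user"], row["kind"], row["detail"], row["flag"] or "")
```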


Conclusion

As organizations increase their use of containers and Kubernetes for critical applications, efforts to exploit these technologies will escalate.

CISOs who rethink their security processes with these five aspects in mind will be better equipped to face security threats across their containers and cloud, in a cohesive manner that empowers innovation.