Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Container Security Best Practices in Microservices

Home
Industry Insights
Container Security Best Practices in Microservices

Blog Article Published: 01/15/2022

Written by Nicole Krenz, Web Marketing Specialist, CSA.


The best practices in this blog assume that you have selected a microservices deployment model that leverages containers.

For microservices and security to co-exist, a framework and plan for development, governance, and management of microservices must be developed. Here are some key points to keep in mind while developing your microservices security plan.

1. Servers Should be Stateless

Servers should be treated as interchangeable members of a group. The only concern should be scalability to support the workload. It is recommended to employ auto-scaling, self-healing and a fault tolerant infrastructure. Using servers for specialized functions should be avoided.

2. Image Security in Build and Runtime

Continuously updating OSs to mitigate new container vulnerabilities is critical to protect the security of the environment. Consistent policies should be applied based on the sensitivity of applications running on containers on the same host or across the fleet.

In the build process, DevSecOps incorporates security from inception, ensuring that security and quality issues are addressed in early stages. Additionally employing automation and remediation decreases the probability of security defects reaching production. In a Software Development Lifecycle pipeline, use a combination of these methods:

  • Extend unit tests to ensure the application behaves as expected
  • Validate the security of the supply chain and assess third-party components
  • Make sure the systems are appropriately tested for misconfigurations
  • Add dynamic and status testing to the pipeline
  • Adapt and add OWASP Foundation checklists

3. Image Storage

Storing images in a central location helps with easy management. Using image registries allows for easy storage as images are created, cataloging for identification, and provides APIs for automation.

4. Third-party Image Security

Container image registries are centralized repositories used for sharing images. For public images, it is recommended to only download content from a trusted user, scan images before deployment, and to use curated official images containing certified content. It’s important to implement an audit process for the registry to ensure that older images and those with older dependencies are flagged and interdependencies captured.

Using self-signed certificates or registries over unencrypted HTTP connections leads to tampering of data transit. Additionally, image authenticity should be validated and signature verification should be performed before any image is downloaded.

5. Security of the CI/CD Pipeline

Isolation of CI/CD systems is paramount, as this system has complete access to the codebase and credentials in different stages of development. Depending on the complexity of the system, the repository of the system should be secured using an automated monitoring mechanism. Security testing of code is an integral part of the CI/CD pipeline. There should be a gatekeeper process in the pipeline that enables secure testing of code from one stage to another.

The CI/CD system should be containerized. This ensures that residual side effects from testing are not inherited by subsequent runs of the test cases.

It is critical to ensure that CI/CD pipelines are isolated from the rest of the network and that developers are not able to circumvent the pipeline partially or completely. At the same time, identity and access management of the build pipeline is a critical aspect to implement.

To learn more best practices for implementing a secure microservices architecture, check out this research publication from our Application Containers and Microservices Working Group.

Application Containers and Microservices

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Level up with Cloud Infrastructure Security Training
Related Articles:
Defining 12 CSA Research Topics

Published: 02/09/2024

Resilient Container Security: How Container Security Benefits Cybersecurity and DevOps

Published: 01/08/2024

Securing Cloud Infrastructure: Cloud Security Training Bundle

Published: 12/27/2023

Resilient Container Security: How to Achieve it in Three Steps

Published: 12/22/2023