Runtime security, the practice of protecting containerized applications while they are deployed in the orchestrator, is essential for defending against real-time cyber threats that can compromise active workloads. For geo-distributed businesses, operating across multiple locations and regions, the challenges of managing runtime security are more complex than for companies without branches. In this article, Kaspersky explores these challenges and suggests strategies for countering runtime security risks in geo-distributed organizations.
According to the latest Kaspersky study ‘Managing geographically distributed businesses: challenges and solutions’, 85% of those using container development methods said they have experienced cybersecurity incidents related to containers and/or Kubernetes in the last 12 months. Around one third of these were incidents during runtime (32%), which created serious system vulnerabilities. Below, Kaspersky outlines the runtime-protection risks that geo-distributed companies need to pay attention to and how to deal with them.
Main risks in different aspects of runtime in geo-distributed businesses
Runtime security involves protection of containerized applications and their environment while they are deployed in the orchestrator, which includes monitoring and managing several aspects and risks associated with them:
- Traffic between containers. In a microservices architecture, multiple containers often communicate with each other, forming a complex web of interactions. For geo-distributed businesses, this traffic spans across different regions, making it even more challenging to monitor. The dynamic nature of container orchestration, where containers can be deployed, scaled, and terminated frequently, adds to the complexity. Unmonitored traffic can be exploited by attackers to move laterally within the network, gaining access to sensitive data and services.
- Processes inside containers. Each container runs processes that can be potential entry points for security breaches. Monitoring these processes is crucial to detect any unusual behavior that might indicate a compromise. However, the ephemeral nature of containers and the sheer volume of processes running in large-scale deployments make this task daunting. For geo-distributed businesses, the challenge is magnified by the need to monitor processes across different locations, each with its own set of security requirements and compliance issues.
- Visibility and context. Gaining visibility into what happens inside containers is inherently difficult because they operate as isolated environments. For geo-distributed businesses, maintaining visibility across multiple regions is one of the major challenges. Additionally, understanding the context of detected anomalies – whether they are benign or malicious – requires deep insight into the application’s normal behavior and the environment’s baseline, which can differ from one region to another.
Strategies for countering runtime security risks in geo-distributed environments
Despite these challenges, several strategies can help enhance runtime security for geo-distributed businesses. One is to segment the network, which means breaking it into smaller, isolated sections with strict access controls. This can limit an attacker’s ability to move sideways within the network if they breach a container.
Another is to monitor the behavior of containers and their processes. By using advanced monitoring tools, unusual activity can be quickly identified and flagged as a potential threat.
Specialized security solutions with continuous scanning functionality also play a crucial role. Such tools scan for threats and respond in real time, which helps in quickly addressing any security issues that arise without needing constant human oversight. Continuous scanning can provide immediate defense against attacks, detecting and preventing malicious activities as they happen.
Additionally, keeping detailed logs of all container activities and network traffic is vital. These logs help in understanding what happened during a security incident and in taking corrective measures to prevent future breaches. For geo-distributed businesses, centralized logging solutions that aggregate data from different regions can provide a comprehensive view of security events and streamline incident response.
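The three strategies above (segmentation with strict access rules, behavioral monitoring of container processes, and centralized logs aggregated from every region) can be illustrated with a small detector run over such aggregated events. The code below is an added example written for this article; it is not code from Kaspersky or from Kaspersky Container Security. The event records, image name, regions, the process baseline and the service naming convention `name.<region>.svc:port` are all constructed assumptions for the sample.

```python
"""Baseline and segmentation checks over centrally aggregated container events.

Added example (not from the original article). All events, image names,
regions and naming conventions below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample of events as a centralized logging pipeline might collect
# them from several regions. "exec" = a process started inside the container,
# "conn" = an outbound connection attempt from the container.
SAMPLE_EVENTS = [
    {"region": "eu-west", "pod": "api-7d9f", "image": "shop/api:1.4", "type": "exec", "detail": "/usr/bin/node"},
    {"region": "eu-west", "pod": "api-7d9f", "image": "shop/api:1.4", "type": "conn", "detail": "db.eu-west.svc:5432"},
    {"region": "us-east", "pod": "api-2c1a", "image": "shop/api:1.4", "type": "exec", "detail": "/usr/bin/node"},
    {"region": "us-east", "pod": "api-2c1a", "image": "shop/api:1.4", "type": "conn", "detail": "db.us-east.svc:5432"},
    {"region": "us-east", "pod": "api-2c1a", "image": "shop/api:1.4", "type": "exec", "detail": "/bin/sh"},
    {"region": "us-east", "pod": "api-2c1a", "image": "shop/api:1.4", "type": "conn", "detail": "db.eu-west.svc:5432"},
    {"region": "ap-south", "pod": "api-9b3e", "image": "shop/api:1.4", "type": "exec", "detail": "/usr/bin/node"},
]

# Behavioral baseline: executables a healthy container of each image is
# expected to run. Assumed values for the constructed sample; in practice this
# is learned from observed behavior and may differ per region.
PROCESS_BASELINE = {
    "shop/api:1.4": {"/usr/bin/node"},
}

# Segmentation policy: the regions a workload in a given region may connect to.
# Here each region is isolated to itself; a workload that needs a cross-region
# dependency would get an explicit entry instead of implicit trust.
PEER_REGIONS = {
    "eu-west": {"eu-west"},
    "us-east": {"us-east"},
    "ap-south": {"ap-south"},
}


def destination_region(dest):
    """Return the region encoded in a destination of the assumed form
    'name.<region>.svc:port', or None if the name does not follow it."""
    host = dest.split(":")[0]
    parts = host.split(".")
    return parts[1] if len(parts) >= 3 else None


def detect(events, process_baseline=PROCESS_BASELINE, peer_regions=PEER_REGIONS):
    """Return a list of alerts for events that deviate from the baseline or
    violate the segmentation policy. Destinations whose region cannot be
    determined are treated as violations (fail closed)."""
    alerts = []
    for ev in events:
        if ev["type"] == "exec":
            expected = process_baseline.get(ev["image"], set())
            if ev["detail"] not in expected:
                alerts.append({**ev, "reason": "unexpected process"})
        elif ev["type"] == "conn":
            allowed = peer_regions.get(ev["region"], {ev["region"]})
            if destination_region(ev["detail"]) not in allowed:
                alerts.append({**ev, "reason": "cross-region connection"})
    return alerts


def summarize_by_region(alerts):
    """Count alerts per region, the view a central console would show."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["region"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(f'{alert["region"]} {alert["pod"]}: {alert["reason"]} ({alert["detail"]})')
    print(summarize_by_region(found))
```

On the constructed sample the detector raises two alerts, both from the us-east pod: a shell started inside a container whose baseline only expects the application runtime, followed by a connection to the eu-west database that the per-region policy does not permit. Keeping the baseline keyed by image and the policy keyed by region is what lets the same check run unchanged against events from every location.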
“Runtime security is a critical component of modern containerized application protection, yet it presents significant challenges especially for geo-distributed businesses. Their client services, business applications and entire infrastructure are spread across different regions with their specific network conditions and limitations. It is a challenge to observe such infrastructure by itself. Containerization brings another complexity level due to the dynamic nature of containers and interactions between them. It is crucial to adopt a runtime security solution that can be integrated in geo-distributed infrastructure without harming its efficiency, provide behavioral monitoring of running containers, network segmentation, and threat detection tools. Our Kaspersky Container Security is designed to address these challenges, providing real-time protection and ensuring the integrity of your active workloads,” says Anton Rusakov-Rudenko, Product Marketing Manager, Cloud & Network Security Product Line at Kaspersky.