Container security is the use of security tools and policies to protect the container, its application and performance including infrastructure, software supply chain, system tools, system libraries, and runtime against cyber security threats.

What are the challenges of Container Security?

Containers live in an ecosystem—containers are not deployed standalone within an enterprise. Container workloads are deployed as part of an architecture that may include Public (AWS, GCP, Azure) clouds, Private clouds (VMware) and Hybrid clouds integrated with traditional workloads comprised of servers and VMs, while working with serverless components on the compute side. These enterprises may also be using IaaS and PaaS services such as S3 buckets or RDS. Container workloads therefore need to be secured as part of an enterprise ecosystem.

Containers are ephemeral: Container lifecycles are often measured in seconds, but there is also a high degree of variability that makes generalizations difficult. Security teams need to account for the security and integrity of containers that may only be online for a few seconds, and others that may be online for weeks.

Containers are built and deployed in CI/CD DevOps Pipelines. Container workloads tend to be developer led. The challenge for security is to empower developers to produce applications that are BornSecure.

Cloud Security Posture Management (CSPM)

CSPM for Containers

Skyhigh Security can provide CIS benchmark scans and other best practice evaluations for container run times, orchestration systems (such as Kubernetes), IaaS infrastructures running container workloads, storage configurations, network configurations, IAM settings/roles, etc. This helps:

  • Ensure that the environment’s configuration is not a source of risk (CSPM)
  • Ensure that the configuration of the environment does not drift over time, exposing unintentional risk

Vulnerability Scanning for Containers

Containers significantly leverage third-party components. All components of container builds must be evaluated for any known or exploitable weaknesses.

Vulnerability scanning evaluates the components embedded in containers at build time and periodically scanned to ensure that known risks are exposed and mitigated to reduce the risk of malicious actors landing in a container workload.


Discover the inter-container communications based on known good configurations to secure behavior of complex and dynamic workloads:

  • Discover and monitor the behavior of network communications between container processes in a way that can deal with the ephemeral nature of containers, and not rely on external factors such as an IP address.
  • Detect abnormal communications and notify or block based on user preference.
  • Detect changes in communication patterns between versions of containers as the application evolves over time.
  • Leverage known good configurations as a way to secure workloads, as opposed to keeping up with known bad.

Skyhigh Security solution mapped to a container lifecycle

Security should not slow down developers or the adoption of cloud friendly architectures such as containers. Skyhigh Security provides a seamlessly integrated security platform that integrates with the tools that developers choose to use to maintain their applications. Container security can provide in-depth defense by ensuring properly configured infrastructure and orchestration engines, evaluating the risk of exploit for code embedded in containers, and a flexible software defined method to certify known good network behavior that can deal with the fast-changing environment of container workloads across their lifecycle.

Shift Left: DevOps to DevSecOps

Containers are a very developer-centric type of workload. Given that developers get much more direct control over architecture and services in use, security teams need an asynchronous way to establish policy, evaluate deployments against best practices, and monitor the inevitable drift that occurs in any environment. With containers and microservice architectures, the number of variables and the pace of change has increased substantially from the formerly tightly controlled hardware or VM-based deployments. Container lifecycles are often measured in seconds, but there is also a high degree of variability that makes generalizations potentially dangerous. Security teams need to account for the security and integrity of containers that may only be online for a few seconds, and others that may be online for weeks continuously. Skyhigh Security for Containers offers BornSecure Containers that include:

  • Cloud Security Posture Management to scan cloud environment continuously to detect risk from drift integrated into the DevOps pipeline (Shift Left) to ensure that the risk is resolved before it’s deployed.
  • Vulnerability assessment of the components within the containers themselves to ensure that enterprises are not deploying code with known exploits integrated into the DevOps pipeline (Shift Left). Skyhigh Security for Containers also includes periodic rescanning of container artifacts to detect when new vulnerabilities affect containers that have already been built and may be running in production.

Traditional DevOps processes: Traditionally, security is not taken into account or verified until after the applications are deployed to production environments.

Today, cloud-native applications require BornSecure Containers: Security is embedded in DevOps pipeline providing developers with security feedback as applications are built or as code is checked in.

Container Security 101 – A glossary of terms

AKS Enterprise Container Platform S/W Suite for Azure based on k8s. Docker A company and the name of the tool they designed to make it easier to create, deploy, and run applications by using containers. Nanosegmentation A flexible and fine-grained =segmentation which is based on observed behavior.
Anomaly Something that deviates from what is standard, normal, or expected. Drift The accumulation of configuration changes or administrative actions over time that can introduce risk and deviations from the known good configuration. Network Attack Surface The attack surface is comprised of the totality of an environment that an attacker can attempt to exploit to carry out a successful attack, including all protocols, interfaces, deployed software and services.
Build Construction of something that has an observable and tangible result. Build is the process of converting source code files into standalone software artifact(s) that can be run on a computer. EKS Enterprise Container Platform S/W Suite for Amazon based on k8s. Pipeline A set of automated processes that allow developers and DevOps professionals to reliably and efficiently compile, build and deploy their code to their production compute platforms.
CICD Combined practices of continuous integration and continuous delivery. ECS Enterprise Container Platform S/W Suite for Amazon using proprietary orchestration that predates broad adoption of k8s. Privileges The concept of only allowing users to do certain activities. For example, an ordinary user is typically prevented from changing operating system files, while a system administrator is typically permitted to do so.
CIS Benchmark Best practices for the secure configuration of a target system including containers and Kubernetes. The benchmarks are developed by a non-profit called Center for Internet Security (CIS) through a consensus of cybersecurity experts. Ephemeral Property used to define containers. As containers are short-lived, with an average lifetime in hours, they are said to be ephemeral. Repository (repo) A container image repository is a collection of related container images, usually providing different versions of the same application or service.
Container Standard unit of software that packages up code and all its dependencies, so the application runs quickly and reliably from one computing environment to another. A container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings. Fingerprinting The ability to track artifacts as well as behavior of the artifacts, letting users see what went into a build and how and where that build is being used.
Forensics A postmortem analysis to understand and contain the impact of any security breach.
Shift Left The integration of the security configuration and vulnerability checks into the DevOps pipeline. Security is introduced as code is checked or built as opposed to waiting for systems to be live. This brings security left of (before) the production environments, where security is traditionally done.
Container Registry A repository for storing container images. A container image consists of many files, which encapsulate an application. Developers, testers and CI/CD systems need to use a registry to store images created during the application development process. Container images placed in the registry can be used in various phases of the development. GKE Enterprise Container Platform S/W Suite for Google based on k8s.
Immutable Property used to define containers. Individual containers don’t change across the lifecycle, once created.
Virtual Machine (VM) A virtual environment that functions as a virtual computer system with its own CPU, memory, network interface, and storage, created on a physical hardware system. Software called a hypervisor separates the machine’s resources from the hardware and distributes them appropriately so they can be used by the VM.
Container Runtime Software that executes containers and manages container images on a node. e.g. Docker Engine. k8s Kubernetes is sometimes called k8s (K - eight characters - S). Workload A discrete capability or amount of work you’d like to run on a cloud instance.
DevOps A set of practices that combines software development (Dev) and information technology operations (Ops) which aims to shorten the systems development life cycle and provide continuous delivery with high software quality. Kubernetes (k8s) An open-source container orchestration system. It provides a platform for automating deployment, scaling, and operations of application containers across clusters of hosts. Zero-Trust Never Trust But Verify. Zero trust security means that no one is trusted by default from inside or outside the network and verification is required from everyone trying to gain access to resources on the network.
DevSecOps DevSecOps is the practice of integrating security practices within the DevOps process. Microsegmentation Microsegmentation software uses network virtualization technology to create highly granular security zones in data centers and cloud deployments, which isolate each individual workload and secure it separately.