Securing Containers at Scale: Amazon EKS, Amazon ECS and Deep Security Smart Check

  • Posted on: June 13, 2018
  • Posted in: AWS, Security
  • Posted by: Wendy Moore

Containers present a new opportunity for teams: an opportunity to deploy faster, more consistently, and with a simplicity rarely seen. But in order to make that happen, a lot of infrastructure needs to be set up ahead of time: a cluster of hosts for the container runtime, an orchestration layer, and, of course, security throughout.

To simplify this infrastructure, most teams turn to a cloud service provider like AWS. Complementing the power of the Amazon Elastic Container Service (ECS), the newly released Amazon Elastic Container Service for Kubernetes (EKS) eliminates the operational burden of Kubernetes from your container stack.

Trend Micro Deep Security has long protected your Amazon ECS hosts with security controls applied at runtime. In 2017, that protection was extended to containers themselves, with the platform applying intrusion prevention and anti-malware controls to individual containers. This week we extended our container security solution with the launch of Deep Security Smart Check to deliver container image scanning. 

Shift Left With Deep Security Smart Check 

Protecting containers in production is a critical play in your security playbook. But what about earlier in the development process? How can you reduce the cost and impact of security issues?

The answer is to catch them earlier in the development process. You need to shift security controls to the left side of the CI/CD pipeline. The introduction of Deep Security Smart Check does just that.


Deep Security Smart Check is a new image scanner for containers. By connecting to popular private and cloud registries—including Amazon ECR—it continuously scans images for vulnerabilities and malware.

Deep Security Smart Check is designed to seamlessly slide into your CI/CD pipeline to make automated decisions not only based on failed integration and unit tests, but security tests, as well. 

Automate for Success 

The speed of your development process hinges on automation. Adding security earlier in the CI/CD pipeline poses the risk of slowing the entire pipeline down. That outcome must be avoided at all costs.

Deep Security Smart Check helps you accelerate your CI/CD pipeline via its complete API. You can use this API to add scanning to your container build process as a step before publication.

If the container passes a smart check, you can automatically sign it and promote it to your registry of choice. If it fails, you can send detailed results to your favorite collaboration tool like Slack or ServiceNow.

This eliminates the need for manual security processes and facilitates a streamlined lifecycle for your containers. 

How it Works 

Here’s a simple example of how you can build security into your CI/CD pipeline:


  • Code is committed to GitHub and Jenkins automatically builds your custom container.
  • Deep Security Smart Check scans the container for malware and vulnerabilities.
  • Smart Check’s Image Assertion feature signs and promotes images that meet security requirements to your registry of choice. Image Assertion lets you define your policy based on the risk inherent in specific malware and vulnerability profiles.
  • Deep Security, running on your Amazon ECS hosts, integrates with Kubernetes via an initializer to intercept pod deployments, verifying and enforcing Deep Security runtime policies.
  • Your container is deployed to production with no known vulnerabilities or malware and under the full protection of Deep Security runtime protection.
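The scan-and-promote gate from the pipeline above, as an added example that is not Trend Micro's code and does not use the Smart Check API: a policy (in the spirit of Image Assertion) is evaluated over a constructed scan report, the image is either promoted or the build fails, and the reasons are rendered as text for a collaboration tool. The report layout, the `Policy` fields and the thresholds are assumptions.

```python
# Policy gate for a container image scan, run as a pipeline step before
# publication. Added illustration only: the report layout, the Policy fields
# and the thresholds are constructed assumptions, not the Smart Check API.
from dataclasses import dataclass

# Constructed sample scan report (placeholder digest, example CVE ids).
SAMPLE_REPORT = {
    "image": "registry.example/app:1.4.2",
    "digest": "sha256:PLACEHOLDER",
    "malware": [],
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "severity": "high", "package": "openssl", "fixed_in": "1.1.1k"},
        {"id": "CVE-EXAMPLE-0002", "severity": "medium", "package": "curl", "fixed_in": None},
        {"id": "CVE-EXAMPLE-0003", "severity": "low", "package": "bash", "fixed_in": None},
    ],
}

@dataclass
class Policy:
    """What the build tolerates; anything beyond this fails the gate."""
    fail_on_malware: bool = True
    block_severities: tuple = ("critical", "high")
    block_only_fixable: bool = True   # unfixable high/critical: report, don't block
    max_medium: int = 5

def evaluate(report: dict, policy: Policy) -> dict:
    """Decide promote-or-fail and list every reason so the team can act on it."""
    reasons = []
    if policy.fail_on_malware and report.get("malware"):
        reasons.append(f"malware detected in {len(report['malware'])} file(s)")
    medium = 0
    for v in report.get("vulnerabilities", []):
        sev, fix = v["severity"].lower(), v.get("fixed_in")
        if sev in policy.block_severities and (fix or not policy.block_only_fixable):
            reasons.append(f"{v['id']} ({sev}) in {v['package']}" + (f", fixed in {fix}" if fix else ""))
        elif sev == "medium":
            medium += 1
    if medium > policy.max_medium:
        reasons.append(f"{medium} medium findings exceed the limit of {policy.max_medium}")
    return {"image": report["image"], "digest": report["digest"],
            "promote": not reasons, "reasons": reasons}

def notification_text(decision: dict) -> str:
    """Plain-text summary for a chat or ticketing tool when the gate fails."""
    status = "PROMOTED" if decision["promote"] else "FAILED"
    lines = [f"{status}: {decision['image']} ({decision['digest']})"]
    lines += [f"  - {r}" for r in decision["reasons"]]
    return "\n".join(lines)
```

With the sample report the fixable high-severity finding fails the gate; the same finding without a fix is reported but not blocking under the default policy, which keeps the pipeline moving while still surfacing the risk.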

Fully Embracing AWS

As a long time AWS Advanced Technology Partner, Trend Micro has supported a number of critical AWS service launches and programs. The launch of Amazon EKS is no exception.

One of the most eagerly awaited services, Amazon EKS is Kubernetes at scale with little-to-no effort on your part.

A fully managed service that is highly available and highly redundant, Amazon EKS delivers Kubernetes clusters that are secure, Certified Kubernetes Conformant, and compatible with the rest of the K8S ecosystem.

It’s the simplest way to get K8S up and running in the AWS Cloud. In fact, Deep Security Smart Check itself is container based and Amazon EKS can be used to manage it as an EKS cluster because Trend Micro is always striving to deliver simplicity to our customers and fit their processes.

When you combine Amazon EKS with Amazon ECS, you get a one-two punch that simplifies your container environment. But under the shared responsibility model, even with these fantastic services you are still responsible for the security of the contents of your containers, your data, and the service configuration.

You’ll need to leverage AWS IAM and other AWS Cloud security features to harden your deployments. That still leaves a gap, one that is addressed by Trend Micro Deep Security and Deep Security Smart Check.

Do Less, Get More

The goal of using containers is to simplify and accelerate your deployments. If you try to use traditional security platforms to protect your deployments, you are going to slow down your CI/CD pipeline while forcing your teams to jump through needless security hoops.

A modern set of security tools will seamlessly support and improve your CI/CD pipeline by shifting left into the development cycle and simultaneously providing protection for containers running in your production environment.

The new Deep Security Smart Check image scanner in combination with the Deep Security platform is a fantastic example of this approach.

With full support for on-premises and hybrid environments, this security combination will protect your container deployments wherever they run.
