The Cloud Native Computing Foundation (CNCF) adopted its first container runtime security project that is targeted at securing containers running in a production environment. The Falco project joins 10 others as Sandbox projects within CNCF.
Sysdig donated the Falco project to CNCF. It’s an open source technology originally developed as the core instrumentation technology for Sysdig’s initial open source monitoring platform.
Falco taps into the Linux kernel to provide runtime security at the application, file, system, and network levels. This can shorten the detection and response time for container and microservices architectures.
It can be linked to other CNCF projects like the Fluentd logging project, Nats streaming and messaging project, and Kubernetes container orchestration project. That linking will allow Falco to take action against security threats, notify an administrator about those threats, and isolate a Kubernetes node.
It can also access metadata from a Kubernetes API server to provide more detail on data it received from the Linux kernel. The Falco project is working to deepen those ties into Kubernetes through the addition of Kubernetes audit events as a Falco event source and support for Kubernetes network policy.
The project will also integrate with Prometheus to allow for Falco to expose detailed metrics using the OpenMetrics format.
“With Falco, developers can continuously monitor and detect container, application, host, and network activity, and do so all in one place, from one source of data, and with one set of rules,” explained CNCF Executive Director Dan Kohn.
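As an added illustration of the "one set of rules" approach described above (not a rule shipped with the Falco project or quoted in this article), here is a small rules file in Falco's YAML format. It uses a macro to scope rules to activity inside containers, a detection for an interactive shell spawned in a container, and a detection for writes under `/etc`, with Kubernetes pod and namespace fields in the output to show how the API-server metadata enriches a kernel event. The `/etc` path and the priorities are arbitrary choices for the example.

```yaml
# Added example: a minimal Falco rules file, not part of the original article.

# Macro: restrict a rule to processes running inside a container.
# Falco reports container.id as "host" for processes outside any container.
- macro: in_container
  condition: container.id != host

# Shell execution is a common post-compromise signal in a workload that
# should only ever run its single application process.
- rule: Shell spawned inside container
  desc: An interactive shell was executed inside a container
  condition: >
    evt.type = execve and evt.dir = < and in_container
    and proc.name in (bash, sh, dash, zsh)
  output: >
    Shell spawned in container
    (user=%user.name command=%proc.cmdline container=%container.name
     pod=%k8s.pod.name ns=%k8s.ns.name image=%container.image.repository)
  priority: NOTICE
  tags: [container, shell, example]

# File-level detection: a running container should not rewrite its own
# system configuration; a write under /etc is worth an alert.
- rule: Write below /etc inside container
  desc: A process in a container opened a file under /etc for writing
  condition: >
    evt.type in (open, openat) and evt.is_open_write = true
    and fd.name startswith /etc and in_container
  output: >
    Config write in container
    (file=%fd.name command=%proc.cmdline container=%container.name
     pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, filesystem, example]
```

Alerts produced by rules like these are the events that the Fluentd or NATS integrations mentioned above would forward or act on.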
Containers are short-lived entities designed to execute a specific function over a fairly short period of time. However, a security breach can result in a container running for longer than scheduled, providing access to, or dumping out, sensitive data held inside that container.
Dealing with containers in a production or runtime environment, however, can be tricky. Analysts have warned against attempting to tamper with running containers, as that can impede the application they support. Instead, they recommend that organizations keep their hands off containers in production. This requires a greater focus on securing the content that makes up a container before that content is distributed, or on securing it from outside the running container.
A number of security firms have noted that basic protocols designed to check on the running status of a container can highlight whether a container deployment has been breached.
“By making security part of the container runtime, organizations can speed the deployment of containers in production by removing gaps between developers and security teams,” Kohn noted.
The Sandbox level is considered the entry point for early-stage projects and is designed to garner visibility, help align support, and work through any legal or governance issues for a project. Once those requirements are met, the project can petition for movement to “Incubating” status.
CNCF currently hosts a pair of security projects, though they are not focused on container runtime. Those are the Notary and The Update Framework (TUF) projects. The two projects are tied together, as Notary is actually a commercialized version of TUF.
TUF is designed to work as part of a larger software distribution framework to provide resilience to key or server compromises. It uses cryptographic keys for content signing and verification.
Notary evolved from Docker Inc.’s work with TUF as a way to secure container image updates. It allows for the creation, management, and distribution of the metadata needed to ensure the security of user content. It also provides a client and a pair of server applications to host signed metadata and perform limited online signing functions.
“[Falco] provides intrusion and abnormality detection for cloud native platforms including Kubernetes, Mesosphere, and Cloud Foundry,” Kohn added. “When used in tandem with other cloud native projects like Fluentd, Nats, rkt, and others, Falco can provide a complete container runtime security solution.”