The Hidden Dangers In Third-Party Container Security And How To Solve Them

You just signed an outsourcing agreement with a top vendor. They’re going to take care of all your Docker containers. Fantastic! You can move on to other issues.

Listen up; if that’s how you think about managing your company’s technology, you’re in for a wakeup call. Outsourcing is a good way to access expertise from others at a fair price; however, that doesn’t eliminate your responsibility for oversight, risk management, and strategy.

Why Do You Need Outsourcing Management in the First Place?

Outsourcing is a fashionable way to improve performance in business. Whether that outsourcing takes the form of offshoring or a local arrangement, the concept is similar. You’re taking a function that would typically be performed in-house and asking a third party to get it done. What can go wrong if you have no process in place to manage outsourcing?

Let’s say you have a third-party firm manage your cybersecurity emergency response needs. When your email systems are hacked, you call them at midnight, and they swing into action. Hours tick by, and you’re wondering when the situation will be resolved. You need updates for senior management and for your customers. Part of the problem is that you have no defined service level agreement or reporting requirements that explain how the outsourcing relationship will work. As a result, the provider simply uses its standard approach, which is to stay quiet until it’s solved the problem completely.

What Mistake Can Happen with Outsourced Containers?

All the risks and rewards of outsourcing in other areas directly translate to managing containers. Without oversight, reporting, and other management, your containers are more likely to be mismanaged. To prevent that from happening, you need to know what can go wrong.

  1. You receive poor or no reporting about your container technology

Without up-to-date information, you can’t measure what’s happening with your container arrangements. This means you’re going to get a nasty surprise when you receive your monthly invoice, and that’s not the only potential cost you face. What if your CTO or CIO asks about container performance in advance of a major launch? If you struggle to answer those questions, you’re not going to look good to your leadership.

Tip: Not all your providers who use containers will disclose that fact. After all, container technology supports productivity rather than an end user application. It’s up to you to ask your technology vendors whether they use containers to serve your account, and ask how they manage security risk.

  2. Your provider doesn’t play ball with your cybersecurity program

Some technology providers take great pride in their security programs. What’s the problem with that? Well, too much professional pride translates into poor customer service. Specifically, the company may refuse to adjust its procedures and processes to meet the needs of your company. Solving this lack of flexibility is difficult. Ultimately, you may have no choice except to switch to another provider.

Speaking of “not playing ball,” you might be making a specific contractual oversight.

  3. You have no audit rights for the provider

When you suffer a cybersecurity incident, you need to understand your entire technology stack. You interview staff. Your experts review system logs. Of course, you also need to talk to technology providers. When you ask to send your IT auditors to the provider’s premises, you suddenly find out that confidentiality clauses in your agreement prevent such an inspection from happening. The result? Your security review has holes, and you can’t be sure you’ve identified all your risks.

Insisting on audit rights in a contract is sometimes a difficult proposition. If you’re operating in a highly regulated industry such as banking, it’s worth the effort to push for it.

  4. You haven’t tested the third-party container technology for risk and resilience

You may have originally pursued container technology as a way to scale up your company faster. What if your company’s product is featured on Slashdot, TV, or another high-profile source? You need the capacity to scale up your entire infrastructure rapidly. You may even need to set up additional containers to handle the load.

Instead of guessing whether your technology can handle that load, there’s a better way: test the provider’s containers for load and resilience before you actually need the capacity.

With all that can go wrong with outsourced technology, what can you do to mitigate these risks?

Your Options to Better Manage Outsourced Container Risk

If you’re tempted to close this article and cancel your container technology contracts, stop right there. There are ways to manage this technology risk and realize significant benefits.

  1. Use the monitoring and reporting provisions

Have you read your agreements with third-party container management providers? If not, set aside half an hour today to complete that review. In particular, look for any provisions regarding reports and key performance indicators. Make sure you’re receiving a copy of these reports and that they’re clearly defined.

  2. Educate staff on container security risks

As container use expands, take the opportunity to improve your security training’s coverage of containers. This new “container security” module is best targeted at developers and DevOps; it doesn’t need to be completed by all employees. For all employees, make sure you provide password management training.

  3. Appoint a manager for container technology risk

Appointing a single person – typically an IT security manager – with responsibility for container tech risk is a smart move. If responsibility is spread too thin, you’ll struggle to ensure full coverage.

  4. Improve identity and access management governance

If the wrong people obtain access to your containers through stolen or misappropriated credentials, your data and applications are at high risk. Fortunately, there’s an affordable and systematic way to improve this part of your IT governance program.

The New Way to Solve Container Technology Security Risk

By improving access controls, you keep your containers safe from the start. Even better, you’ll also keep your IT auditors happy because they’ll see clear evidence that access is being managed in your containers. How do you realize this improvement? Simple: implement Identity Anywhere, a flexible identity management solution that’s built with container management in mind.

Written by Nelson Cicchitto