Secure by Default
Security is a core design principle of the Contain Platform. We operate on a "secure by default" philosophy, meaning that our platform is architected from the ground up to protect your workloads and data.
We follow a defense-in-depth strategy, layering many security controls across the entire stack. This ensures that a failure in one layer does not compromise the entire system.
Platform Foundation Security
The security of your applications starts with the security of the underlying platform. We harden the core infrastructure to protect it from threats.
- CIS Hardening: We apply relevant practices from the Center for Internet Security (CIS) benchmarks to our infrastructure. This provides a rigorous, industry-recognized baseline for securely configuring the platform's components, reducing the attack surface.
- Resource Management: We implement Quality of Service (QoS) and resource quotas to ensure that no single application can monopolize resources. This protects the stability of the platform and prevents noisy neighbors from impacting your services.
Workload & Application Security
We provide automated guardrails to ensure that the applications you deploy are secure and isolated from one another.
- Policy-Based Admission Controls: We use admission controllers to enforce security policies automatically. This means that workloads that do not meet your security standards (e.g., running as root, using insecure images) can be prevented from ever running on the platform.
- Workload Segregation: The platform is designed to keep your workloads logically isolated from each other. A security issue in one application is contained and cannot readily spread to others.
- Least Privilege Networking: We implement default-deny network policies, meaning pods cannot communicate with each other unless explicitly allowed. This strict network segmentation limits the ability of an attacker to move laterally within the cluster if a workload is compromised.
- Container Image Scanning: We integrate vulnerability scanning into the application lifecycle. This can help us identify and remediate known vulnerabilities in the container images before they are deployed to production.
- Role-Based Access Control (RBAC): We enforce the principle of least privilege using RBAC. This ensures that users, applications, and services only have the permissions they absolutely need to perform their functions, minimizing the potential impact of a compromised account.
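The kind of check an admission policy performs, as an added example that is not the Contain Platform's own code. It assumes Kubernetes-style pod manifests and interprets "running as root" and "insecure images" with hypothetical rules: no effective non-root setting, a registry outside a hypothetical allowlist (`registry.example.internal/`), or an image not pinned by digest.

```python
# Added illustration; the rules and the registry name are assumptions,
# not the platform's actual policy.
ALLOWED_REGISTRIES = ("registry.example.internal/",)  # hypothetical allowlist

def _effective(pod_sc, ctr_sc, key):
    """Container-level securityContext overrides the pod-level value."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)

def review_pod(pod):
    """Return a list of denial reasons; an empty list means admit."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    reasons = []
    # Init containers are part of the workload too, so check them as well.
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    for ctr in containers:
        name = ctr.get("name", "<unnamed>")
        ctr_sc = ctr.get("securityContext") or {}
        run_as_user = _effective(pod_sc, ctr_sc, "runAsUser")
        non_root = _effective(pod_sc, ctr_sc, "runAsNonRoot")
        if run_as_user == 0:
            reasons.append(f"{name}: runAsUser is 0 (root)")
        elif non_root is not True and run_as_user is None:
            # Nothing forbids root, so the image's default user would decide.
            reasons.append(f"{name}: runAsNonRoot not set to true")
        image = ctr.get("image", "")
        if not image.startswith(ALLOWED_REGISTRIES):
            reasons.append(f"{name}: image registry not on allowlist")
        if "@sha256:" not in image:
            # Tags such as :latest are mutable; a digest pins the exact content.
            reasons.append(f"{name}: image not pinned by digest")
    return reasons

# Constructed sample manifests (not taken from the platform).
DIGEST = "sha256:" + "0" * 64  # placeholder digest
GOOD_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "api",
                    "image": f"registry.example.internal/api@{DIGEST}"}]}}
BAD_POD = {"spec": {"containers": [
    {"name": "web", "image": "docker.io/library/nginx:latest",
     "securityContext": {"runAsUser": 0}}]}}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        print(label, review_pod(pod) or "admitted")
```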
Data Security
Protecting your sensitive information, such as API keys, database credentials, and certificates, is critical.
- Encryption: We enforce encryption for data both in transit (using TLS) and at rest, protecting your data as it moves across the network and when it is stored on disk.
- Built-in Secrets Management: The platform provides a secure, integrated solution for managing secrets and certificates. This allows you to avoid hardcoding sensitive information in your application code or configuration files, which is a common and dangerous security risk.