Container Security | Securing Containers from Potential Cyberthreats
Container security is the process of implementing tools and policies to ensure that container infrastructure, apps, and other container components are protected across their entire attack surface.
One of the most important things to know about container security is that it reflects the changing nature of IT architecture itself. The rise of cloud native computing has fundamentally changed how applications are created. With that, we must also fundamentally change how we secure them.
In the past, cybersecurity meant protecting a single “perimeter.” Containers have rendered this concept obsolete by adding new layers of complexity. Containerized environments have many more layers of abstraction that require specialized tools to interpret, monitor, and protect these new applications.
The challenge organizations will face is first understanding how the many layers of a cloud native computing environment interact with one another, and then finding the right tools to build a repeatable set of processes to secure each layer.
Now let's break down these concepts even further to understand the differences among containers, Kubernetes, and virtual machines.
What Is Container Security?
A container is a standalone file or package of software files with everything you need to run an application. The application’s code, dependencies, libraries, runtime, and system tools are all “contained” within the container. As a result, containers have made the process of developing an application lighter, simpler, faster, and more powerful than ever.
With the rise of cloud computing and the sophistication of application development technologies, developers have grown tired of dealing with OS and application dependencies of virtual machines. The adoption of containers and container orchestration platforms, like Kubernetes and Docker, is the result of two factors: a demand for accelerated time-to-market enabled by DevOps, and a desire for application portability across clouds.
The container ecosystem can be difficult to understand, given the plethora of new tools and the unique problems they solve compared to traditional platforms. At the same time, the rapid adoption of container technologies creates an opportunity to shift security left, securing containers from development to the CI/CD pipelines to runtime, and build bridges between development and security teams.
Before diving into the details of container security, it’s necessary to understand the platforms used for managing containers. We’ll focus on one of the biggest and most well-known platforms, Kubernetes.
What is Kubernetes?
Kubernetes is one of the leading orchestration platforms that helps optimize and implement a container-based infrastructure. More specifically, it is an open-source platform used for managing containerized workloads, enabling organizations to automate processes such as application development, deployment, and management.
Because Kubernetes is a relatively new open-source platform, there is a huge opportunity for securing it. It's important to create a secure environment, especially when bringing open source code into a third-party application. The fact that Kubernetes is a sprawling platform with so many integrations for managing containers makes it easy to build an automated, systematic set of processes that bakes security into the core of the Kubernetes build and deployment process.
Benefits of Containers
To put it simply, containers make building, deploying, and scaling cloud native applications easier than ever. For cloud native app developers, the biggest benefits of containers are:
- Eliminating friction: Developers avoid much of the friction typically associated with moving application code from testing through to production, since the application code packaged up as containers can run anywhere.
- Single source of truth for application development: All the dependencies associated with the application are included within the container. This enables the application to run easily and identically across virtual machines, bare metal servers running in a local data center, or even on a public cloud.
- Faster build times: The flexibility and portability of containers enable developers to make huge gains in productivity that were previously unattainable.
- Confidence for developers: Developers can deploy their applications with confidence, knowing their application or platform will run the same across all operating systems.
- Enhanced collaboration: Multiple teams using containers can work on individual parts of an app or service without disrupting the code packaged in other containers.
As is the case with any new IT architecture, cloud native applications still need to be secured. Container environments bring with them a range of cybersecurity challenges involving images, containers, hosts, runtimes, registries, and orchestration platforms, which all need to be protected.
Container vs Virtual Machine (VM)
According to the 2020 State of Cloud Native Security Report, enterprises expect to run as much as 30% of their workloads on virtual machines (VMs) and 24% on containers by 2022. A strategy and understanding for how to secure both will be a primary focus of an enterprise’s cloud workload protection platform. While they share some similarities, there are several key differences between containers and virtual machines.
- A container is specific to one application. It holds the application, all the functions necessary to run it, and nothing else. This makes it lightweight and easy to deploy across multiple environments, making it the ideal choice for cloud native application development.
- A virtual machine (VM) virtualizes the underlying hardware and can therefore run far more operations and functions than a single container. But while a virtual machine is bigger than a container, it is not necessarily better — especially when it comes to cloud native development. Trying to build and run an entire app within a VM often leads to bloated, unwieldy VMs with compounding failures and delayed updates. In short, VMs do not offer the speed, flexibility, or portability of containers.
How to Secure Containers
Container users need to ensure they have purpose-built, full stack security to address vulnerability management, compliance, runtime protection, and network security requirements of their containerized applications. Listed below are the four types of container security.
Container Network Security
Container network security proactively restricts unwanted communication and prevents threats from attacking your applications once deployed.
Organizations can use containerized next-generation firewalls to protect their containers from network-based threats. Most network-based attacks are agnostic of an application’s form factor. Therefore, containerized applications are subject to many of the same network-based attacks that infect bare metal and VM-based apps, such as cryptojacking, ransomware, botnet C2, and many more. Containerized next-generation firewalls stop malware from entering and spreading within the cluster, while also preventing malicious outbound connections used in data exfiltration and command-and-control (C2) attacks. While shift-left security tools provide deploy-time protection against known vulnerabilities, containerized next-gen firewalls provide protection against unknown and unpatched vulnerabilities.
Microsegmentation tools coupled with next-gen firewalls provide comprehensive container network security. Identity-based microsegmentation helps restrict the communication between applications at Layer 3/4, while containerized next-gen firewalls perform Layer 7 deep packet inspection and scan all the allowed traffic to identify and prevent known and unknown threats.
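The identity-based Layer 3/4 decision described above can be sketched as a default-deny allowlist keyed on workload labels rather than IP addresses. This is an added example, not code from the original page or any vendor product; the `Rule` and `Flow` types, the labels, and the ports are constructed for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: dict   # labels the source workload must carry
    dst: dict   # labels the destination workload must carry
    proto: str
    port: int

class Flow(NamedTuple):
    src: dict   # labels of the source workload
    dst: dict   # labels of the destination workload
    proto: str
    port: int

def selects(selector: dict, labels: dict) -> bool:
    """True when every key/value in the selector is present in labels.
    An empty selector is vacuously true, so it selects every workload."""
    return all(labels.get(k) == v for k, v in selector.items())

def decide(flow: Flow, rules: list) -> str:
    """Default deny: a flow is allowed only if an explicit rule matches it."""
    for r in rules:
        if (selects(r.src, flow.src) and selects(r.dst, flow.dst)
                and (r.proto, r.port) == (flow.proto, flow.port)):
            return "allow"
    return "deny"

def overbroad(rules: list) -> list:
    """Rules whose source or destination selector is empty (matches anything)."""
    return [r for r in rules if not r.src or not r.dst]

# Constructed allowlist for a three-tier app; labels are illustrative.
RULES = [
    Rule({"app": "frontend", "env": "prod"}, {"app": "api", "env": "prod"}, "tcp", 8080),
    Rule({"app": "api", "env": "prod"}, {"app": "db", "env": "prod"}, "tcp", 5432),
]
FRONTEND = {"app": "frontend", "env": "prod"}
API = {"app": "api", "env": "prod"}
DB = {"app": "db", "env": "prod"}
API_DEV = {"app": "api", "env": "dev"}

if __name__ == "__main__":
    for f in [Flow(FRONTEND, API, "tcp", 8080),   # expected path
              Flow(FRONTEND, DB, "tcp", 5432),    # skips the API tier
              Flow(API_DEV, DB, "tcp", 5432)]:    # dev workload reaching prod data
        print(f.src["app"], "->", f.dst["app"], decide(f, RULES))
```

Because the decision uses labels, a rescheduled pod with a new IP keeps the same policy; the `overbroad` check catches the common mistake of an empty selector that silently allows every workload.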
Container Runtime Security
In-container runtime security is the process of identifying new vulnerabilities in running containers and securing the application against them.
The container runtime is one of the most difficult parts of a container stack to secure because traditional security tools were not designed to monitor running containers. They can’t peer inside containers or establish good baselines for what a secure container environment looks like.
Organizations using containers must leverage enhanced runtime protection to establish behavioral baselines for their container environments in a normal, secure state to detect anomalies and attacks. Runtime container security can identify and block malicious process, file, and network behavior that deviates from a baseline. Organizations should use a defense-in-depth strategy to protect their containers. In addition to container network security via containerized next-gen firewalls, container runtime protection can serve as another layer of security to block malware.
Additionally, runtime protection can include embedded web application and API security to prevent HTTP-based Layer 7 attacks, such as the OWASP Top 10, denial of service (DoS), or bots.
Container Registry Security
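The behavioral baseline described above can be illustrated with a small detector that learns normal process, file, and network behavior per image and flags anything outside it. This is an added example, not code from the original page or any product; the event format, image names, and sample events are constructed assumptions.

```python
from collections import defaultdict

def learn_baseline(events):
    """Build {image: {kind: set(values)}} from events seen in a known-good window."""
    baseline = defaultdict(lambda: defaultdict(set))
    for e in events:
        baseline[e["image"]][e["kind"]].add(e["value"])
    # Freeze into plain dicts so lookups during detection cannot add entries.
    return {img: dict(kinds) for img, kinds in baseline.items()}

def detect(baseline, events):
    """Return (container, kind, value, reason) for every event outside the baseline."""
    alerts = []
    for e in events:
        profile = baseline.get(e["image"])
        if profile is None:
            # An image never profiled has no "normal"; surface it rather than pass it.
            alerts.append((e["container"], e["kind"], e["value"], "no-baseline"))
        elif e["value"] not in profile.get(e["kind"], set()):
            alerts.append((e["container"], e["kind"], e["value"], "deviation"))
    return alerts

def ev(container, image, kind, value):
    """Helper to build one event record (hypothetical format)."""
    return {"container": container, "image": image, "kind": kind, "value": value}

# Constructed learning-window events for one image.
LEARNING = [
    ev("web-1", "shop/web:1.4", "process", "/usr/sbin/nginx"),
    ev("web-1", "shop/web:1.4", "file", "/var/log/nginx/access.log"),
    ev("web-1", "shop/web:1.4", "network", "listen tcp/8443"),
    ev("web-2", "shop/web:1.4", "network", "connect api:8080"),
]
# Constructed later events: a replacement container of the same image,
# plus a container from an image that was never profiled.
OBSERVED = [
    ev("web-7", "shop/web:1.4", "process", "/usr/sbin/nginx"),
    ev("web-7", "shop/web:1.4", "process", "/bin/sh"),
    ev("web-7", "shop/web:1.4", "file", "/usr/sbin/nginx"),
    ev("web-7", "shop/web:1.4", "network", "connect 203.0.113.7:4444"),
    ev("job-1", "shop/batch:0.9", "process", "/app/run"),
]

if __name__ == "__main__":
    for alert in detect(learn_baseline(LEARNING), OBSERVED):
        print(alert)
```

The baseline is keyed by image rather than container so that it survives container replacement, and it is kept per behavior kind: executing `/usr/sbin/nginx` is normal here, while writing to that same path is a deviation.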
Since containers are made up of libraries, binaries, and application code, it’s critical for enterprises to establish an official container registry in their organization. Doing so is a key first step to building security and fueling the move to DevSecOps.
A container registry provides a convenient, centralized means of storing and distributing application images. Modern organizations can easily have tens of thousands of images stored in their registries. Because the registry is central to the way a containerized environment operates, it’s essential to secure it.
Intrusions or vulnerabilities within the registry provide an easy opening for compromising running applications. Continuously monitoring registries for any change in vulnerability status is a core security requirement. Other requirements include locking down the server that hosts the registry and using secure access policies.
Container Orchestration Security
Container orchestration security is the process of enacting proper access control measures to prevent risks from over-privileged accounts, attacks over the network, and unwanted lateral movement. By leveraging Identity and Access Management (IAM) in cloud security and a least-privileged access model, where Docker and Kubernetes® activity is explicitly whitelisted, security and infrastructure teams can ensure that users can only perform commands based on appropriate roles.
Additionally, organizations need to protect pod-to-pod communications, limit damage by preventing attackers from moving laterally through their environment, and secure any front-end services from attacks.
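One way to check the least-privilege model described above is to audit Kubernetes RBAC Role rules for grants broader than a role needs. This is an added example, not code from the original page; the three Role objects are constructed, and the set of findings is an assumption about what a reviewer would flag, not an exhaustive policy.

```python
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
READ_VERBS = {"get", "list", "watch"}

def audit_role(role):
    """Return (role name, rule index, finding) for rules broader than least privilege."""
    name = role["metadata"]["name"]
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        groups = set(rule.get("apiGroups", []))
        # A wildcard also covers verbs and resources added by future API versions.
        if "*" in verbs or "*" in resources or "*" in groups:
            findings.append((name, i, "wildcard grant"))
        # These verbs let a subject grant itself or assume more rights.
        if verbs & ESCALATION_VERBS:
            findings.append((name, i, "can escalate or impersonate"))
        if "secrets" in resources and verbs & (READ_VERBS | {"*"}):
            findings.append((name, i, "can read secrets"))
        # Creating the pods/exec subresource runs commands inside containers.
        if "pods/exec" in resources and verbs & {"create", "*"}:
            findings.append((name, i, "can exec into pods"))
    return findings

def audit_all(roles):
    """Audit several roles and return one flat list of findings."""
    return [f for r in roles for f in audit_role(r)]

# Constructed Role objects in the rbac.authorization.k8s.io/v1 shape.
LOG_READER = {"kind": "Role", "metadata": {"name": "log-reader"},
              "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                         "verbs": ["get", "list"]}]}
CI_DEPLOYER = {"kind": "Role", "metadata": {"name": "ci-deployer"},
               "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                          "verbs": ["*"]}]}
DEBUGGER = {"kind": "Role", "metadata": {"name": "debugger"},
            "rules": [{"apiGroups": [""], "resources": ["pods/exec"],
                       "verbs": ["create"]},
                      {"apiGroups": [""], "resources": ["secrets"],
                       "verbs": ["get"]}]}

if __name__ == "__main__":
    for finding in audit_all([LOG_READER, CI_DEPLOYER, DEBUGGER]):
        print(finding)
```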
Host Operating System (OS) Security
Host OS security is the practice of securing your operating system (OS) from a cyber attack. As cloud native app development technology grows, so does the need for host security.
The OS that hosts your container environment is perhaps the most important layer when it comes to security. An attack that compromises the host environment could give intruders access to all other areas in your stack. That’s why hosts need to be scanned for vulnerabilities, hardened based on specific CIS Benchmarks, and protected against improper access control (Docker commands, SSH commands, sudo commands, etc.) or file tampering.
Container Security Solutions
In the last year alone, the container security solutions that organizations can rely on have grown in terms of both capabilities and sophistication. Regardless of what level of DevSecOps maturity has been attained, container security tools are now more accessible than ever. The container security solutions any organization will be required to adopt and master include:
- Container monitoring: The ability to monitor your registry for vulnerabilities is essential to maintaining container security. Because developers are continually ripping and replacing containers, monitoring tools that enable cybersecurity and IT operations teams to apply time-series stamps to containers are critical when trying to determine precisely what happened in a containerized environment.
- Container scanning tools: Containers need to be continuously scanned for vulnerabilities, both before being deployed in a production environment and after they have been replaced. It’s too easy for developers to mistakenly include a library in a container that has known vulnerabilities. It’s also important to remember that new vulnerabilities are discovered almost daily. That means what may seem like a perfectly safe container image today could wind up being the vehicle through which all kinds of malware are distributed tomorrow. That’s why maintaining container image trust is a central component of container scanning tools.
- Container network security tools: Once deployed, containers need to be protected from the constant attempts to steal proprietary data or compute resources. Containerized next-generation firewalls, WAAS, and microsegmentation tools inspect and protect all traffic entering and exiting containers (North-South and East-West), granting full Layer-7 visibility and control over the Kubernetes environment. Furthermore, the containerized firewalls dynamically scale with the rapidly changing size and demands on the container infrastructure, guaranteeing security and bandwidth for business operations.
- Policy engines: Modern tools make it possible for cybersecurity teams to define policies that essentially determine who and what is allowed to access any given microservice. Organizations need a framework for defining those policies and making sure that they are consistently maintained across a highly distributed container application environment.