What Is Container Security?
You don’t have to look far to see that container adoption is on the rise. According to a recent report from ESG, 38% of production workloads run on containers and serverless deployments today, which is expected to increase to 46% in the next 24 months. Similarly, bare metal and VMs currently host 62% of production workloads, but this is expected to drop to 53% by 2021.
As container adoption rises, so should concerns about best practices for container security to protect running containers in production as well as secure containers across the full application lifecycle.
How Containers Differ From VMs
Container architecture changes key security concerns and requirements compared to the old world of legacy applications. With virtual machines, you have only a host OS, a guest OS and a guest application environment to secure. On bare metal and in most types of cloud-based environments, the security situation is even simpler because there are fewer layers of software.
Containerized environments have many more layers of abstraction that require specialized tools to interpret, monitor and protect these new applications. In a production container environment, for example, you have a number of different layers to secure. In addition to the host OS and the container runtime, you have an orchestrator, a container registry, images and most likely several different microservices within your application. Finally, containerized applications add complexity by redefining the old notion of protecting a single “perimeter,” requiring new approaches for securing the network layer.
How Containers Change the Security Paradigm
The methods for securing containers have morphed alongside the evolution of infrastructure:
Automation has shifted security across the software development lifecycle: Because containers encapsulate all their dependencies, they can move easily from development to testing to production, making frequent deployments by way of automation the new reality.
Containers scale up and down far more significantly: Applications built using a microservices architecture consist of many interrelated entities, and the number of deployed entities can grow quickly as orchestrators seamlessly scale your apps up or down according to demand. Additionally, manually creating and maintaining security rules for each entity is impractical.
Development cycles have shrunk from months to days or hours: As they aim to deliver business value, developers are deploying more quickly than ever – in times measured in hours and days, not months. Integrating security into CI/CD workflows and implementing DevSecOps best practices provides incredible security advantages in the world of containers.
Securing the Entire Container Stack
A container environment, in general, encompasses your images, containers, hosts, container runtime (Docker®, runC, cri-o, containerd), registries and orchestrators. Understanding potential risks and how to protect your environment against them is essential.
Image Vulnerabilities and Compliance Concerns
Vulnerabilities can impact container images just like any other legacy code framework, which is why scanning images for vulnerabilities and compliance issues, building a bill of materials, identifying any embedded secrets or malware, and correlating risk to individual image layers ensures developers are building secure images. Additionally, organizations need to remember drift can be a big problem for containers. A scanned image that passed your vulnerability and compliance requirements today may not be secure in the future as new threat data may identify vulnerabilities in components that were previously thought to be secure. This is why it’s important to continuously monitor images and containers.
Securing the Registry
A container registry provides a convenient, centralized means of storing and distributing application images. Modern organizations can easily have tens of thousands of images stored in their registries. Because the registry is central to the way a containerized environment operates, it’s essential to secure it. Intrusions or vulnerabilities within the registry provide an easy opening for compromising running applications. Continuously monitoring registries for any change in vulnerability status is a core security requirement, as are locking down the server that hosts the registry and using secure access policies.
Container Runtime Protection
The container runtime is one of the most difficult parts of a container stack to secure because traditional security tools were not designed to monitor running containers. They can’t peer inside containers or establish good baselines for what a secure container environment looks like. Organizations using containers need to establish behavioral baselines for their container environments in a normal, secure state to detect and prevent anomalies or attacks. Runtime security requires security teams to focus on securing the application, rather than only relying on network-level security tools to keep them safe.
DevOps, infrastructure and security teams should embrace the concept of immutability, replacing existing containers with new ones whenever applications or services are updated. Immutability presents security advantages so users don’t attempt to perform live updates on running containers, which leads to configuration drift and poor enforcement of security policies.
Security and infrastructure teams need to enact proper access control measures to prevent risks from over-privileged accounts, attacks over the network and unwanted lateral movement. Using a least-privileged access model, where Docker and Kubernetes® activity is explicitly whitelisted, ensures users can only perform commands based on appropriate roles. Additionally, you need to protect pod-to-pod communications, limiting damage by preventing attackers from moving laterally through your environment, and secure any front-end services from attacks like the OWASP Top 10.
Protecting the Host OS
The OS that hosts your container environment is perhaps the most important layer of the stack because an attack that compromises the host environment could give intruders access to everything else in your stack. That’s why hosts need to be scanned for vulnerabilities, hardened based on specific CIS Benchmarks, and protected against improper access control (Docker commands, SSH commands, sudo commands, etc.) or file tampering.
To learn more, grab the Container Security for Dummies Guide.