5 Steps to Achieve Effective Container Security
May 5, 2021
Container security is a critical, but often under appreciated element of operating a rapid, DevOps approach to application development and deployment. Containers are rapidly becoming the go-to method for streamlining software development for innovative organizations of all sizes and IT budgets. Yet, in order to balance their inherent advantages with container-specific risk, companies must combine a container security and compliance strategy with an adoption plan that supports development speed without sacrificing security.
Enterprises have been quick to adopt containers because of their microservices-based architecture, which allows development teams to modularize and scale applications which speeds every aspect of building, delivering, updating, and innovating. Containers also use an agile runtime environment, which supports the ability to run applications in different types of infrastructures and environments. At their core, containers are adaptable to changing technology and business needs which makes them an ideal structure for digital-first organizations.
But for all the advantages of containers, their emphasis on speed and ephemerality can lead to visibility gaps and security issues that result from continuous additions, removals, or misconfiguration resolving. Traditional security tools fall short of giving you the ability to audit your cloud services for misconfigurations during development, as well as catch configuration drift at run-time.
Balancing container advantages with container risk
Container champions favor speed, and business leaders are obsessed with getting solutions into the market faster than ever before. Combining these mindsets seemingly creates a happy marriage of functionality with outcome. It’s a nice story, but the ending can often be quite different if security threats challenge the narrative.
The reality is that development teams become conditioned to move fast which fits aggressive release cycles, but meeting these types of demands often reduces the desire to identify and address security issues. Containers are like any type of IT asset in that integrations, user access, compliance demands, and a host of other issues that are core to any technology resource can be vulnerable to threats. When speed is a factor, these vulnerabilities may be masked more than is realized, as teams seek to eliminate obstacles to their primary delivery goals. This increases the potential for visibility gaps as development becomes fragmented across many different containers.
In order to establish a container security and compliance foundation that will support container adoption, DevOps and security teams need to align their efforts to ensure the following:
1: Reduce the attack surface of containers
The first step to an effective container security approach is to prevent code with vulnerabilities from entering the production environment. This primary goal sets the stage for almost all other elements that are critical to creating and maintaining safe container environments.
To truly understand how important this is, consider the architecture of containers. In containerized environments, ANY user or service that has kernel root account access has carte blanche to change code or configurations. There is freedom in that because for the right users, it allows for quick updates and additions. But, of course, in the wrong hands it can lead to misappropriating code and changing configurations, both of which make a container more vulnerable.
Continuous and real-time data about container activity are essential to reducing the attack surface. It’s through these insights that teams will be able to detect malware, bad code, or new security gaps. Continuous analysis will discover vulnerability trends that can be used to prevent the attack surface from widening.
2: Validate that your images originate from trusted sources
Containers are different from virtual machines in that they use one kernel, and that kernel acts as a single operating system. Container applications are built using an image, which is a unique file that includes executable code that can be run for that specific kernel.
These image assets are usually stored in either internal repositories, or public-facing ones like GitHub. These images need to be available for recall so they can be used as needed. But in order to ensure they are usable, they should be signed by authorized users and originate only from a trusted image registry.
That all may sound simple, but in a busy environment where containers are spun up and eliminated in minutes, it’s easy for developers to pull images without vetting them for vulnerabilities. Some will suggest that developers simply don’t have time to check each image, and that’s probably true. It’s also why continuous vulnerability assessment and remediation must be done so that developers can operate without having to stop and validate each image.
3: Establish continuous configuration assessment and analysis
Rules cannot address the rate of change and the complexity within container environments. Updating a rule to any system may take days or weeks to implement across the IT landscape. Yet, containers are being spun up, deployed, and EOL’d often within minutes, and if compliance rules haven’t been applied yet, activity within that container instance will not adhere to the change.
Note that misconfigurations are also common when using orchestration platforms like Docker or Kubernetes. Misconfigurations at this layer can expose vulnerabilities, like over-provisioning of privileged access. The control plane and extensive use of APIs to deliver the actual compute service exposes application internals and adds to complexity. In microservice architectures, application-breakdown multiplies a small number of workloads by a factor of 10 or 100 and thus expands the attack surface.
4: Extend your vulnerability detection efforts
It’s best to use solutions that identify vulnerabilities in your host OS, container images, and the containers themselves using real-time analytical data collected across your infrastructure. Containers share their host’s operating system which also must be hardened. Misconfigurations in container provisioning could result in a larger, more vulnerable surface area or allow untrusted access to trusted resources. Resources like the CIS Benchmark provide prescriptive security guidance for most operating systems and many applications including Docker and Kubernetes. Incorporate benchmarks like these together with threat intelligence feeds as data source inputs for your vulnerability scanning.
5: Reduce access (where appropriate)
Be careful of over-provisioning access to containers. It is important to audit and review root and other superuser access and remove privileged access from processes that do not require it. Docker containers are granted access to specific namespaces including network, processes, inter-process communications, file system mount points, and the kernel. Document and understand all shared access to these namespaces and look for instances of inappropriate privilege. For example, mounting a container volume to the host OS /etc directory could result in a serious security vulnerability.
Effectively protecting your containerized environments
Containerized applications deployed in the cloud make it easier for organizations to more quickly give needed services to their customers. There continue to be exciting advances in technologies that analyze behavior in real-time to monitor for and alert on misconfigurations and other vulnerabilities in cloud-based container infrastructures. Coupling these technologies with anomaly analysis and evolved security best practices will create the necessary threat detection, protection, and response controls essential to keeping these dynamic clouds secure.
Lacework provides a comprehensive container security solution that allows organizations to apply real-time threat and anomaly detection, process-level security visibility, and host and configuration compliance controls with immediacy, and with the ability to evolve as the enterprise’s needs change. This platform-based, comprehensive approach gives organizations a container security infrastructure that can be employed immediately to meet the changing needs of today’s threat landscape.
Photo by Antoine Petitteville on Unsplash.