What is Container Security?
June 23, 2021
What is Container Security
Containers and the security required to protect them have become among the most important aspects of modern software development. With the launch of Docker and Kubernetes in 2013, and the subsequent popularity of these development platforms, containers are changing how enterprises build, deliver, and improve the applications they use both internally, as well as operate for customer-facing purposes.
According to a survey of senior IT leaders conducted by Capital One, 86 percent of companies are currently planning on deploying containers to build at least some of the applications in their cloud, multicloud, and on-prem environments in the next two years. Analyst firm Gartner predicts that by 2023, more than 70 percent of all enterprises will be running three or more containerized applications to drive their digital transformation. Containers are not only increasing in popularity, but are in fact becoming necessary elements for modern enterprises.
Among the advantages of containers are that they deliver new levels of speed and efficiency to modern development teams. They are designed for agile deployment and are flexible enough to be run in on-premises and virtualized infrastructures. Containers do not require the oversight and manual maintenance that large, monolithic applications typically need. Instead, containers use automated, continuous integration and delivery pipelines to ensure code is appropriately tested and staged and then moved into production.
While the benefits of containers are clearly changing how IT teams operate, they also present new security challenges that must be addressed as part of every organization’s application development and delivery processes. Containers may be enabling a faster way of doing business, but container security needs to be integrated into development and deployment processes to ensure speed doesn’t overtake risk as a priority.
Container Security Defined
Container security is the approach and methodology of defining security and compliance policies, and using security tools to ensure that the containers and container applications in your environment are operating in a safe way. It includes all resources in cloud, hybrid, or on-prem environments—infrastructure, software supply chain, runtime, applications—that contribute to, or benefit from, container operations.
Container architectures are dynamic and support automated application deployment— these are among the very things that make containers valuable. However, these are also the attributes that present new threat vectors into container environments; DevOps and SecOps teams need to be aware of some container-specific issues that, if not addressed, can create visibility gaps and threat potential.
It helps to first understand that container security follows a familiar framework around the following categories:
- Code: Access to build/update container software, code, deployment
- Host: Operating system security including patches and operating systems
- Labels: Container labels which ensure services and replication across the network node occurs appropriately
Are containers more vulnerable than any other part of the IT stack? Not necessarily, but containers have unique attributes that, if ungoverned, can create blind spots and serious security issues that could lead to significant data compromises and intrusion into internal environments. Addressing container security, therefore, requires attention in five key areas:
- Development processes: any type of malicious or poorly written code can be a security risk if it moves from development into deployment. Container development moves fast and code flaws can go unnoticed without proper security checks
- Image registries: containers are built from images stored in public or private repositories; these are often dependent upon other images, and a single vulnerability in any of them could proliferate to thousands of containers
- Runtime: all kinds of security risks can develop once a container is released into the runtime environment. Organizations must set policies that govern container behavior during runtime, use anomaly detection, and address security alerts through swift remediation
- Orchestration: one of the most significant components of container security revolves around the orchestration environment, namely Kubernetes. Orchestration automation adds a layer of complexity, which can result in misconfigurations that over-provision access and subsequently, an increased attack surface
- Ephemerality: the ephemeral nature of the containers renders perimeter, IP address-based security controls less effective and make forensic investigations more difficult. Network and IP addresses are reused frequently and that can obfuscate traceability. Logs and other evidence may be lost when containers are reset in response to a security incident
Container attacks, like the one that hit Docker in mid-2020, target these specific aspects of container environments. The Docker breach, for example, was done by a group who searched specifically for insecure containers that were operating with lax authentication policies. With access, they were able to install a crypto mining program that spread to as many as 6,000 images.
What is a Container?
To adequately understand the challenges of container security, it’s important to recognize some basics about what containers are. Stated most simply, a container is packaged code made up of an operating system (OS), application, support, and config files, all wrapped into a single, read-only image. Images are static, unchangeable files that contain executable code that enable it to run an isolated process on information technology (IT) infrastructure.
Containers are portable and lightweight, and are easy to deploy which makes them especially attractive for organizations that want to deliver applications rapidly and incorporate continuous innovation into their efforts.
In terms of their format, containers can be anything from a very simple microservice to a complex framework of applications, databases, integrated assets, and other IT resources. The ability for containers to take on many different shapes is part of their appeal.
The structure of a container means it’s easier for developers to manage and scale their needs on-demand, so they have the capacity needed to deliver more when load demands increase, and downsize when the opposite occurs. Containers help organizations optimize the elastic benefits that cloud environments offer. Their architectures typically look like the client/server model, where the client initiates container creation, and code interacts at the server level. Using this model, developers coming from legacy development models are able to comfortably operate within a containerized environment.
Major Container Technologies
There is an ecosystem of container technologies that are guiding development and deployment strategies. It’s important to know what part these play in the continuum from development to deployment, and how they impact efforts in the continuous integration, continuous delivery (CI/CD) pipeline. These include:
- Docker was the first container technology and is currently the most popular one. It is considered by many to be the quintessential container platform
- Kubernetes is an open-source container-orchestration platform that automates application deployment, scaling, and management. It was originally designed by Google
- AWS Elastic Container Service (ECS) is a container orchestration service. It runs containers on an Amazon Elastic Compute Cloud (EC2) virtual machine that’s pre-installed with Docker. It installs containers and manages scaling and monitoring
- Google Container Engine (GKE) is a managed environment for deploying, managing, and scaling containerized applications Google Cloud Platform (GCP) environments
- Azure Container Service (ACS) is a container deployment and management service that supports most open-source tools and technologies for container development and orchestration in Microsoft Azure environments
- Envoy and Istio are open-source service mesh technologies that provide security and observability in container environments. They are built to encrypt traffic inside of a container cluster while also observing the behavior happening inside of it
On-Prem vs. Cloud Container Security
Even for organizations that have embraced digital transformation and cloud adoption, there’s still the question of where to create your container environment – on-prem or in the cloud? For the most part, the question is like that of any application or software resource; do I have more control and better security capabilities in one environment over the other? Some of this depends upon organizational considerations like staffing expertise and vendor relationships, but when it comes to security, there are factors that need to be considered.
With on-prem containers, teams generally have more control over their configurations of their container environment. This affords them more flexibility for things like storage and any networking that’s tied to runtime. It also means that compliance requirements can be customized and quickly updated to meet specific organizational needs (this is typically the case when a customer has unique governance needs). But it also means that scalability issues have to be resolved manually, which reduces the agility factor and usually demands more security oversight.
Cloud environments, by contrast, champion all those things that modern organizations seem to prize — flexibility, agility, speed, scalability, and automation. However, when using a public cloud service, you give up some control and have to use the tools that are integrated (or can be integrated) with your service. This means that your container “stack” is really just an environment that has been determined for you.
Many organizations run workloads in both on-prem and cloud environments, which allows them to maintain control for some factors, while still being able to achieve the speed they need.
How Do You Build Security Into the Container Pipeline?
Container orchestration feeds the CI/CD pipelines that give organizations the speed and agility they seek from containers. When developers push a containerized application to a test environment, the CI/CD pipeline steps in to ensure the right levels of testing and staging occur before the container is approved and released into production. Orchestration can be complex, and the focus on delivery can sometimes blind DevOps teams to the potential for risk.
Let’s look more closely at the issue of complexity. Developers can create containerized applications as microservices to handle very specific tasks. For example, one microservice could fulfill search requests and another could update customer information records in a database. These services may be made up of one or more identical containers and are portable, isolated, and self-contained. If there is a problem with one microservice a developer can quickly make corrective changes and push out a new container image that replaces the old without worry of disrupting other microservices. Containerized applications running as microservices, in many cases, are easier to dynamically test, distribute, and deploy than their monolithic counterparts.
The inherent nature of containers magnifies risk potential. For example, a single vulnerability in an image could lead to many vulnerable containers. Plus, an attacker that compromises an orchestration system could have direct control over the entire fleet of containers. Many of the security risks introduced by containerized applications and their supporting services and infrastructure can be discovered and mitigated or remediated by applying old principles and proven techniques together with new and updated tools.
The process of building security into your container pipeline should follow these steps:
- Identify configuration risk: the first step in any container pipeline security process should be to establish a way to identify where misconfigurations could lead to risks to the environment. The CIS Benchmark is a good guide for applications that use Docker and Kubernetes
- Only use trusted images: one vulnerability in a single image could have repercussions across your entire environment. To avoid this, be certain you know — and TRUST — the images you’re using
- Reduce access: access to containers and images should be provided only to those whom it is absolutely necessary. Audit privileges regularly
- Secure admin dashboards: use two-factor authentication and audit access to any orchestration and cloud admin dashboards. Make sure you know what cloud tools and resources are touching your environment
- Effective log management: use logging systems that maintain a timeline of activity correlated between containers, users, and applications long after a container has gone
Common Attack Vectors for Containers
Much like the cloud, containers have advantages that can actually contribute to them having additional risk potential. Here are some common attack vectors that impact containers:
- Vulnerable code: containers can easily, and unwittingly, package applications that contain flaws or other vulnerabilities. To avoid this, all images need to be scanned continuously to identify these flaws
- Poor image configuration: a container can be inadvertently configured with root permissions that extend to far too many users. Every bad configuration can lead to vulnerabilities that aren’t discovered until it’s too late
- Host vulnerability: containers run on host machines, and sometimes they run old orchestration components with vulnerabilities. Teams should look to reduce the number of components on every host
- Credential hacking: access credentials must be used, and they need to be supported with additional measures like two-factor authentication or they can be vulnerable to theft
- Supply chain attacks: containers that are stored in registries are only pulled when they go into runtime. If the registry has been attacked, it’s likely that the containers will have been as well
The Main Benefits of Container Security
Teams that implement effective container security will discover they are able to move fast without sacrificing the health and integrity of their environments. The key benefits include:
- Maintain speed: when container security is integrated into application development and delivery, DevOps teams are not slowed down and the security of the environment is not sacrificed
- Reduced attack surface: with containers, you only need to secure the host and the application, not actual physical servers, integrations, and other elements that usually broaden the attack surface
- Increase transparency: you can easily see what’s inside an image, whereas seeing inside of virtual machines is typically much more complex. This enables faster identification of security issues within containers
- Faster updating: with containers, you can ensure your application is up to date by pulling the latest images from whichever registry you use
Pain Points of Container Security Management
While containers deliver so many benefits, there are also challenges that can make container security challenging. These include:
- Infrastructure diversity: most environments are made up of a diverse set of servers, storage tools, registries and other elements. This can be complex to automate all of these things and make them work together
- Over privileged user vulnerability: some containers have privileged status, which means they can do almost anything a host can do. If a container with this status is breached, every part of the environment that touches the container is in jeopardy
- Monitoring at scale: containers are rapidly spun up and then EOL’d, which makes it almost impossible to monitor, at scale, at any given time what container processes are running
- Overly permissioned communication: because of the number of containers you may be running, and their ephemeral nature, you will likely find it to be a challenge to implement firewall rules that adhere to the least privilege principle. You should seek to allow containers to communicate only to those containers that are absolutely necessary to minimize the surface of your attack
Industries That Rely on Container Security
In some cases, highly regulated industries will use containers to help them maintain compliance adherence in their applications. Especially when an organization can align their security and compliance needs with container-specific security tools, they can take advantage of container benefits to achieve agility and flexibility in their application delivery.
Like any application, container applications need the protection of continuous security and visibility to identify and shut down threats. Container applications are complex in nature due to the variety in components that communicate with one another in order to deliver the application in runtime. When you add the need to comply with government, industrial, and internal regulations, organizations need to be able to rely on an approach that builds in the necessary compliance.
Container Use Cases
Healthcare, biopharma, and financial services are all industries that must meet rigorous compliance standards. Their use of containers and the benefits of container security allow them to maintain a high level of service while not jeopardizing the safety of their data.
Containers and container applications give enterprises the ability to push code fast and efficiently, and put solutions in front of internal and external customers. When they are paired with effective security, they can give organizations a competitive advantage and reduce the complexities of application development and integration. Lacework delivers native container security support, reducing the attack surface, and detecting threats across containerized environments. We visualize your containerized applications in real-time, providing a clear understanding of communications, launches and other cloud runtime behaviors. Coupling container technology with security analysis and evolved security best practices will create the necessary threat detection, protection, and response controls essential to keeping containers and their applications safe and secure.
Image by Bailey Mahon on Unsplash.