Containers have quickly moved from an emerging technology to an integral part of many organizations’ cloud strategies. Gartner predicts that by 2022, 75 percent of organizations will be running containerized applications in production, up from less than 30 percent today. Yet as containers have achieved widespread adoption, they’ve also caught the eyes of cybercriminals looking for another avenue to exploit.
Given the potential risk containers represent, security leaders need to create risk profiles for the types of threats and vulnerabilities they expect to experience when adopting container technology. This type of analysis is essential since the attack surface increases significantly while the level of security visibility across hosts, containers, and the infrastructure control plane decreases.
Containers can significantly streamline the way organizations build, test, deploy, and redeploy applications via increased portability and speed. However, this article will examine containers’ potential vulnerabilities and discuss how to secure them to improve organizational security posture properly.
Ingrain security into the container environment
Speed is one of the primary drivers of container adoption, but it is also a risk factor. IT and security leaders must build security into the process of using and deploying containers. Security teams can use configuration management tools to automate installing and setting security monitoring within containerized environments. Or, for container-centric organizations, you’ll likely deploy Kubernetes to conduct security monitoring.
If getting started on a container security journey feels overwhelming, there are many great resources to help get started. For example, the NIST Application Container Security Guide is a great place to learn more about container security and the tools and processes required to succeed. NIST also provides crucial suggestions on ensuring the use of the latest container versions while readily communicating when updates and patches are available for implementation.
Engage your DevOps team
Containers’ inherent speed also creates data control and visibility issues. In a container environment, developers can quickly grab random images from Docker Hub and automate their deployment into production. This capability is a massive boost to developers’ productivity but presents significant security challenges. Therefore, to solve the age-old problem of security over speed, IT and security leaders can create a central repository with an approved selection of hardened and immutable container images for developers to pull from. This method enables developers to build a new image and redeploy it if anything needs to be updated or changed.
Organizations should also regulate container permissions. The two primary risks of using containers are 1) the compromise of a container and 2) exploiting a compromised container to gain persistence and move laterally throughout the infrastructure. While Docker requires root to run, containers themselves do not. But sometimes, root is set up by default, giving a docker container running as root complete control of the host system. Of note, Docker 1.10 introduced a few significant changes to reduce this specific risk. Be sure to update your systems with the latest version upon use.
Additionally, it’s essential to cross-check container orchestration tools like Kubernetes because they are an increasingly popular target for malicious actors. At a minimum, secure the administrative interface and API using IAM (Identity & Access Management) or RBAC (Role-Based Access Control). Likewise, ensure that you limit SSH access to Kubernetes nodes. Like any other part of an organization’s infrastructure, it’s essential to implement a least privileged access model for all container-related services and nodes.
Finally, while container infrastructure is designed to be ephemeral and short-lived, our data suggests that it is very common for container workloads to run for days or even months. This makes runtime monitoring of processes, user activity, and network connections all the more essential to highlight indicators of compromise or poor security hygiene.
Full stack security observability is critical
When building a sound container security strategy, it’s important to remember that containers are just one piece of modern cloud environments, just one layer of the infrastructure stack. It can be dangerous to view containers as “self-contained.” “Integrity stacking” must be part of your thinking. Containers interact with the underlying host, orchestrator, and many other applications and microservices that encompass the complete application. Organizations must proactively monitor each layer, including the cloud management console, worker nodes, Kubernetes, and applications. Not only does this provide visibility to compromise at each layer, but it also helps to identify the increasingly sophisticated attacks that may span multiple layers of cloud infrastructure.
Since each layer in the stack produces its own complex set of security signals, traditional monitoring tools aren’t typically well-suited for container environments. Simply put, these tools don’t have visibility into the host running the containers, or the containers themselves, which dramatically limits their effectiveness. Container security visibility requires insights into several key areas: container resource consumption, container-level process execution, user access, and network flows, both “East-West” and “North-South.”
Full-stack observability monitors these behaviors and contextualizes container activity in the overall infrastructure. That enables IT and security leaders to understand what is normal within their environments and what needs to be investigated by the security team.
Some organizations implementing containers believe they are easier to secure because they are short-lived, self-contained, and have isolated runtimes. The reality is that containers increase surface area for attack. Cybercriminals can exploit developers’ innate need for speed if security leaders don’t incorporate robust, real-time visibility and incident response to protect container environments. As part of a full-stack strategy, monitoring the monitoring containers and microservices in real-time can prevent major breaches.
Chris Ford, VP of Product, Threat Stack