As security threats and opportunities to tamper with organizations escalates, it’s increasingly important for organization to assess their system’s attack surface to identify all possible points of vulnerability. Container Security is a critical part of a comprehensive security assessment. It is the practice of protecting containerized applications from potential risk using a combination of security tools and policies. Container Security manages risks throughout the environment, including all aspects of the software supply chain or CI/CD pipeline, infrastructure, and container runtime, and lifecycle management applications that run on containers. When implementing solutions for container network security, ensure your strategies are integrated with the underlying container orchestration to provide context awareness of the application.
While containers offer some inherent security advantages, including increased application isolation, they also expand an organization’s threat landscape. The significant increase in container adoption in production environments makes containers an appealing target for malicious actors and adds to system workloads. A single vulnerable or compromised container could potentially become a point of entry into an organization’s broader environment.
Potential threats continues to increase as more access points become available to attackers. One of the most common container security threats is from malware that is embedded in container images. In August 2021, Docker found five malicious container images with code that secretly mined cryptocurrency using 120,000 users’ systems. In a similar attack, a separate Docker image was pulled 1.5 million times, demonstrating how quickly this type of threat can spread.
A rise in east-west traffic traversing the data center and the cloud combined with limited security controls monitoring this source of network traffic underscores the importance of container security. Traditional network security solutions do not offer protection against lateral attacks. It’s crucial to create specific strategies for securing containers to reduce your organization’s security risks.
Container security has become a primary concern as container usage becomes more popular. The increasing awareness about container security is beneficial, as various stakeholders are acknowledging its importance and beginning to invest in it through various platforms, processes, and training programs.
Because container security is concerned with all aspects of protecting a containerized app and its infrastructure, this focus is leading to a wealth of benefits. Container security is quickly becoming a catalyst and force multiplier for improving IT security overall. By requiring continuous security monitoring across development, testing, and production environments (also known as DevSecOps), organizations can enhance security in total—for instance, by introducing automated scanning earlier in your CI/CD pipeline.
While container security is best thought of as a holistic field, in practical application, its primary focus is on the container itself. The National Institute of Standards and Technology published its Application Container Security Guide, which summarizes several fundamental approaches for securing containers. Here are three important considerations from NIST’s report:
- Use a container-specific host operating system. NIST recommends using container-specific host OSes, which are built with reduced features, to reduce attack surfaces
- Segment containers by purpose and risk profile. Container platforms generally do a good job of isolating containers (among themselves, and from the underlying OS). However, NIST notes that you can achieve a greater “depth of defense” by grouping containers by their “purpose, sensitivity, and threat posture” and running them on separate host OSes. This follows a general IT security principle of limiting the blast radius of an incident or attack, meaning that the consequences of a breach are confined to as narrow an area as possible
- Use container-specific vulnerability management and runtime security tools. Traditional vulnerability scanning and management tools often have blind spots when it comes to containers. This can lead to inaccurate reporting that all is well in container images, configuration settings, and the like. Similarly, ensuring security at runtime is a vital aspect of container deployments and operations. Traditional, perimeter-oriented tools such as intrusion-prevention systems often weren’t built with containers in mind and can’t adequately protect them.
NIST also recommends using a hardware-based root of trust, such as the Trusted Platform Module (TPM) that is suitable for containers and cloud-native development. This strategy adds another layer of security and confidence. It is also important to reinforce your organization’s focus on security by building it into your culture and processes (such as DevOps or DevSecOps). An important aspect of DevOps beyond maintenance and management is monitoring for attacks and protecting the organization.
- Configuration: Many container, orchestration, and cloud platforms offer robust security capabilities and controls. However, they must be set up correctly and re-tuned over time to be fully optimized. This configuration includes critical settings and hardening in areas such as access/privilege, isolation, and networking.
- Automation: Because of the highly dynamic and distributed nature of most containerized applications and their underlying infrastructure, security needs such as vulnerability scanning and anomaly detection can become virtually insurmountable when done manually. This is why automation is a key feature of many container security tools—much like how container orchestration helps automate a lot of the operational overhead involved in running containers at scale.
- Container security solutions: Some teams will add new purpose-built security tools and support to the mix that are specific to containerized environments. Such tools are sometimes focused on different aspects of the cloud-native ecosystem, such as CI tools, container runtime security, and Kubernetes. Automating as many manual processes as possible through Kubernetes and similar open source technologies will help to detect issues in real-time and keep your organization more secure.
- Cloud & Network Security: Network and container security are often discussed in tandem since containers use networks to communicate with each other. But cloud security extends further, including networks, containers, servers, apps, and the broader environment—all of which are interconnected, and thus dependent on one another to remain protected. Addressing cloud vulnerabilities must be a priority for every organization.
- Forgetting basic security hygiene—Containers are a relatively new technology that require more modern security approaches. But that doesn’t mean abandoning certain security fundamentals. For example, keeping your systems patched and updated—whether an operating system, container runtimes, or other tools—remains an important tactic.
- Failing to configure and harden your tools and environments—Good container and orchestration tools—just like many cloud platforms—come with significant security capabilities. However, you must configure them for your particular environments to unlock their benefits—default settings will not suffice. Examples include granting a container only the capabilities or privileges it needs to run to minimize risks such as a privilege escalation attack.
- Inability to monitor, log, and test—When teams begin running containers in production, they may lose visibility into their application health and environments if they are not careful. This is a significant risk that some teams fail to recognize, and it’s particularly relevant for highly distributed systems that run across multiple cloud environments and on-premises infrastructure. Ensuring that you have proper monitoring, logging, and testing in place is crucial to minimizing unknown vulnerabilities and other blind spots.
- Not securing all phases of the CI/CD pipeline—Another potential shortcoming in your container security strategy is ignoring other elements of your software delivery pipeline. Good teams avoid this with a “shift left” philosophy, prioritizing security as early as possible in their software supply chain and consistently applying tools and policies throughout.