While container security is best thought of as a holistic field, in practical application, its primary focus is on the container itself. The National Institute of Standards and Technology published its Application Container Security Guide, which summarizes several fundamental approaches for securing containers. Here are three important considerations from NIST’s report:

1. Use a container-specific host operating system. NIST recommends using container-specific host OSes, which are built with reduced features, to reduce attack surfaces
2. Segment containers by purpose and risk profile. Container platforms generally do a good job of isolating containers (among themselves, and from the underlying OS). However, NIST notes that you can achieve a greater “depth of defense” by grouping containers by their “purpose, sensitivity, and threat posture” and running them on separate host OSes. This follows a general IT security principle of limiting the blast radius of an incident or attack, meaning that the consequences of a breach are confined to as narrow an area as possible
3. Use container-specific vulnerability management and runtime security tools. Traditional vulnerability scanning and management tools often have blind spots when it comes to containers. This can lead to inaccurate reporting that all is well in container images, configuration settings, and the like. Similarly, ensuring security at runtime is a vital aspect of container deployments and operations. Traditional, perimeter-oriented tools such as intrusion-prevention systems often weren’t built with containers in mind and can’t adequately protect them.

NIST also recommends using a hardware-based root of trust, such as the Trusted Platform Module (TPM) that is suitable for containers and cloud-native development. This strategy adds another layer of security and confidence. It is also important to reinforce your organization’s focus on security by building it into your culture and processes (such as DevOps or DevSecOps). An important aspect of DevOps beyond maintenance and management is monitoring for attacks and protecting the organization. 

• Configuration: Many container, orchestration, and cloud platforms offer robust security capabilities and controls. However, they must be set up correctly and re-tuned over time to be fully optimized. This configuration includes critical settings and hardening in areas such as access/privilege, isolation, and networking.
• Automation: Because of the highly dynamic and distributed nature of most containerized applications and their underlying infrastructure, security needs such as vulnerability scanning and anomaly detection can become virtually insurmountable when done manually. This is why automation is a key feature of many container security tools—much like how container orchestration helps automate a lot of the operational overhead involved in running containers at scale.
• Container security solutions: Some teams will add new purpose-built security tools and support to the mix that are specific to containerized environments. Such tools are sometimes focused on different aspects of the cloud-native ecosystem, such as CI tools, container runtime security, and Kubernetes. Automating as many manual processes as possible through Kubernetes and similar open source technologies will help to detect issues in real-time and keep your organization more secure.
• Cloud & Network Security: Network and container security are often discussed in tandem since containers use networks to communicate with each other. But cloud security extends further, including networks, containers, servers, apps, and the broader environment—all of which are interconnected, and thus dependent on one another to remain protected. Addressing cloud vulnerabilities must be a priority for every organization.

• Forgetting basic security hygiene—Containers are a relatively new technology that require more modern security approaches. But that doesn’t mean abandoning certain security fundamentals. For example, keeping your systems patched and updated—whether an operating system, container runtimes, or other tools—remains an important tactic. 

•  Failing to configure and harden your tools and environments—Good container and orchestration tools—just like many cloud platforms—come with significant security capabilities. However, you must configure them for your particular environments to unlock their benefits—default settings will not suffice. Examples include granting a container only the capabilities or privileges it needs to run to minimize risks such as a privilege escalation attack. 

•  Inability to monitor, log, and test—When teams begin running containers in production, they may lose visibility into their application health and environments if they are not careful. This is a significant risk that some teams fail to recognize, and it’s particularly relevant for highly distributed systems that run across multiple cloud environments and on-premises infrastructure. Ensuring that you have proper monitoring, logging, and testing in place is crucial to minimizing unknown vulnerabilities and other blind spots. 

•  Not securing all phases of the CI/CD pipeline—Another potential shortcoming in your container security strategy is ignoring other elements of your software delivery pipeline. Good teams avoid this with a “shift left” philosophy, prioritizing security as early as possible in their software supply chain and consistently applying tools and policies throughout.