Be Quick But Don’t Hurry: Container Security in Cloud Environments
April 25, 2019
It’s hard to argue against the benefits of containers and containerized applications running on cloud resources. Containers enable agile deployment capabilities, so require less coordination and oversight than on-premises or virtualization infrastructure and, in many cases, offer more flexibility. Advances in container orchestration, service meshing, and microservices mean applications are more portable and can be deployed and scaled more quickly and reliably than in traditional deployment models. Automated continuous integration and delivery pipelines help ensure code is appropriately tested and staged before being moved into production. Errors in applications can often be quickly isolated to a specific container, fixed, and replaced with a new container running updated code. All these advantages have made containers extremely popular for organizations.
However, containers create new cloud security challenges. While these architectures are dynamic and support automated application deployment, the very things that make them valuable also present new threat vectors; DevOps and SecOps teams need to be aware of these potential issues and prepare for them with these considerations:
- Unlike a virtual machine, containers share the host OS that they run on. If configurations aren’t managed properly, the host and containers can all be vulnerable to security issues.
- Orchestration automation adds a layer of complexity, which can result in misconfigurations that over-provision access and subsequently, an increased attack surface.
- Containers are built from images stored in public or private repositories; these are often dependent upon other images, and a single vulnerability in any of them could proliferate to thousands of containers.
- Containers are ephemeral, so IP address-based security controls are less effective and make forensic investigations more difficult. Reuse of IP addresses also confuses traceability.
Security for container orchestration
Many of the security risks introduced by containerized applications and their supporting services and infrastructure can be discovered and mitigated or remediated through deep visibility into the organization’s environment, along with analysis of the security events. Through analysis of those security events that provide context and delivers details about behavioral anomalies, organizations can identify the issues in their orchestration processes and fix them before they do serious damage. The following recommendations are essential to avoiding container security vulnerabilities:
Visibility Into Vulnerabilities and Misconfigurations: Extend your vulnerability management program to include your container technologies. Look for solutions that identify vulnerabilities in your host OS, container images, and the containers themselves using real-time analytical data collected across your infrastructure. Misconfigurations in container provisioning could result in a larger, more vulnerable surface area or allow untrusted access to trusted resources. Resources like the CIS Benchmark provide prescriptive security guidance for most operating systems and many applications including Docker and Kubernetes.
File Integrity Monitoring (FIM): Consider container-aware real-time FIM tools that alert when new applications are installed, changes in key container configuration files occur, or if container logs are tampered with. FIM tools should identify the process or user that changed a file and these tools should recognize activity within, and around a container as well.
Use Trusted Images: Containers are built from images stored on public or private repositories. Understand where your images are sourced and look for tools to scan these images for any vulnerabilities. Remember that one vulnerability in a single image will proliferate into every container based on that image.
Default to least privilege: Establish organizational discipline around access. Regularly audit and review root and other superuser access and remove privileged access from processes that do not require it. Docker containers are granted access to specific namespaces including network, processes, inter-process communications, file system mount points, and the kernel. Document and understand all shared access to these namespaces and look for instances of inappropriate privilege. An example would be mounting a container volume to the host OS /etc directory could result in a serious security vulnerability.
Secure your Administrative Dashboards: An effective dashboard can simplify your orchestration and cloud administration. All your cloud and container assets are visible with one view, but an attacker who gains access to a dashboard can quickly gain access to across your entire environment. Use multi-factor authentication (MFA) and audit access. Inventory subscriptions and ACLs to ensure every asset is appropriately secured.
Anomaly detection: Most security teams will send container logs to a centralized server for analysis, and will then alert on suspicious activity. Because of the highly dynamic and ephemeral nature of containerized environments, this won’t be enough. Analysis through machine learning, which can apply behavioral context is the most effective way to detect anomalies. This is the most accurate way of identifying issues and needs to become part of the security team’s standard operations.
Containerized applications deployed in the cloud make it easier for organizations to more quickly give needed services to their customers. There continue to be exciting advances in technologies that analyze behavior in real-time to monitor for and alert on misconfigurations and other vulnerabilities in cloud-based container infrastructures. Coupling these technologies with anomaly analysis and evolved security best practices will create the necessary threat detection, protection, and response controls essential to keeping these dynamic clouds secure.