Containers help simplify the process of building and deploying cloud native applications. According to Docker, “A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.”
Containers use resources even more efficiently than virtualization, adding further value to server utilization. Lightweight and portable, containers are also fast and easy to deploy. You package the application together with its runtime dependencies as an image, then deploy that image as one or more containers. The Docker daemon, which runs directly on the host OS, builds and stores images and starts and manages the containers on that host. Processes inside a container run directly on the host kernel; there is no guest operating system. That is what makes containers lighter than virtual machines, and it is also why a kernel vulnerability or a misconfigured daemon affects every container on the host.
Application code packaged as a container image is largely OS agnostic: the image carries its own userland, so it runs on any host with a compatible kernel (a Linux image needs a Linux kernel) regardless of which distribution the host runs. This also eliminates much of the friction in moving application code from testing to production. With containers, dependencies are baked directly into the image, making dependency management much easier and making the image the one place where vulnerable dependencies must be fixed.
Containerized applications are highly portable across virtual machines or bare metal servers running either on-prem or on a public cloud.
Container environments raise a range of cybersecurity issues. You must secure images, containers, hosts, runtimes, registries, and orchestration platforms. A container is not simply a miniature version of a virtual machine. Containers are more ephemeral than virtual machines. Sandy Carielli, a principal analyst for Forrester Research, states that, due to the ephemeral nature of containers, “cybersecurity teams are never going to be presented with a list of containers that need to be secured.” By the time such a list was created, most of those containers would no longer exist.
As Mike Vizard writes in Container Journal, “In the meantime, it’s not a question of whether cybersecurity concerns are inhibiting container adoption; rather it’s a question of whether adoption of containers in the absence of best DevSecOps practices might lead to a breach.”
Because containers are rebuilt from images and replaced rather than patched in place, remediating a vulnerability is simpler: fix the image, rebuild, and redeploy. Frequently ripping and replacing containers is beneficial for delivering new functionality as well as applying patches.
On the other hand, container security is made more complex by the high quantity of containers most organizations have and the frequency with which they’re updated. Each update is an opportunity for vulnerabilities to be introduced.
Security can’t be copied and pasted, but rather must be tailored to your context. Know your own threat models. Similar to serverless functions, you must provide an IAM role per container and ensure those roles follow the principle of least privilege. Michael Wardrop of Netflix recommends limiting IAM permissions for the host and binding credentials to the host, in addition to restricting which IAM roles can be used by which apps.
You can also assign a VPC routable IP address per container, which allows you to assign security groups to containers, as Netflix does.
Bernard Brode writes in Container Journal, “The first and arguably the most important aspect of securing your containers is to look at the image security.” Most images, even custom-built ones, are layered on third-party base images and packages, so they inherit third-party vulnerabilities. In a containerized environment it is particularly hard to keep control over what upstream code developers pull into their images. SecOps engineers must know the source of every image in their environment and scan it for vulnerabilities inherited from upstream projects. Scanning is especially important when developers pull complete prebuilt images rather than building from a known, reviewed base.
Container Journal’s security best practices states, “This means specifying a list of trusted sources and putting in place controls that ensure that only trusted images are used throughout your systems. Open source tools such as Notary, a Docker project, can be useful in this regard because they allow authors to sign the content they publish and users to verify the authenticity of this content.”
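The “only trusted images” control above is usually enforced at admission time, before a container is started. The following is an added example written for this page, not Notary or any Docker project code: it parses an image reference, expands Docker Hub shorthand, and rejects anything that is not from an allowlisted source or is not pinned by digest (a tag such as `app:1.4.2` is a mutable pointer and can be re-pushed after the image was scanned or signed). The allowlist `TRUSTED_SOURCES` and all image references are assumptions made up for the example.

```python
"""Admission-style check: admit only trusted, digest-pinned images.

Added example for this page (not Notary/Docker code). TRUSTED_SOURCES and the
image references in __main__ are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical allowlist. Entries match as path prefixes, so one namespace on a
# shared registry (ghcr.io/example-org) can be trusted without trusting all of ghcr.io.
TRUSTED_SOURCES = ("registry.example.com", "ghcr.io/example-org")

_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    name: str               # fully qualified registry/path/repo
    tag: Optional[str]      # mutable pointer; can be re-pushed at any time
    digest: Optional[str]   # "sha256:<64 hex>", immutable content address


def parse_ref(ref: str) -> ImageRef:
    """Split an image reference into name, tag and digest, expanding Docker Hub shorthand."""
    ref = ref.strip()
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A ':' separates a tag only if it appears after the last '/'; otherwise it is
    # a registry port, as in localhost:5000/repo.
    name, tag = ref, None
    if ref.rfind(":") > ref.rfind("/"):
        name, tag = ref.rsplit(":", 1)
    first = name.split("/", 1)[0]
    if "." not in first and ":" not in first and first != "localhost":
        # "nginx" -> docker.io/library/nginx, "org/app" -> docker.io/org/app
        name = "docker.io/" + (name if "/" in name else "library/" + name)
    elif name.startswith("docker.io/") and name.count("/") == 1:
        name = "docker.io/library/" + name.split("/", 1)[1]
    return ImageRef(name, tag, digest)


def check_image(ref: str, trusted: Iterable[str] = TRUSTED_SOURCES) -> List[str]:
    """Return the policy violations for `ref`; an empty list means admit."""
    img = parse_ref(ref)
    problems: List[str] = []
    if not any(img.name == t or img.name.startswith(t.rstrip("/") + "/") for t in trusted):
        problems.append(f"untrusted source: {img.name}")
    if img.digest is None:
        problems.append(f"not pinned by digest: tag {img.tag or 'latest'!r} can be re-pointed")
    elif not _DIGEST.match(img.digest):
        problems.append(f"malformed digest: {img.digest}")
    return problems


if __name__ == "__main__":
    for candidate in (
        "registry.example.com/app/api:1.4.2@sha256:" + "a" * 64,
        "nginx:latest",
        "localhost:5000/dev/tool:1.0",
    ):
        verdict = check_image(candidate)
        print(candidate, "->", "ADMIT" if not verdict else "; ".join(verdict))
```

Digest pinning is what makes a signature or scan result meaningful: the digest is the identity that was verified, whereas a tag only names whatever the registry currently returns for it.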
Beware the mega-container. A small number of large containers increases your attack surface and weakens overall security, because every package and file in an image is code an attacker can potentially use. Minimize what you ship in each image: choose a minimal base image and install only the libraries the application needs. For security as well as performance, images should also be rebuilt frequently from an updated base so that patched packages actually reach the running containers.
Additionally, shut down any network communication paths that are not actively used: between containers, from containers to the host, and from containers to outside networks. Default to deny and allow only the flows the application needs.
One of many ways to shift security left is to combat vulnerabilities before deployment. That requires a way to subscribe to vulnerability information from upstream projects, and scanning tools integrated with your CI/CD platform so that vulnerable packages and misconfigurations are found in the image before it is deployed rather than discovered at runtime.
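What the CI/CD integration actually decides is whether a scanner report should fail the build. The following is an added example written for this page, not any vendor's tool: a gate that blocks on findings at or above a severity threshold when a fix is available, always blocks on CRITICAL, and honours documented risk acceptances only until they expire. The report is constructed for the example; its `Results[].Vulnerabilities[]` keys mirror the layout of Trivy's JSON output (check against the version you run), and the `CVE-0000-*` identifiers are placeholders, not real vulnerabilities.

```python
"""CI gate over a container scan report.

Added example for this page. SAMPLE_REPORT and ACCEPTED_RISKS are constructed;
the CVE-0000-* identifiers are placeholders, not real CVEs.
"""
import json
import sys
from datetime import date
from typing import Dict, List, Optional

SEVERITY = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in a Trivy-like shape: one OS-package target, one application target.
SAMPLE_REPORT = {
    "ArtifactName": "registry.example.com/app/api:1.4.2",
    "Results": [
        {"Target": "registry.example.com/app/api:1.4.2 (debian 12.4)", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.3.1", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libcrit",
              "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "zlibish",
              "InstalledVersion": "1.2", "FixedVersion": "1.3", "Severity": "MEDIUM"},
         ]},
        {"Target": "app/requirements.txt", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0005", "PkgName": "examplelib",
              "InstalledVersion": "3.1", "FixedVersion": "3.2", "Severity": "HIGH"},
         ]},
    ],
}

# Constructed risk acceptances: every exception names a reason and an expiry date.
ACCEPTED_RISKS = {
    "CVE-0000-0005": {"reason": "vulnerable code path not reachable; tracked in ticket", "expires": "2099-01-01"},
}


def evaluate(report: dict, accepted: Optional[Dict[str, dict]] = None,
             fail_at: str = "HIGH", today: Optional[date] = None) -> List[str]:
    """Return the findings that block the build (empty list means pass).

    Policy: at or above `fail_at`, block when a fixed version exists (the team can act
    now); CRITICAL blocks even without a fix; an accepted risk is skipped only until
    its expiry so exceptions cannot silently become permanent.
    """
    accepted = accepted or {}
    today = today or date.today()
    threshold = SEVERITY[fail_at.upper()]
    blocking: List[str] = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev_name = v.get("Severity", "UNKNOWN").upper()
            fixed = v.get("FixedVersion") or ""
            if SEVERITY.get(sev_name, 0) < threshold:
                continue
            if not fixed and sev_name != "CRITICAL":
                continue
            exc = accepted.get(v["VulnerabilityID"])
            if exc and date.fromisoformat(exc["expires"]) >= today:
                continue
            blocking.append(f"{v['VulnerabilityID']} {sev_name} {v['PkgName']} "
                            f"{v['InstalledVersion']} -> {fixed or 'no fix'} [{result.get('Target')}]")
    return blocking


def main() -> int:
    # Usage: python gate.py report.json   (falls back to the constructed sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    blocking = evaluate(report, ACCEPTED_RISKS)
    for line in blocking:
        print("BLOCK", line)
    print("FAIL" if blocking else "PASS", report.get("ArtifactName", "?"))
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main())
```

The exit code is what the pipeline consumes; the printed lines are for the developer. Keeping the acceptance list in the repository, with expiry dates, is what turns a scanner from a source of noise into a gate that engineers respect.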
Container security requires more than just securing containers. Security of containers happens in an ecosystem, not in isolation. You also need to harden the entire stack: the host operating system, the container daemon and runtime, and the registry and orchestration systems the containers depend on.
Any compromise to the host environment can enable attackers to access your entire application environment.
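The daemon configuration is one concrete place where host hardening and the “shut down unused network paths” advice meet. The following is an added example written for this page, not part of Docker or any benchmark tool: it audits a `daemon.json` for settings that widen the host's attack surface. The two configurations are constructed; the keys it inspects (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`, `icc`, `userns-remap`, `no-new-privileges`) are real `daemon.json` options, and the file path in `main` is an assumption.

```python
"""Audit a Docker daemon.json for settings that expose the host.

Added example for this page. WEAK and HARDENED are constructed configurations.
"""
import json
import sys
from typing import List


def audit_daemon(cfg: dict) -> List[str]:
    """Return human-readable findings; an empty list means no issue was spotted."""
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts:
        if not cfg.get("tlsverify"):
            findings.append(f"daemon API on {tcp_hosts} without tlsverify: "
                            "anyone who can reach the port controls the host")
        else:
            missing = [k for k in ("tlscacert", "tlscert", "tlskey") if not cfg.get(k)]
            if missing:
                findings.append(f"tlsverify is set but {missing} are missing")
        if any("0.0.0.0" in h for h in tcp_hosts):
            findings.append("API bound to 0.0.0.0: bind to a management interface instead")
    # icc defaults to true: every container on the default bridge can talk to every other.
    if cfg.get("icc", True):
        findings.append("icc not disabled: unused container-to-container paths are open")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap unset: UID 0 in a container is UID 0 on the host kernel")
    if not cfg.get("no-new-privileges"):
        findings.append("no-new-privileges unset: container processes may gain "
                        "privileges through setuid binaries")
    return findings


# Constructed: an API exposed in the clear on every interface, everything else default.
WEAK = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}

# Constructed: mutual TLS on a management address, inter-container traffic off,
# user namespaces on, no privilege escalation.
HARDENED = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "icc": False,
    "userns-remap": "default",
    "no-new-privileges": True,
}


def main() -> int:
    # Usage: python audit.py /etc/docker/daemon.json  (path is an assumption)
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else WEAK
    findings = audit_daemon(cfg)
    for f in findings:
        print("FINDING:", f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Disabling `icc` is the daemon-level version of the default-deny rule: containers that need to talk are then linked or placed on a user-defined network explicitly, and everything else is closed.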
Traditional security tools were not designed to monitor running containers. Container security, like all security initiatives, requires visibility, specifically visibility of your assets beyond merely your hosts and their processes. You need a complete inventory of your containers, container images, and hosts. Hosts run your containers, and an attacker who gains control of a host controls every container on it.
Comprehensive container security must monitor all three: hosts, images, and running containers.
Ensure your solution can ingest container metadata so you can search or filter your container inventory by labels and tags.
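Three queries an inventory has to answer quickly are “which containers carry this label”, “which hosts are running this image digest” (the blast radius when an image turns out to be vulnerable), and “does the same tag resolve to different digests across the fleet” (someone re-pushed a tag). The following is an added example written for this page, not any product's code: a small constructed inventory in the shape an agent might report, with host names, container ids, digests and labels all made up for the example.

```python
"""Query a container inventory by label, by image digest, and for tag drift.

Added example for this page. INVENTORY is constructed: hosts, ids, digests and
labels are made up.
"""
from collections import defaultdict
from typing import Dict, List, Set

INVENTORY = [
    {"host": "node-a", "id": "3f1c2e",
     "image": "registry.example.com/app/api:1.4.2@sha256:" + "a" * 64,
     "labels": {"env": "prod", "team": "payments"}},
    {"host": "node-b", "id": "9b77d0",
     "image": "registry.example.com/app/api:1.4.2@sha256:" + "c" * 64,
     "labels": {"env": "prod", "team": "payments"}},
    {"host": "node-b", "id": "51aa09",
     "image": "registry.example.com/app/worker:2.0.0@sha256:" + "b" * 64,
     "labels": {"env": "staging", "team": "payments"}},
    {"host": "node-c", "id": "e0e0e0",
     "image": "docker.io/library/redis:7@sha256:" + "d" * 64,
     "labels": {"env": "prod", "team": "platform"}},
]


def by_labels(inventory: List[dict], **labels: str) -> List[dict]:
    """Containers whose labels include every key=value given."""
    return [c for c in inventory
            if all(c["labels"].get(k) == v for k, v in labels.items())]


def affected_hosts(inventory: List[dict], digest: str) -> List[str]:
    """Hosts running a container pinned to `digest`: where to act when that image is vulnerable."""
    return sorted({c["host"] for c in inventory if c["image"].endswith("@" + digest)})


def tag_drift(inventory: List[dict]) -> Dict[str, Set[str]]:
    """Tags that resolve to more than one digest across the fleet.

    The same tag pointing at two digests means the tag was re-pushed; 'app:1.4.2'
    no longer names one thing, so findings keyed by tag would be wrong.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for c in inventory:
        name, _, digest = c["image"].partition("@")
        if digest:
            seen[name].add(digest)
    return {tag: digests for tag, digests in seen.items() if len(digests) > 1}


if __name__ == "__main__":
    print("prod/payments:", [c["id"] for c in by_labels(INVENTORY, env="prod", team="payments")])
    print("hosts running api@a...:", affected_hosts(INVENTORY, "sha256:" + "a" * 64))
    print("tag drift:", tag_drift(INVENTORY))
```

Keying the inventory on digests rather than tags is what makes the “which hosts are affected” answer trustworthy; the drift check catches the case where a tag was silently replaced.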
Container security, like cloud security, must eliminate manual processes in addition to creating uniform templates. You should also have access to a comprehensive dashboard with insights such as filtering by severity so you can prioritize accordingly.
CheckPoint provides full lifecycle security and compliance for containers. CloudGuard Cloud Native Security provides vulnerability assessment, high fidelity posture management, and workload protection of your containers, from development through runtime, across your cloud environment.