Strategies and Technologies for Container Security

When adopting any new technology, the ability of that technology to mitigate or reduce security risks should always be on the table. Organizations hesitant to adopt containers are often wary of how their existing processes and paradigms address the challenges of securing containers in production.

For their many benefits, containers effectively represent a new layer in the application stack, which requires a new way of thinking about application security. In its Application Container Security Guide, NIST points out that as containers revolutionize application deployment, organizations must adapt their security strategies to new, dynamic production environments.

Just as traditional applications are vulnerable to attack, containerized applications and the containers holding them are as well. Organizations can begin designing an effective container security strategy by understanding the risks that containerization may pose. Here are a few considerations:

Isolation

For organizations using hardware virtualization, container isolation differs significantly from virtual machine (VM) isolation. The isolation provided by hypervisors in VM systems limits the ability of an attacker to move laterally within an application stack if an application is breached. But containerized applications don’t require hypervisors; instead, they share elements of the host operating system’s kernel. Some organizations worry that if they deploy container-based applications, a breach could expose more of their sensitive data than it would if they used VMs, due in part to the potential for different containers running on the same server to have access to different data.

Runtime Complexities

The dynamic nature of containers introduces new runtime complexities that application deployment teams must understand and manage. Container orchestration systems like Kubernetes are designed to quickly provision replicated instances of a container image. Containerized applications consist of one or more container images coupled to form the functionality required by the application. Application scalability is a function of the number of specific container images deployed at any given point. When a new feature is ready for deployment, the application owner creates an update strategy ensuring any existing users of the application aren’t impacted by the update. This update strategy defines the percentage of images to roll forward with the update, as well as how a rollback might occur in the event of errors being discovered.

Due to the dynamic nature of containerized deployments, monitoring for malicious behavior or unauthorized access becomes more difficult than in a traditional IT environment. Containerized applications often have different resource requests which are shared at the host server level. For these reasons, IT operations and security teams should become partners with their development teams and implement information sharing to understand expected behavior for the application.

Patch Management

Most container applications are created from base images, which are essentially limited, lightweight operating systems. Application container images combine a base image with application-specific elements, such as frameworks, runtimes, and the applications themselves with each element being a layer within the image. The contents of these layers present an attack surface that can harbor software vulnerabilities, introducing risk. While traditional application security focuses on testing the application for vulnerabilities, security testing of containerized applications must also address vulnerabilities latent within the layers of the image. This is because, absent restrictions to the contrary, any executable element within a container image can be executed – even if it’s not part of the application’s requirements.

It’s important to treat each container image as if it were a full operating system, and identify security issues as you would for any virtual machine or server. Remediation of those issues will need a different process, one which takes advantage of capabilities within containerized environments. Considering some clusters have reached the scale of 10,000 images or more, it’s not sufficient to simply scan container images; organizations must continue to actively monitor for newly discovered vulnerabilities in any layer – all without imposing performance penalties.

Common Approaches to Container Security

With the right tools, practices, and strategies, organizations can address the challenges of container security and protect their containerized applications from attacks. There is no silver bullet for container security, so organizations should use a combination of techniques and solutions suited to their IT governance requirements. Below are some common approaches to container security, as well as their pros and cons.

Conduct Manual Reviews

According to a study by Forrester, 43% of container users perform regular security audits of their clusters. These security audits may consist of tracking components with known vulnerabilities on spreadsheets or manually testing configurations. Often, an organization will conduct a manual review when it’s experimenting with containers. It takes time to determine which processes and technologies are appropriate for a container environment, which is why manual processes work for small, proof of concept deployments.

However, as organizations move more of their container applications into production, this approach does not scale. NIST points out the importance of having dedicated security solutions designed to scale up and down with container clusters. Traditional IT security methods and technologies that are not meant for highly dynamic containerized production environments may leave gaps in application security initiatives.

Run Containers on Virtual Machines

Another benefit of containers is that container runtimes can run anywhere, including within the technology they are disrupting: VMs. Some organizations run containerized applications on VMs to isolate their containers using hypervisors. They create application affinity based on data types within the VMs to prevent attackers from moving laterally within the application stack to access data belonging to other applications. While this strategy can limit the severity of an attack, it will not prevent the attack from happening in the first place.

Employ Container Runtime Security

Runtime security solutions are popular options for organizations hoping to detect and block malicious activity in their running containers in real time. By monitoring network calls to the host and attempts to log into containers, these solutions build behavioral models of every application in an environment. These behavioral models learn which network actions and file system and operating system activities and capabilities to expect.

Enact Container Patch Management

In contrast to runtime security, patch, or vulnerability, patch management is a proactive stance to container security—empowering teams to address vulnerabilities and mitigate attacks before they happen, rather than simply responding to them.

The core tenet of all patch management strategies is that you can’t patch what you don’t know you have. To secure their containers, organizations must know what they contain. With most container images originating with base images from public third-party sources, knowing the composition of an image is a critical function. Considering most container applications are Linux based, having an effective open source governance process is a key to recognizing latent issues within images. After all, open source components can appear throughout container images—from the base image to the application layer.

The 2018 Synopsys Open Source Security and Risk Analysis report found open source components in 96% of audited codebases, with the average codebase made of 57% open source code (up from 36% in the previous year). The 64 open source vulnerabilities found per codebase is a 134% increase from the prior year. Given modern applications are powered by open source technologies and the growing scale of container clusters, it’s unrealistic to expect organizations to successfully track open source components and any associated vulnerabilities manually.

While open source governance is a key component of container security, it’s important to recognize that existing patch management strategies may increase risk when applied to containers. Consider that many organizations have patch processes which remotely update running servers and virtual machines. When applied at face value to a containerized application, such a process would require shell access to running containers and wouldn’t address the lifecycle container management solutions employ. Effectively, the legacy patch model increases the attack surface and reduces application availability as the applications scale. A far more effective model would be to treat a patch like an application update and update the container image which would then be deployed using an update strategy. The net result being a more secure deployment paradigm which takes advantage of security advancements present within the technology.

While many CISOs and heads of IT departments are wary of the risk that containerization introduces, they can significantly lower that risk by using software solutions providing continuous visibility into any software vulnerabilities in their clusters – even as the external vulnerability landscape evolves. This is particularly true with open source components in image layers and within vendor supplied libraries used within applications.

Choosing the Best Container Security Strategy for Your Organization

As application deployment using container technologies grows in production environments, security processes must scale with them. To get a full picture of the risks in a container cluster, organizations must automate the process of identifying, mitigating, and alerting on any risks – regardless of source.

Since no single tool will completely secure container clusters, organizations should look to best of breed solutions which are integrated with their chosen orchestration solution. Such a model benefits from a defense in depth posture using different techniques to address some of the risks posed by containerization. Container runtime security solutions can help teams monitor and prevent unauthorized calls to the host, limiting the scope of breaches. This approach can help teams react to active attacks in real time. For those interested in proactively reducing risk to prevent attacks, vulnerability management solutions can help them automatically identify known vulnerabilities and remove them from their clusters—enabling them to reduce potential attack vectors at scale.