Container security is not a unitary action but a multifaceted process. It involves securing the build environment using secure code control and other strategies. The procedure also necessitates securing containers’ contents via code analysis and unit tests. At some point, organizations need to develop a plan to secure their containers in production systems, as well. Provided below are a few steps that organizations can take to strengthen their container runtime security. These recommendations are broken down into three categories: runtime security, platform security and orchestration manager security.
Runtime Security
Ensure the Security of the Control Plane
Limit access to two administrative accounts, one with responsibility for operating and orchestrating containers and the other for system administration. Network, physical and logical segregation should also be implemented for on-premise and cloud/virtual systems.
Resource Usage Analysis
Any external resource usage could serve as a potential attack point. It’s therefore good hygiene to limit these ingress and egress points using third-party tools that can monitor runtime access to environment resources inside and outside the container.
Selecting the Right Image
Create a trusted image repository and ensure that the production environment can pull containers from trusted sources only. Organizations should also look to procure a solution that’s capable of checking application signatures and rejecting containers that are not properly signed.
Immutable Images
One of the easiest ways that organizations can prevent attackers from manipulating their runtime containers in real time is by disallowing SSH connections. They should also keep track of changes and/or use version control.
Time to Live
It’s possible that a container could be susceptible to a new vulnerability if it’s been live for weeks or months. Organizations should, therefore, limit container lifetimes to a couple of hours or days at most, updating the image and replacing any running containers that still use the old image.
Input Validation
This is a no-brainer. Organizations need to validate the suitability and policy compliance of all input data either manually or using a security tool. They should also verify that each container receives the correct user and group ID.
Platform Security
A lot of container runtime security recommendations focus on securing the hypervisor and underlying operating system. But container runtime security should encompass more than that. It should also address platform security by keeping the following advice in mind:
Host OS/Kernel Hardening
Organizations can protect a host operating system from attacks and misuse by choosing a hardened variant of the OS. They can then use a baseline configuration to remove unnecessary features. Enterprises would also be wise to set user authentication and access roles along with permissions for binary access.
Resource Isolation and Allocation
A critical element of container security is limiting container access to underlying OS resources. Organizations can do this by making sure container privileges are assigned a role and that containers don’t run as the host OS root user. They can then use a resource isolation model that employs namespaces and cgroups.
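The audit below is an added example, not part of the original article. It checks several of the recommendations above (trusted image source, time to live, user ID, non-root and cgroup limits) against `docker inspect`-style records. It assumes a Docker host; the registry name, the two-day lifetime and the sample records are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

TRUSTED_REGISTRY = "registry.example.internal/"  # assumption: the trusted repository
MAX_AGE = timedelta(days=2)                      # assumption: local time-to-live policy
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc) # fixed clock so the run is repeatable

# Constructed sample records, trimmed to the fields the audit reads.
SAMPLE = json.loads("""[
 {"Name": "/api", "Created": "2024-01-09T08:00:00.123456789Z",
  "Config": {"Image": "registry.example.internal/api:1.4", "User": "10001:10001"},
  "HostConfig": {"Privileged": false, "Memory": 268435456}},
 {"Name": "/legacy", "Created": "2023-11-02T10:15:00.5Z",
  "Config": {"Image": "docker.io/library/nginx:latest", "User": ""},
  "HostConfig": {"Privileged": true, "Memory": 0}}
]""")

def parse_created(ts):
    """Parse Docker's RFC 3339 timestamp, dropping the fractional seconds."""
    head = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit(container, now):
    """Return the list of policy findings for one inspect record."""
    cfg, host = container["Config"], container["HostConfig"]
    findings = []
    if not cfg["Image"].startswith(TRUSTED_REGISTRY):
        findings.append("image not from trusted repository")
    # An empty User, "root" or UID 0 all mean the process runs as root.
    uid = cfg.get("User", "").split(":")[0]
    if uid in ("", "0", "root"):
        findings.append("runs as root")
    if host.get("Privileged"):
        findings.append("privileged mode")
    if not host.get("Memory"):  # 0 means no cgroup memory limit is set
        findings.append("no memory limit")
    if now - parse_created(container["Created"]) > MAX_AGE:
        findings.append("exceeds time to live")
    return findings

def audit_all(containers, now):
    return {c["Name"]: audit(c, now) for c in containers}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE, NOW).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The registry prefix check only confirms where an image was pulled from; signature verification remains a separate control.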
Segregate Workloads
It’s recommended that organizations isolate container engine/OS groups and their containers at the network level. They should also use only a limited number of containers per VM, grouping them by trust level/workload or assigning them to a dedicated cloud VPC.
Orchestration Manager Security
Container runtime security must also account for containers within a specific orchestration manager framework. Oftentimes, container managers need tuning in order to be secure. Here’s some guidance towards that end:
- Limit who can access admin features
- Segregate development and production resources
- Set network security policies to “default deny” inbound connections
- Limit services and users that can access metadata
- Ensure requesting parties are authorized
- Quickly patch and replace vulnerable cluster services and containers
- Collect logs from all containers and nodes
- Use security checkers and benchmarks like the CIS Critical Security Controls