Ah, the wonders of technology. In the innovation-rich Information Age, we are the beneficiaries of a nonstop wave of new advancements, each offering the ability to execute vital tasks faster and more efficiently than ever before. However, along with each breakthrough come potential security vulnerabilities. Such is the case with containerization. Though its roots date back four decades, the rapid rise in the use of container technology today is revolutionizing cloud computing, specifically with regard to how businesses develop and deploy applications and services. Recent estimates indicate that well over half of Fortune 100 companies have embraced the use of containers, and the numbers appear to be growing fast. The list of benefits is too impressive to ignore. According to an IBM report (“The Benefits of Containerization and What It Means for You”), these include:
- Portability between different platforms and clouds
- Efficiency through using far fewer resources than virtual machines and delivering higher utilization of compute resources
- Agility that allows developers to integrate with their existing DevOps environment
- Higher speed in the delivery of enhancements
- Faster app start-up and easier scaling
- Easier management
- Improved security by isolating applications from the host system and from each other
You’ll notice that one of the bullet points is “improved security.” However, the use of containerization also introduces potential security vulnerabilities that users must address. We’ll explore these in detail, but first a quick recap on what container technology is all about.
What Are Containers?
“Everything at Google runs on containers,” according to a report on the company’s website. “Containerization allows our development teams to move fast, deploy software efficiently and operate at an unprecedented scale.” Google reports that it starts over two billion containers every week. But what are they? Here are several definitions.
A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.
— Docker, a major player in container technology
Containers are lightweight software components that bundle the application, its dependencies, and its configuration in a single image, running in isolated user environments on a traditional operating system on a traditional server or in a virtualized environment.
— IBM, Rajeev Gandhi and Peter Szmrecsanyi
Containers are a solution to the problem of how to get software to run reliably when moved from one computing environment to another. This could be from a developer's laptop to a test environment, from a staging environment into production, and perhaps from a physical machine in a data center to a virtual machine in a private or public cloud.
— CIO.com, “What are containers and why do you need them?”
Containers offer a logical packaging mechanism in which applications can be abstracted from the environment in which they actually run. This decoupling allows container-based applications to be deployed easily and consistently, regardless of whether the target environment is a private data center, the public cloud, or even a developer’s personal laptop.
— Google, “Containers 101”
A Closer Look at Container Security
As container adoption continues to grow, a strong focus on security is an absolute must. In 2018, some 60% of organizations that use containers suffered a container-related security incident, according to a Tripwire survey. Along with this finding from respondents representing hundreds of organizations that currently have containers in production came several additional concerning statistics:
- 47% said they deployed containers known to have vulnerabilities, and
- 46% admitted they deployed containers without knowing whether or not they had vulnerabilities.
Overall, 94% of respondents said they have container security concerns, and 71% predicted that container security incidents would continue to increase.
“As with all software, containerized applications can fall prey to security vulnerabilities of various kinds, including bugs, inadequate authentication and authorization, and misconfiguration,” according to TechBeacon.com. “Furthermore, containerized applications tend to be complex, comprising many discrete components that communicate with one another over a network. As a result, the total attack surface of the environment can be large, with potential trouble spots in multiple layers of the architecture.”
The rise in popularity of containers has challenged security administrators to figure out how to best secure the container ecosystem — including the entire container stack, lifecycle and pipeline. “Introducing good security hygiene into the container ecosystem is not a simple task,” according to Tripwire, which has compiled a comprehensive analysis of container security best practices titled “Securing the Entire Container Stack, Lifecycle and Pipeline.”
To help defend against potential container security vulnerabilities, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has put together a detailed set of recommendations. “Container security differs from traditional security methods due to the increased complexity and dynamism of the container environment. Simply put, there are a lot more moving pieces. Container security comprises everything from the applications they contain to the infrastructure they run on,” according to DevOps platform innovator GitLab, which summarizes the key takeaways from NIST’s Application Container Security Guide as follows:
- Rethink your organization’s operational culture and technical processes to support the new way of developing, running and supporting applications made possible by containers. Adopting containers might be disruptive to your existing culture and development methodologies, and your current practices might not be directly applicable in a containerized environment. Encourage, educate and train your team to rethink how they code and operate.
- Use container-specific host OSs instead of general-purpose ones to reduce attack surfaces. A container-specific host operating system is a minimalist OS designed to only run containers. Using these OSs greatly reduces attack surfaces.
- Only group containers with the same purpose, sensitivity and threat posture on a single host OS kernel to allow for additional in-depth defense. Segmenting containers provides additional defense-in-depth. Grouping containers in this manner makes it more difficult for an attacker to expand potential compromises to other groups. It also increases the likelihood that compromises will be detected and contained.
- Adopt container-specific vulnerability management tools and processes for images to prevent compromises. Traditional tools make many assumptions that are misaligned with a containerized model and are often unable to detect vulnerabilities within containers. Adopt tools and processes to validate and enforce compliance with secure configuration best practices for images, including centralized reporting, monitoring each image and preventing non-compliant images from being run.
- Consider using hardware-based countermeasures to provide a basis for trusted computing. Extend security practices across all tiers of the container technology by basing security on a hardware root of trust, such as the Trusted Platform Module (TPM).
- Use container-aware runtime defense tools. Deploy and use a dedicated container security solution capable of monitoring the container environment and providing precise detection of anomalous and malicious activity within it. The most efficient way to ensure security at scale is to integrate security functions and procedures into each phase of development and deployment.
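The fourth recommendation above (validate images against secure-configuration baselines and prevent non-compliant images from being run) is usually enforced as an admission gate in the deployment pipeline or cluster. The following is an added example of such a gate, written for this page; it is not code from the article, NIST, GitLab or Tripwire, and the shapes of the scan findings, image metadata and policy are assumptions rather than any particular scanner's or orchestrator's format. The CVE identifiers and image references in the sample data are constructed placeholders.

```python
"""Image admission gate: deny an image that violates the configured baseline.

Constructed example. The Finding/ImageMeta/Policy shapes are assumptions
standing in for a real scanner report and image config; they are not any
specific tool's output.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Severity ordering used by the gate; a finding blocks the image when it
# ranks above the policy's tolerated maximum. Unknown severities fail closed.
SEVERITY_RANK = {"NEGLIGIBLE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    cve_id: str                     # identifier as reported by the scanner
    severity: str                   # one of SEVERITY_RANK's keys
    fixed_in: Optional[str] = None  # package version carrying the fix, if any


@dataclass
class ImageMeta:
    """What the gate needs to know about one image (assumed shape)."""
    reference: str                  # registry/repo[:tag][@sha256:digest]
    user: str                       # effective USER from the image config
    findings: List[Finding] = field(default_factory=list)


@dataclass
class Policy:
    allowed_registries: Tuple[str, ...]
    max_severity: str = "MEDIUM"    # highest severity still tolerated
    require_digest: bool = True     # image must be pinned by content digest
    forbid_latest: bool = True      # mutable ':latest' tag is not allowed
    require_nonroot: bool = True    # image must not run as root


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]


def parse_reference(reference: str):
    """Split 'registry/repo:tag@sha256:...' into (registry, tag, digest).

    The registry may carry a port ('registry:5000/app:1.0'), so the tag is
    read only from the last path segment, after the digest is stripped.
    A reference with no registry component (Docker Hub shorthand) yields "".
    """
    name, _, digest = reference.partition("@")
    if "/" in name:
        registry, path = name.split("/", 1)
    else:
        registry, path = "", name
    last_segment = path.rsplit("/", 1)[-1]
    tag = last_segment.partition(":")[2] or None
    return registry, tag, (digest or None)


def evaluate(image: ImageMeta, policy: Policy) -> Decision:
    """Return an allow/deny decision listing every violated rule."""
    reasons = []
    registry, tag, digest = parse_reference(image.reference)

    if registry not in policy.allowed_registries:
        reasons.append(f"registry {registry!r} is not on the allow-list")
    if policy.require_digest and not digest:
        reasons.append("image is not pinned to a content digest")
    if policy.forbid_latest and tag == "latest":
        reasons.append("image uses the mutable 'latest' tag")
    if policy.require_nonroot and image.user in ("", "root", "0"):
        reasons.append(f"image runs as root (USER={image.user!r})")

    limit = SEVERITY_RANK[policy.max_severity.upper()]
    for f in image.findings:
        rank = SEVERITY_RANK.get(f.severity.upper())
        if rank is None:
            reasons.append(f"{f.cve_id} has unrecognised severity {f.severity!r}")
        elif rank > limit:
            fix = f"fixed in {f.fixed_in}" if f.fixed_in else "no fix available"
            reasons.append(f"{f.cve_id} is {f.severity} ({fix})")

    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample policy and images; CVE ids are placeholders, not real advisories.
POLICY = Policy(allowed_registries=("registry.example.internal",), max_severity="MEDIUM")
GOOD_IMAGE = ImageMeta(
    reference="registry.example.internal/payments/api:1.4.2@sha256:" + "a" * 64,
    user="10001",
    findings=[Finding("CVE-0000-0001", "LOW"),
              Finding("CVE-0000-0002", "MEDIUM", fixed_in="2.3.1")],
)
BAD_IMAGE = ImageMeta(
    reference="docker.io/library/app:latest",
    user="root",
    findings=[Finding("CVE-0000-0003", "CRITICAL", fixed_in="1.1.1"),
              Finding("CVE-0000-0004", "HIGH")],
)

if __name__ == "__main__":
    for img in (GOOD_IMAGE, BAD_IMAGE):
        d = evaluate(img, POLICY)
        print(img.reference, "->", "ALLOW" if d.allowed else "DENY")
        for r in d.reasons:
            print("  -", r)
```

The gate fails closed on anything it cannot classify and reports every violation at once rather than stopping at the first, which is what makes the centralized reporting the recommendation asks for useful: a team can see all the reasons an image was refused in one place instead of fixing them one rejection at a time.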
Container Security [Additional Resources]
Here is a round-up of additional resources from industry websites, public agencies and container security solutions providers:
- National Institute of Standards & Technology — Application Container Security Guide
- TechBeacon — “Container Security: What You Need to Know About the NIST Standards”
- StackRox - Docker Container Security 101: Risks and 33 Best Practices
- RedHat — “What Is Container Security?”
- Hewlett Packard Enterprise — “5 Ways to Secure Your Containers”
“Introducing good security hygiene into the container ecosystem is not a simple task,” according to Tripwire. To help, they have compiled several helpful resources on container security, including:
- Tripwire State of Container Security Report
- Securing the Entire Container Stack, Lifecycle and Pipeline
About the Author: Michelle Moore, Ph.D., is academic director and professor of practice for the University of San Diego’s innovative, online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher, author and cybersecurity policy analyst with over two decades of private-sector and government experience as a cybersecurity expert.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.