Container adoption, spurred by app modernization efforts, continues to grow
You don’t have to look far to see that container adoption is on the rise. According to a recent report from RightScale, container adoption increased last year over 40 percent to now hit 49 percent of organizations.* Not surprisingly, Kubernetes adoption doubled to reach 27 percent of respondents. As container adoption rises, so should concerns about best practices for container security to not only protect running containers in production, but also secure containers across the full application lifecycle.
Architecture: How containers differ from VMs
Container architecture changes key security concerns and requirements compared to the old world of legacy applications. In the diagram below, you can see some of the architecture differences between VMs and containers.
With virtual machines, you have only a host OS, a guest OS, and a guest application environment to secure. On bare metal, and in most types of cloud-based environments, the security situation is even simpler because there are fewer layers of software.
Containerized environments have many more layers of abstraction that require specialized tools to interpret, monitor, and protect these new applications. In a production container environment, you have a number of different layers to secure. In addition to the host OS and the container runtime, you have an orchestrator, a container registry, images, and most likely several different microservices within your application. Finally, containerized applications add complexity by redefining the old notion of protecting a single “perimeter”, requiring new approaches for securing the network layer.
How containers change the security paradigm
The methods for securing containers have morphed alongside the evolution of infrastructure.
Automation has shifted security across the SDLC: Because containers encapsulate all their dependencies, they can move easily from a development environment, to a test environment, to a production environment, making frequent deployments by way of automation the new reality.
Containers scale up and down far more significantly: Applications built using a microservices architecture consist of many interrelated entities, and the number of deployed entities can grow quickly as orchestrators seamlessly scale your apps up or down according to demand. Additionally, manually creating and maintaining security rules for each entity is impractical.
Development cycles have shrunk from months to days or hours: Developers, as they aim to deliver business value, are deploying more quickly than ever before — in times measures in hours and days, not months. Integrating security into CI/CD workflows and implementing DevSecOps best practices provides incredible security advantages in the world of containers.
Securing the entire container stack
A container environment, in general, encompasses your images, containers, hosts, container runtime (Docker, runC, cri-o, containerd), registries, and orchestrator. Understanding potential risks and how to protect your environment against them is essential.
Image vulnerabilities and compliance concerns: Vulnerabilities can impact container images just like any other legacy code framework — that’s why scanning images for both vulnerabilities and compliance issues, building a bill of materials, identifying any embedded secrets or malware, and correlating risk to individual image layers ensures developers are building secure images. Additionally, organizations need to remember drift can be a big problem for containers. An image that was scanned and passed your vulnerability and compliance requirements today may not be secure in future as new threat data identifies components that were thought to be secure are actually vulnerable. This is why today’s enterprises need to continuously monitor images and containers for drift.
Securing the registry: A container registry provides a convenient, centralized source for storing and distributing application images. Today’s organizations can easily have tens of thousands of images stored in their registries. Because the registry is central to the way your containerized environment operates, it’s essential to secure it. Intrusions or vulnerabilities within the registry provide an easy opening for compromising your running application. Continuously monitoring registries for any change in vulnerability status is a core security requirement, in addition to locking down the server that hosts the registry and using secure access policies.
Container runtime protection: The container runtime is one of the most difficult parts of a container stack to secure because traditional security tools were not designed to monitor running containers. They can’t peer inside containers or establish good baselines for what a secure container environment looks like. Organizations using containers need to establish a behavioral baseline for your container environment in a normal, secure state to detect and prevent anomalies or attacks. Runtime security requires security teams to focus on securing the application, rather than only relying on network-level security tools to keep them safe.
Devops, infrastructure, and security teams should embrace the concept of immutability, replacing existing containers with new containers whenever you make an update to your applications or services. Immutability presents security advantages so users aren’t attempting to perform live updates on running containers, which leads to configuration drift and poor enforcement of security policies.
Orchestration concerns: Security and infrastructure teams need to enact proper access control measures to prevent risks from over-privileged accounts, attacks over the network, and unwanted lateral movement. Using a least-privileged access model, where Docker and Kubernetes activity is explicitly whitelisted, ensures users can only perform commands based on appropriate roles. Additionally organizations need to protect pod-to-pod communications, limiting damage by preventing attackers from moving laterally through your environment, and secure any front end services from attacks like the OWASP Top 10.
Protecting the Host OS: The OS that hosts your container environment is perhaps the most important layer of the stack because an attack that compromises the host environment could provide intruders with access to everything else in your stack — that’s why hosts need to be scanned for vulnerabilities, hardened based on specific CIS Benchmarks, and protected to prevent improper access control (Docker commands, ssh commands, sudo commands, etc.) or file tampering.