Containers are popular among organisations transforming their IT operations from physical, single-tenant computing resources to a more efficient service provider infrastructure model. The container framework popularised by Docker simplifies and accelerates application deployment by packaging operating system components, applications, and all dependencies into layers within what’s known as a container image.
A primary goal of any organisation adopting a new technology should be a reduction in security risk. Organisations hesitant to adopt containers are often wary of the challenges of securing containers in production. For their many benefits, containers also represent a new layer in the application stack, which requires a new way of thinking about application security. In its Application Container Security Guide (opens in new tab), NIST points out that as containers revolutionise application deployment, organisations must adapt their security strategies to new, dynamic production environments.
Containerised production environment security challenges
Just as traditional applications are vulnerable to attack, containerised applications and the containers holding them are as well. Organisations can begin designing an effective container security strategy by understanding the risks that containerisation may pose. There are some challenges which need to be considered in advance of any attempts to secure containers:
- Isolation. Container isolation differs from virtual machine (VM) isolation. The isolation provided by hypervisors in VM systems limits the ability of an attacker to move laterally within an application stack if it is breached. However, container applications don’t require hypervisors; instead, they share elements of the host operating system. Some organisations worry that if they used containers, a breach would expose more of their sensitive data than it would if they used VMs, which may limit the reach of an attacker.
- Runtime complexities. The dynamic nature of containers introduces new runtime complexities that application deployment teams must understand and manage. Applications in containers can make calls to the host to request access to resources, including files, on shared storage systems. If attackers compromise a containerised application, they might gain access to sensitive information on these shared systems. For this reason, IT operations and security teams should monitor their containers’ behaviour and prevent unauthorised activities.
- Vulnerability management. Most container images are created from base images, which are essentially limited, lightweight operating systems. Application container images combine base images with application-specific elements, such as frameworks, runtimes, and the applications themselves. Each layer in a container image is an attack surface that can harbour software vulnerabilities, thereby introducing risk into the organisation. But discovering where these risks exist can be difficult, considering some clusters have reached the scale of 10,000 images or more. And even after an organisation has scanned all its containers, it must continue to monitor them for newly discovered vulnerabilities in any layer.
Container security strategies and technologies
While securing container clusters may seem daunting, security teams hoping to protect passwords, customer data, personal information, and other sensitive information can—and should—control the security risks associated with containers.
With the right tools, practices, and strategies, organisations can address the challenges of container security described above and protect their containerised applications from attacks. There is no golden goose for container security, so organisations should use a combination of techniques and solutions suited to their IT governance requirements. Below are some common approaches to container security, as well as their pros and cons.
Conducting manual reviews
According to a 2017 study by Forrester (opens in new tab), 43 per cent of container users perform regular security audits of their clusters. These security audits may consist of tracking components with known vulnerabilities on spreadsheets or manually testing configurations. Often, an organisation will conduct a manual review when it’s experimenting with containers. It takes time to determine which processes and technologies are appropriate for a container environment, which is why manual processes work for small, immature deployments.
However, as organisations move more of their container applications into production, this approach does not scale. NIST points out the importance of having dedicated security solutions designed to scale up and down with container clusters. Traditional IT security methods and technologies that are not meant for containerised production environments may leave gaps in application security initiatives
Running containers on virtual machines
Another benefit of containers is that they can run anywhere, including within the technology they are disrupting: VMs. Some organisations run containerised applications on VMs to isolate their containers using hypervisors. They do so to prevent attackers from moving laterally within the application stack to access data belonging to other applications, as described earlier. While this strategy can limit the severity of an attack, it will not prevent the attack from happening in the first place.
Employing container runtime security
Runtime security solutions are popular options for organisations hoping to detect and block malicious activity in their running containers in real time. By monitoring network calls to the host and attempts to log into containers, these solutions build behavioural models of every application in an environment. These behavioural models learn which network actions and file system and operating system activities and capabilities to expect.
Whenever runtime security solutions detect that a container has been asked to perform an unexpected function, they can block the action and notify IT teams. And since network security is a runtime responsibility, these solutions can also block blacklisted IP addresses—permitting only legitimate connections. By limiting network access in the face of unexpected network traffic, runtime solutions can shut down a hacker’s container network activity in the case of a breach. This limits the extent to which the attacker can move laterally through the container cluster—reducing the “blast radius” of an attack.
Runtime security is an important element of a container security strategy, acting as a last line of defence against malicious actors. However, this approach is reactive rather than proactive.
Enacting vulnerability management
Governance regulations increasingly require a level of continuous monitoring for vulnerabilities in deployed applications. Organisations should act swiftly to prevent attacks by eliminating any latent vulnerabilities that might enable attacks. In contrast to runtime security, vulnerability management is a proactive stance to container security—empowering teams to remove vulnerabilities and prevent attacks before they happen, rather than responding to them.
To secure their containers, organisations must know what they contain. After all, it’s not possible to patch something if you don’t know it exists. But the widespread use of open source poses a challenge. Open source components appear throughout container images—from the base image to the application layer.
The 2018 Open Source Security and Risk Analysis (opens in new tab) report found open source components in 96 per cent of audited codebases, with the average codebase made of 57 per cent open source (up from 36 per cent last year). Additionally, the 64 open source vulnerabilities per codebase is a 134 per cent increase from the year prior. Given the pervasive use of open source and the growing scale of container clusters, it’s unrealistic to expect organisations to track open source components and their associated vulnerabilities manually.
Vulnerability management technology can help organisations keep track of the open source components in container images, as well as their vulnerabilities. While many CISOs and heads of IT departments are wary of the risk that containerisation introduces, they can significantly lower that risk by using software solutions that give them continuous visibility into the vulnerabilities in their clusters.
As application deployment using container technologies grows in production environments, security processes must scale with them. Containerisation provides a number of intrinsic security benefits, such as consistent deployment models, and production container security models should take full advantage of these benefits. To get a full picture of the risks in a container cluster, organisations must automate the process of identifying, mitigating, and alerting on any risks – regardless of source or container origin.
Tim Mackey, technical evangelist, Synopsys (opens in new tab)
Image source: Shutterstock/TechnoVectors