Understanding and Applying Container Security
In a microservices architecture, maintaining container security at all stages is a primordial requirement and needs to cover many facets.
The container’s inner components– a container contains images, imported or custom-created, common tools, compilers and RIBs, framework, and app code. Each of these components’ vulnerabilities needs to be managed at every step of the container’s lifecycle to ensure container security.
The container’s communication system– a container interacts with the host’s operating system and with other containers on the same host. The container security is at risk if misconfigurations open vulnerabilities in the communication network.
The container’s host operating system
The container networking– containers communication intra and inter clusters and with other external sources.
Container Storage Interfaceto maintain security without impeding access
The container’s security at run time
The container orchestration systemconsisting of escalated privileges access to the container via a set of APIs.
To understand the complexity of securing containers, the first step is to understand what a container is.
What is a Container
A container is a virtual “box” containing a piece of software and its dependencies (e.g., libraries, system tools, code, registries, etc., and, most importantly, for container security, settings and policies.) Containers address several issues faced by developers when deploying applications. Thanks to their simple packaging, they accelerate application development and deployment, increase scalability, facilitate a generalization of management, reduce environmental dependencies, and support microservices. Microservices are critical to accelerate the integration of business demands in applications and provide the flexibility that enables the rapid integration of app updates. That flexibility is essential to rapidly adapt an app to evolving specifications emanating from an organization’s business side and provides fast reaction time ideal to optimize business adaptability to fluctuating market conditions and customers’ or users’ unfolding preferences. But this new eco-system means that DevOps and security teams now share the responsibility of ensuring container security.
Understanding the Elements of Container Security
Running an app in a containerized environment implies a complete rethinking of the former security perimeter defending monolithic applications. Without this security perimeter, what are the threats to container environments?
Threats to Container Build Environment
When building a container, whether with an original or an imported image, DevOps need to ensure that:
- No malicious or unintentional source code changes are taking place
- The automation of the container building system is free of alteration
- Configuration for the runtime deployment and access privileges are free of errors that might expose credentials
- All runtime codes have been scanned
Threats during Runtime
Communication between containers and between containers and external data sources, vendors, operating system, etc., are fraught with risks, and navigating between the need for flexibility and the need for tightening container security policies requires comprehensive mapping of the access rights to the operating system and host resources, as well of continuous monitoring to catch existing and emerging vulnerabilities.
Threats to the Operating System Security
A single misconfigured container can jeopardize the entire OS. Managing access privilege is a key factor in tightening container security and shielding the OS from unwanted exploits introduced when managing the container’s access to subsets of resources.
Threats from Orchestration Manager Misconfiguration
As the container technology evolved, orchestration managers, such as the now undisputed market leader Kubernetes, emerged to tackle communication between containers, and between containers, OS, and external resources.
Kubernetes orchestration manager bundles containers in pods, themselves organized in clusters interacting in an on-premise, cloud, multi cloud or hybrid environment. Ensuring container security requires taking into account all the moving parts of a container lifecycle, from build stage to connectivity during deployment and runtime.
Applying Comprehensive Security for Containers
Given the built-in intricate complexity of orchestration managers, opting for a container security solution is the most effective option. A comprehensive container security solution covers all the elements needed to configure and monitor the security for containers and provides an easy interface enabling rapid detection and mitigation of emerging vulnerabilities before they can be leveraged by malicious actors. A typical Kubernetes environment will have several clusters (e.g., dev, testing, prod, finance …) distributed across environments. The first step to managing communication between these environments effectively is to have a clear picture of the communication between these components, both architecturally and in detail.
What defines whether a connection is established or not is defined by rules and policies that must be configured at every level and every stage, for example, configuring pod policies (aka PSP). These indicate whether the right security profile is associated with the container to enable connection or deployment.
Especially in a hyper-connected containerized environment, monitoring each workload, connection, event, and namespace at all times is an essential aspect of ensuring container security. Ideally, monitoring tools provide an at-a-glance evaluation of each component’s risk, including the presence and severity of identified threats and vulnerabilities, whether at deployment or runtime.
For each element, an in-depth analysis of the detected risk coupled with immediate access to remediation tools complete the components of an optimal container security solution.
Cisco Cloud Native Security Solution bakes in container security from in the CI/CD build process, at deployment and runtime, in every pod, cluster, and environment, including service mesh security.
Read more about:
- Protection from Multiple Attack Vectors
- Detecting Runtime Vulnerabilities
- Securing a multi-cluster service mesh
- Or check our guide on how to Implement Kubernetes Security