What is Container Security?

Video: Containers is one of the most exciting innovations in application development and cloud computing, but organization looking to leverage containers need to know the best way to secure them.

Before diving into the details of container security, it’s necessary to understand the platforms used for managing containers. We’ll focus on one of the biggest and most well-known platforms, Kubernetes.

What is Kubernetes?

Kubernetes is one of the leading orchestration platforms that helps optimize and implement a container-based infrastructure. More specifically, it is an open-source platform used for managing containerized workloads that enable organizations to automate processes such as application development, deployment, and management.

As a relatively new open-source platform, there is a huge opportunity for securing Kubernetes. It's important to create a secure environment, especially when bringing open source code into a third-party application. The fact that Kubernetes is a sprawling platform with so many integrations for managing containers makes it easy to build an automated, systematic set of processes that bakes security into the core of the Kubernetes build and deployment process.

Benefits of Containers

To put it simply, containers make building, deploying, and scaling cloud native applications easier than ever. For cloud native app developers, the biggest benefits of containers are:

1. Eliminating friction: Developers avoid much of the friction typically associated with moving application code from testing through to production, since the application code packaged up as containers can run anywhere.
2. Single source of truth for application development: All the dependencies associated with the application are included within the container. This enables the application to run easily and identically across virtual machines, bare metal servers running in a local data center, or even on a public cloud.
3. Faster build times: The flexibility and portability of containers enables developers to make huge gains in productivity that were previously unattainable.
4. Confidence for developers: Developers can deploy their applications with confidence, knowing their application or platform will run the same across all operating systems.
5. Enhanced collaboration: Multiple teams using containers can work on individual parts of an app or service without disrupting the code packaged in other containers.

As is the case with any new IT architecture, cloud native applications still need to be secured. Container environments bring with them a range of cybersecurity challenges involving images, containers, hosts, runtimes, registries, and orchestration platforms, which all need to be protected.

Container vs Virtual Machine (VM)

According to the 2020 State of Cloud Native Security Report, enterprises expect to run as much as 30% of their workloads on virtual machines (VMs) and 24% on containers by 2022. A strategy and understanding for how to secure both will be a primary focus of an enterprise’s cloud workload protection platform. While they share some similarities, there are several key differences between containers and virtual machines.

• A container is specific to one application. It holds the application, all the functions necessary to run it, and nothing else. This makes it lightweight and easy to deploy across multiple environments, making it the ideal choice for cloud native application development.
• A virtual machine (VM) virtualizes the underlying hardware and can therefore run far more operations and functions than a single container. But while a virtual machine is bigger than a container, it is not necessarily better — especially when it comes to cloud native development. Trying to build and run an entire app within a VM often leads to bloated, unwieldy VMs with compounding failures and delayed updates. In short, VMs do not offer the speed, flexibility, or portability of containers.

How to Secure Containers

Container users need to ensure they have purpose-built, full stack security to address vulnerability management, compliance, runtime protection, and network security requirements of their containerized applications. Listed below are the four types of container security.

Container Network Security

Container network security proactively restricts unwanted communication and prevents threats from attacking your applications once deployed.

Organizations can use containerized next-generation firewalls to protect their containers from network-based threats. Most network based attacks are agnostic of application’s form factor. Therefore, containerized applications are subject to many of the same network-based attacks that infect bare metal and VM based apps, such as cryptojacking, ransomware, BotNetC2, and many more. Containerized next-generation firewalls stop malware from entering and spreading within the cluster, while also preventing malicious outbound connections used in data exfiltration and command-and-control (C2) attacks. While shift-left security tools provide deploy-time protection against known vulnerabilities, containerized next-gen firewalls provide protection against unknown and unpatched vulnerabilities.

Microsegementation tools coupled with next-gen firewalls provide comprehensive container network security. Identity-based microsegmentation helps restrict the communication between applications at layer-3/4 while containerized next-gen firewalls perform layer-7 deep packet inspection and scan all the allowed traffic to identify and prevent known and unknown threats.

Container Runtime Security

In-container runtime security is the process of identifying new vulnerabilities in running containers and securing the application against them.

The container runtime is one of the most difficult parts of a container stack to secure because traditional security tools were not designed to monitor running containers. They can’t peer inside containers or establish good baselines for what a secure container environment looks like.

Organizations using containers must leverage enhanced runtime protection to establish behavioral baselines for their container environments in a normal, secure state to detect anomalies and attacks. Runtime container security can identify and block malicious processes, file, and network behavior that deviates from a baseline. Organizations should use a defense-in-depth strategy to protect their containers. In addition to container network security via containerized next-gen firewalls, container runtime protection can serve as another layer of security to block malware.

Additionally, runtime protection can include embedded web application and API security to prevent HTTP based layer 7 based attacks, such as the OWASP Top 10, denial of service (DoS) or bots.

Container Register Security

Since containers are made up of libraries, binaries, and application code, it’s critical for enterprises to establish an official container registry in their organization. Doing so is a key first step to building security and fueling the move to DevSecOps.

A container registry provides a convenient, centralized means of storing and distributing application images. Modern organizations can easily have tens of thousands of images stored in their registries. Because the registry is central to the way a containerized environment operates, it’s essential to secure it.

Intrusions or vulnerabilities within the registry provide an easy opening for compromising running applications. Continuously monitoring registries for any change in vulnerability status is a core security requirement. Other requirements include locking down the server that hosts the registry and using secure access policies.

Container Orchestration Security

Container orchestration security is the process of enacting proper access control measures to prevent risks from over-privileged accounts, attacks over the network, and unwanted lateral movement. By leveraging Identity Access Management (IAM) in cloud security and a least-privileged access model, where Docker and Kubernetes® activity is explicitly whitelisted, security and infrastructure teams can ensure that users can only perform commands based on appropriate roles.

Additionally, organizations need to protect pod-to-pod communications, limit damage by preventing attackers from moving laterally through their environment, and secure any front-end services from attacks.

Host Operating System (OS) Security

Host OS security is the practice of securing your operating system (OS) from a cyber attack. As cloud native app development technology grows, so does the need for host security.

The OS that hosts your container environment is perhaps the most important layer when it comes to security. An attack that compromises the host environment could give intruders access to all other areas in your stack. That’s why hosts need to be scanned for vulnerabilities, hardened based on specific CIS Benchmarks, and protected against improper access control (Docker commands, SSH commands, sudo commands, etc.) or file tampering.

Container Security Solutions

In the last year alone, the container security solutions that organizations can rely on have grown in terms of both capabilities and sophistication. Regardless of what level of DevSecOps maturity has been attained, container security tools are now more accessible than ever. The container security solutions any organization will be required to adopt and master include:

• Container monitoring: The ability to monitor your registry for vulnerabilities is essential to maintaining container security. Because developers are continually ripping and replacing containers, monitoring tools that enable cybersecurity and IT operations teams to apply time-series stamps to containers are critical when trying to determine precisely what happened in a containerized environment.
• Container scanning tools: Containers need to be continuously scanned for vulnerabilities, both before being deployed in a production environment and after they have been replaced. It’s too easy for developers to mistakenly include a library in a container that has known vulnerabilities. It’s also important to remember that new vulnerabilities are discovered almost daily. That means what may seem like a perfectly safe container image today could wind up being the vehicle through which all kinds of malware is being distributed tomorrow. That’s why maintaining container image trust is a central component of container scanning tools.
• Container network security tools: Once deployed, containers need to be protected from the constant attempts to steal proprietary data or compute resources. Containerized next-generation firewalls, WAAS, and microsegmentation tools inspect and protect all traffic entering and exiting containers (North-South and East-West), granting full Layer-7 visibility and control over the Kubernetes environment. Furthermore, the containerized firewalls dynamically scale with the rapidly changing size and demands on the container infrastructure, guaranteeing security and bandwidth for business operations.
• Policy engines: Modern tools make it possible for cybersecurity teams to define policies that essentially determine who and what is allowed to access any given microservice. Organizations need a framework for defining those policies and making sure that they are consistently maintained across a highly distributed container application environment.

Not Sure Where to Begin with your Container Security Implementation?

Download the free guide to understand the basics of container security - and you can also download this eBook to understand the principles of container NGFWs.