Container Security

What Is Container Security?

Container technologies such as Docker and Kubernetes are a foundation of modern DevOps processes. Container security involves securing containers, the infrastructure they run on, and the applications running within them during build, deployment, and runtime. Another dimension is securing containers at a cluster and orchestrator level.

Container security is a challenge because traditional security tools are often not compatible with containerized environments. In addition, with the emergence of DevSecOps, organizations are realizing it is important to integrate container security into the entire development lifecycle. Enterprise container security must include dedicated container security tools and be aligned with the organization’s existing security policies and processes.

Why Is Container Security Important?

As organizations around the world transition to containerized infrastructure, more critical workloads run in containers, making them a prime target for attackers. A compromised container can threaten business continuity, risk loss or theft of customer data, and can expose a company to compliance risk.

A basic concern in container security is the images containers are based on. Every container is created from an image, and any files or software components in the image are inherited by all containers created from it. If an image contains a software vulnerability or a malicious file, attackers will be able to compromise the resulting containers. This makes it critical to use vetted images from trusted sources, and scan images during all stages of the development lifecycle to ensure they are safe and have not been tampered with.

Another critical concern is hardening the containerized environment. Organizations must put processes in place to ensure that every element of the environment has a secure, hardened configuration. This includes:

• Container images
• Container runtimes (like Docker)
• Container orchestrators (like Kubernetes)
• Infrastructure components such as cloud virtual machines (VMs)
• Networking and security groups

If even one element of this complex chain is not secured—for example, if a container image runs as root, or a Kubernetes cluster does not properly implement RBAC authorization—attackers can and will discover the weakness, risking a devastating breach.

8 Container Security Challenges

Here are key container security challenges:

1. Container privileges—containers should run in unprivileged mode, without access to resources outside their isolated environment. However, in reality containers can be deployed with more privileges than required, exposing the entire environment to security risks.
2. Insecure images—a container image is a building block that serves as the basis for building containers. Images enable you to reuse image components instead of constantly building new containers from scratch. However, images and their dependencies can contain vulnerabilities, and when you use an insecure image to build a container, you introduce security risks to the environment.
3. Unlimited communication—containers must communicate to accomplish their objectives. You can minimize the attack surface by allowing containers to communicate only with the least amount of containers. However, a production environment includes many microservices and ephemeral containers, making it difficult to implement networking or firewalling rules that adhere to the principle of least privileges.
4. Containers running rogue or malicious processes—the average lifespan of a container in a sprawling environment can be hours or minutes, making it difficult to monitor the environment effectively. The fast churn of containers makes it almost impossible to manually monitor the container processes running at any given time. It does not provide the visibility needed to identify malicious or unnecessary processes.
5. Open source code—open source code can introduce security threats into the environment. For example, open source components might include dependencies that have known vulnerabilities, exposing the organization to threats.
6. Compliance—a development environment is highly rapid and continuously evolves. As a result, it becomes difficult to implement compliance checks. As a result, you cannot accurately assess the state of compliance and ensure you adhere to all relevant requirements.
7. Lack of standardization—legacy security standards include outdated methodologies that organizations struggle to apply to containers. As a result, many use multiple security standards and an increasing amount of tools. However, these standards and tools add complexity instead of providing security coverage.
8. Lack of expertise—the shortage of skilled experts and steep learning curves for container tools can result in improperly configured container environments.

Types of Container Security Tools and Solutions

Container Monitoring

Container monitoring solutions help track container performance, collect event data, and measure the effects of container-sharing resources. You can set up several types of monitoring practices, including:

• Proactive monitoring—involves implementing protocols to help prevent container failure.
• Reactive monitoring—these processes raise events when containers fail to alert users.
• Adaptive monitoring—this type continually assesses your containers’ performance and the impact of new components.

These tools help organizations prevent large-scale failures and determine the causes of individual events. Container monitoring tools can also help optimize resource allocation and software-defined networks.

Container Scanning Tools

Container image scanning, or container scanning, tools scan containers and their components to find security threats. Container scanning tools analyze a container image layer by layer to identify potential security issues. It is a core container security practice commonly used by DevOps teams to secure containerized workflows.

Containerized applications include many components, such as open source dependencies, custom code, images, and Dockerfiles. It is critical to scan for vulnerabilities across all components. Most solutions use a database of known vulnerabilities to ensure organizations can stay up-to-date as the threat landscape evolves.

Container Runtime Security

Container runtime security refers to the tools and processes used to secure containers against threats and vulnerabilities once they hit production. Container runtime security strategies typically introduce a strong automation component, with developers and security teams handling container configurations and live environment scanning for vulnerabilities and configuration drift.

Kubernetes Security

Kubernetes is a container orchestration platform that can help reduce container security issues by minimizing human error and programmatically scaling secure configurations. However, Kubernetes is notoriously complex and can be exposed to various security issues, creating a high-value attack surface that actors try to compromise.

Organizations using Kubernetes in production must implement Kubernetes security measures. Kubernetes security includes various techniques, technologies, and strategies designed to secure the Kubernetes platform and the containers it orchestrates. It helps keep container workloads secure.

Best Practices for Container Security

Secure Your Images

Image security is a critical aspect of container security. Containers are created from images, which are either sourced from public container registries or developed internally by an organization. In either case, these images can contain vulnerabilities. It is critical to scan all images, whatever their source, and avoid using images with security vulnerabilities.

Scan All Packages

Teams often think they need to scan only operating system packages. That is a common misconception that can expose your environment to security risks. You need to scan everything running in the container, including non-operating system packages.

Scanning is critical because any package can potentially contain a vulnerability that may allow threat actors to breach the system. You must scan all packages, including open source, commercial, non-operating system, and operating system packages.

Do Not Run Images as Root

Configuring an image to run using the “root” user is convenient for developers, but also creates severe security risks. If images run as root, any code they execute will also run under the root user. This means attackers who compromise the container will have root access and can run malicious processes inside the container.

In principle, kernel isolation will prevent attackers from accessing other parts of the host operating system or the environment. However, the attacker will be able to exploit any service available to the container over the local network.

In addition, attackers with root access can attempt container breakout attacks, which are made possible by several Linux kernel vulnerabilities.

Containers run as root by default, so it is critical to ensure that all development processes configure images in such a way that root access is not used. Risky configurations should be detected in runtime, and a rogue image that uses root access should not be deployed to a production environment.

Use Thin, Short-Lived Containers

Containers are designed to be short-lived and should run only the essential components required for their workloads. This means containers can be more secure than traditional servers: short runtime means containers are more frequently updated, and less components means a limited attack surface.

However, in reality, many developers treat a container like a server, running them for weeks at a time and adding files and components until container images become bloated. Another antipattern is using one container for multiple workloads. This tendency to use a small number of bloated containers is detrimental to security.

To ensure containers are secure, reduce the number of files in a container to an absolute minimum, ensure each container runs a small, specific workload, and tear down containers regularly to update them.

Control Container Network Access

Controlling the egress network traffic containers send is a critical security practice. You can implement it by using monitoring tools that track traffic passing between containers. These tools automatically determine the correct container networking surfaces, including bindings between processes and ports.

A monitoring tool can help you control container network access in various ways. It can detect traffic of data flowing between containers and various entities on the network. Additionally, these tools can detect anomalies to identify abnormal network activities like port scanning or unusual traffic.

Configure the On-Failure Restart Policy

The restart flag enables you to define how you want each container to restart or not restart on exit. This process requires proper configuration because containers that keep exiting and then try to restart can cause Denial of Service (DoS) on the host.

If you ignore a container’s exit status and let it continuously attempt to restart, you cannot identify the exit’s root cause. You must investigate container attempts to restart on exit, but you do not necessarily need to do so manually. You can configure the on-failure container restart policy to restrict the number of allowed restart attempts.

Protecting Container Environments with Imperva

Defined by cloud-native applications to infrastructure as code, modern coding is created, tested, and deployed at incredible speed. While deploying modern applications has created new attack surfaces, DevOps has the daunting task of balancing the need for speed for applications and the demand for securing them.

Both RASP and WAF are great solutions to protect containers running within Kubernetes clusters. For hybrid enterprises, Imperva lets you manage thousands of containers, each with their operating system versions, system files, packages, and executables, dynamically protecting against security vulnerabilities.

Additionally, Advanced API Security can be used to monitor and protect the Kubernetes API that is used to administer and interact with clusters, something that is commonly targeted by attackers.  Imperva enables comprehensive API visibility for Kubernetes operators, without requiring development to add resource-intensive workflow to their CI/CD processes.

Imperva also provides comprehensive protection for applications, APIs, and microservices:

Web Application Firewall – Prevent attacks with world-class analysis of web traffic to your applications.

Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.

API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.

Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.

DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on premises or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.

Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.

Client-Side Protection – Gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud, prevent data breaches, and client-side attacks.