Containers accelerate the developer experience and allow applications to run smoothly in any environment — but they also introduce complexity and interdependencies that can have serious security consequences.
With this in mind, the process of securing containers is a continuous one. It should be integrated into the development process, automated, and extended into infrastructure maintenance and operations.
When building out a security strategy for containers, there are generally seven primary concerns. Here’s what they are, and what to do:
- Securing the host OS
Whenever possible, use a distributed operating system that is optimized to run containers. If you’re using a stock OS, disable or remove unnecessary services to optimize performance and reduce the attack surface.
Then, add a layer of security and monitoring tools to ensure that the host is running as expected. Tools like application control are very useful in this situation. For traffic that goes to the internet, web gateways and intrusion prevention systems (IPSs) provide an excellent level of filtering.
- Monitoring traffic between containers
Once a cyber-criminal gains a foothold in a system, they quickly look to move laterally. You can counteract this threat by ensuring all internal network traffic between containers passes through an IPS. Implement the system at the host level, which allows for all traffic to be effectively monitored without significantly impacting performance.
- Securing the application in the container
Security controls can help ensure that seemingly ordinary activities like processing data, generating log files and caching files are not, in fact, malicious. Real-time anti-malware controls are critical.
An IPS plays a role here as well — if a vulnerability is exposed remotely, the IPS engine can detect attempts to exploit it and drop packets to protect the application, buying time to address the root cause.
- Monitoring the application
When deploying an application into a container, a runtime application self-protection (RASP) security control can add another layer of defense. Besides security features like Structured Query Language (SQL) monitoring, dependencies checking and remediation, URL verification, and others, a RASP can also solve one of the biggest challenges in security: root cause identification.
When positioned within the application code, these controls can help connect the dots between a security issue and the line of code that created it. That level of awareness is difficult to compete with and creates a huge boost in the security posture.
- Securing the container management stack
There are two critical pieces of infrastructure to help manage container deployment — a privacy container registry and Kubernetes to help orchestrate.
Scanning each container for known vulnerabilities, malware, and any exposed secrets before it is made available in the registry helps to reduce issues downstream. Additionally, you’ll want to make sure that the registry itself is well protected.
Kubernetes also provides the ability to implement a number of operational and security controls. Implementing Pod (cluster level resources) and network security policies allows you to enforce various options to meet your risk tolerance.
- Building the application on a secure foundation
Regardless of which type of container you use, you need a workflow to ensure they are reliable and secure against common threats. The best workflow for this is container image scanning. This class of tools will scan the contents of a container before it is used as a building block for the application, and offer a final set of checks before it is deployed to production.
When properly implemented, fully automated scanning becomes a natural part of the coding process. A good scanner will look for malware, known vulnerabilities, and any secrets or confidential information to mitigate risks during development.
- Ensuring the integrity of the build pipeline
Attackers have started to shift their attacks toward earlier stages of the delivery pipeline. If an attacker successfully compromises the build server, code repository, or developer workstations, they can reside in the environment for significantly longer since most security programs don’t actively monitor these critical resources.
The first step here is to ensure that these systems have a strong set of security controls that are kept up to date. The second is to implement a strong access control strategy throughout the pipeline. Implement the principle of least privilege (only providing the access needed to accomplish the required tasks) and audit that access regularly.
Implement All Steps Holistically and Continually
There is no silver bullet when it comes to container security. Despite the simplicity of the container itself, the underlying infrastructure can grow to be quite complex. That complexity needs to be understood, monitored, and secured like the critical asset it is.
Addressing any one of these areas will help ensure that applications are protected and work as intended — but it is only by addressing all of these container security areas that you can have full confidence.