Applications and endpoints are among the most exposed attack vectors; one industry report from last year attributed 70% of all breaches to the endpoint. Most organizations have concentrated on protecting data in the cloud, data in transit between apps or endpoints and the cloud, and endpoints inside the enterprise, and those areas are largely under their control.
With the current shift in working practices and millions of employees reaching the corporate network from remote locations, many more devices enter the picture, and with them considerable risk.
The security posture of these unmanaged endpoints is below that of the organization's managed devices, so protecting them, and the data that flows through them, becomes essential if the corporate cloud ecosystem as a whole is to be considered secure.
It is at this point that containerization should be considered as an additional tool in the security toolbox, one that can enhance the protection of many applications and of sensitive data.
Containerization and virtualization both encapsulate an application in its own operating system environment. The difference is where the boundary sits: a container shares the host's kernel, whereas a virtual machine runs its own guest operating system, kernel included, on top of a hypervisor.
Containerization is a fast, lightweight form of virtualization: a container image is smaller, consumes fewer resources and is quicker to provision than a virtual machine. Because the isolation is enforced by the host kernel (namespaces and resource controls) rather than by a hypervisor, containerization is also called operating-system-level virtualization. That shared kernel is also its weak point: a kernel vulnerability exploited from inside one container can affect the host and every other container on it, whereas escaping a virtual machine additionally requires breaking the hypervisor boundary.
Applications that run within a container need every resource they are likely to use packaged inside it (dependencies, libraries, configuration files and all other related files). There are different ways of creating containers, each with its own provisioning complexity. On Windows, creating a separate user account or a separate desktop is a low-overhead, easily provisioned way to isolate an application, although it separates only at the session or user level rather than providing a full container boundary.
Docker containers were originally developed for Linux, and Windows versions now exist as well; in both cases the container shares the host operating system's kernel. Windows Defender Application Guard (now Microsoft Defender Application Guard) takes a different approach: it creates single-purpose, Hyper-V-based containers for browsing untrusted websites, so that a compromise through the website is isolated from other applications and the rest of the operating system. The method chosen for creating the container should fit the situation.
By default, an application running inside a container cannot see applications or environment settings outside the container (either on the host operating system or in another container), and applications outside the container cannot reach inside it. This is a two-way benefit: applications within a container have a degree of isolation from malicious applications residing on the host or in other containers, and any malicious code inside the container is kept away from the outside. The isolation is only as strong as the container's configuration, however; options such as privileged mode, host networking or bind-mounting host directories deliberately punch holes in it. The security benefits of containers include:
- Control over the environment in which an application executes. A newly created container starts from a known image with no accumulated malware, and it can be built with only the minimum services and packages the application needs, which narrows the attack surface.
- Container environments are consistent, predictable and replicable, so the attack surface can be enumerated and restricted once, in the image definition, rather than on each device.
- The container exists only for as long as it is needed and is destroyed afterwards. When the container is destroyed, all applications within it stop and the changes made to its writable layer are discarded (data written to mounted volumes persists, so sensitive data should not be left there either).
- Environmental parity between test and production lets laboratory testing carry over to real-world situations with a higher level of confidence.
This is good news for enterprises, but there are provisos. Container security can be compromised. Applications that handle sensitive data inside a container should therefore be bolstered with security measures beyond those the container itself provides. Without such measures, containers can be vulnerable to:
- Malicious applications that gain permission to execute inside the container.
- Malicious applications that reach applications or data inside the container through the shared kernel (kernel-level key loggers or screen capture on the host, for example, which see the container's keystrokes and output just as they see any other process).
Docker containers carry additional risks. By default, containers on the same bridge network can talk to each other (inter-container communication is enabled unless the daemon is configured with icc disabled), so an attacker who has compromised one container can probe the others on the same host over the network; and a kernel- or daemon-level weakness can give that attacker access to the other containers outright.
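The weak settings described above can be checked mechanically. The script below is an added example written for this article, not code from the page or from Docker: it audits the HostConfig section that `docker inspect` prints for a container, and the host's daemon.json, against the holes discussed (privileged mode, host namespaces, added capabilities, a writable root filesystem, a missing no-new-privileges flag, sensitive bind mounts, and inter-container communication left on). The two container records and the daemon settings are constructed samples, and the severity labels are this example's own judgement rather than any Docker classification.

```python
"""Audit Docker isolation settings for the weaknesses discussed above.

Added example, hand-written for this article; not Docker's own tooling.
It reads the HostConfig section that `docker inspect <container>` prints
and the daemon.json settings, and reports configurations that weaken
the container boundary. All sample data below is constructed.
"""
import json

# Constructed sample: a container started with every hole the text warns about.
WEAK_CONTAINER = json.loads("""
{
  "Name": "/legacy-agent",
  "HostConfig": {
    "Privileged": true,
    "NetworkMode": "host",
    "PidMode": "host",
    "CapAdd": ["SYS_ADMIN"],
    "CapDrop": [],
    "ReadonlyRootfs": false,
    "SecurityOpt": [],
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/etc:/host-etc:ro"]
  }
}
""")

# Constructed sample: the same application wrapped with a minimal, locked-down configuration
# (docker run --cap-drop=ALL --read-only --security-opt=no-new-privileges --network app-net ...).
HARDENED_CONTAINER = json.loads("""
{
  "Name": "/saas-wrapper",
  "HostConfig": {
    "Privileged": false,
    "NetworkMode": "app-net",
    "PidMode": "",
    "CapAdd": null,
    "CapDrop": ["ALL"],
    "ReadonlyRootfs": true,
    "SecurityOpt": ["no-new-privileges:true"],
    "Binds": ["appdata:/data"]
  }
}
""")

# Host paths whose exposure inside a container effectively hands over the host.
SENSITIVE_HOST_PATHS = ("/etc", "/var/run/docker.sock", "/proc", "/sys", "/dev", "/boot", "/root")
# Capabilities that by themselves are usually enough to escape a container.
ESCAPE_CAPS = ("SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_ADMIN")


def _sensitive(src):
    """True if a bind-mount source is the host root or sits under a sensitive host path."""
    if not src.startswith("/"):          # a named volume, not a host path
        return False
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_container(inspect_doc):
    """Return (severity, finding) tuples for one `docker inspect` record."""
    hc = inspect_doc.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append(("high", "Privileged: all capabilities and raw host devices exposed"))
    for key in ("NetworkMode", "PidMode", "IpcMode", "UTSMode"):
        if hc.get(key) == "host":
            findings.append(("high", f"{key}=host: container shares the host {key[:-4].lower()} namespace"))
    for cap in hc.get("CapAdd") or []:
        sev = "high" if cap in ESCAPE_CAPS else "medium"
        findings.append((sev, f"CapAdd {cap}: capability added beyond the default set"))
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append(("medium", "CapDrop lacks ALL: default capability set retained"))
    if not hc.get("ReadonlyRootfs"):
        findings.append(("low", "root filesystem writable: malware can persist for the container's lifetime"))
    if not any(o.startswith("no-new-privileges") for o in hc.get("SecurityOpt") or []):
        findings.append(("medium", "no-new-privileges unset: setuid binaries inside can escalate"))
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if _sensitive(src):
            findings.append(("high", f"bind mount of sensitive host path {src}"))
    return findings


def audit_daemon_config(daemon_json):
    """Findings for /etc/docker/daemon.json settings that affect every container on the host."""
    findings = []
    if daemon_json.get("icc", True):          # inter-container communication is on by default
        findings.append('"icc" not false: containers on the default bridge can reach each other')
    if not daemon_json.get("userns-remap"):
        findings.append('"userns-remap" unset: UID 0 inside a container is UID 0 on the host')
    if not daemon_json.get("no-new-privileges", False):
        findings.append('"no-new-privileges" not true: not enforced daemon-wide')
    return findings


if __name__ == "__main__":
    for doc in (WEAK_CONTAINER, HARDENED_CONTAINER):
        print(doc["Name"])
        for sev, msg in audit_container(doc) or [("ok", "no weak settings found")]:
            print(f"  [{sev}] {msg}")
    print("daemon.json (defaults):")
    for msg in audit_daemon_config({}):
        print("  " + msg)
```

Run as-is it reports nine findings for the weak container and none for the hardened one, plus three for an empty daemon.json. Against a live host, `docker inspect <name>` prints a JSON array, so pass its first element to `audit_container`; the checks are deliberately conservative, and a finding is a prompt to justify the setting, not proof of compromise.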
Containerized applications that process sensitive data should therefore mitigate the threats inherent in containerization with specific techniques: at a minimum, preventing unauthorized applications from running inside the container, and guarding against kernel-level attacks on data such as key logging.
Enterprises can do this with solutions designed around these key weaknesses, combining simple containerization, injected security controls and anti-key-logging to securely wrap remote-access, enterprise and SaaS applications.