According to Gartner research, by 2022 more than 75% of global organizations will be running containerized applications in production, which is a significant increase from fewer than 30% today.
Containers have become one of the most important technologies in modern cloud infrastructure as they empower developers to autonomously build and deploy applications, microservices, and APIs as self-contained units that operate the same in all environments. This approach can dramatically reduce IT labor hours and resources when managing application infrastructure.
This increase in developer velocity and self-service can challenge over-extended security teams who suddenly find themselves addressing new risks such as container vulnerabilities, permission issues, and container-specific OS images on top of all the traditional risks across the application stack.
Some companies implementing containers believe that they are easier to secure since they are complete, self-contained, isolated runtimes, and therefore that there is no need to monitor them for security threats. In fact, containers and the accompanying microservices should be monitored in real time along with the rest of the cloud infrastructure stack.
Control
Container users get an enormous boost in developer productivity and deployment flexibility, but also face increased challenges around data control and visibility. Developers grabbing random images from Docker Hub and automating their deployment directly to production is a nightmare for security teams. Containers should only be built from approved, hardened images, and they should be immutable: if anything needs to change, build a new image and redeploy it.
Teams should also regulate which permissions the containers themselves run with. While the Docker daemon requires root to run, containers themselves do not. However, containers run as root by default, and a Docker container running as root has full control of the host system.
Of note, Docker 1.10 introduced some important changes to help reduce this specific risk, so be sure to always update systems to the latest versions.
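The two rules above (build only from approved, digest-pinned images; do not run the final stage as root) can be enforced before an image is ever built. The following is an added example written for this article, not code from the original post: a small Dockerfile policy check that flags base images outside an assumed internal registry (registry.example.internal/hardened/, a constructed name), base images that are not pinned by digest, and a final stage that never switches to a non-root USER. The sample Dockerfiles and the all-zero digest are constructed placeholders.

```python
import re

# Constructed allow-list: only base images from this hardened internal registry are permitted.
APPROVED_BASE_PREFIXES = ("registry.example.internal/hardened/",)

_FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
_USER_RE = re.compile(r"^\s*USER\s+(\S+)", re.IGNORECASE)


def _join_continuations(text):
    """Merge backslash-continued lines so each instruction is one logical line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def check_dockerfile(text):
    """Return a list of policy findings; an empty list means the Dockerfile passes."""
    findings = []
    stage_names = set()   # aliases declared with "FROM ... AS name"
    last_user = None      # USER in effect at the end of the final stage
    saw_from = False
    for line in _join_continuations(text):
        m = _FROM_RE.match(line)
        if m:
            saw_from = True
            image, alias = m.group(1), m.group(2)
            last_user = None  # every stage starts as root again
            if alias:
                stage_names.add(alias.lower())
            if image.lower() in stage_names or image == "scratch":
                continue  # earlier stage or empty base: nothing external to approve
            if not image.startswith(APPROVED_BASE_PREFIXES):
                findings.append(f"base image not from approved registry: {image}")
            if "@sha256:" not in image:
                findings.append(f"base image not pinned by digest: {image}")
            continue
        m = _USER_RE.match(line)
        if m:
            last_user = m.group(1)
    if not saw_from:
        findings.append("no FROM instruction")
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root (no non-root USER instruction)")
    return findings


# Constructed samples: a typical "pull from Docker Hub" Dockerfile and a policy-compliant one.
BAD_DOCKERFILE = """\
FROM python:3.11
COPY app.py /app/
CMD ["python", "/app/app.py"]
"""

# The digest below is a placeholder, not a real image digest.
GOOD_DOCKERFILE = """\
FROM registry.example.internal/hardened/python@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS runtime
COPY app.py /app/
RUN useradd --system --uid 10001 app
USER app:app
CMD ["python", "/app/app.py"]
"""

if __name__ == "__main__":
    for label, df in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(label, check_dockerfile(df) or "OK")
```

Run as a pre-commit hook or CI step, the check rejects the first Dockerfile with three findings (unapproved registry, no digest pin, root user) and accepts the second. Note that a USER line only counts for the stage it appears in, which is why the check resets when a new FROM begins.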
Additionally, be sure to harden container orchestration tools like Kubernetes, because they are increasingly an attack target. Secure the administrative interface, apply two-factor authentication, and encrypt all data at rest. Just like any other part of an organization’s infrastructure, it’s important to implement a least privilege access model for all container-related services.
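Least privilege for container workloads is mostly a matter of what the Pod manifest does not grant. As an added example (not from the original article), the function below audits a Kubernetes Pod given as a Python dict (the shape you get after parsing the manifest YAML or JSON) for the settings that most often hand a workload more than it needs: host namespaces, privileged mode, privilege escalation, running as root, retained capabilities, a writable root filesystem, and floating image tags. Several of these correspond to the Kubernetes Pod Security Standards restricted profile; the image registry name is constructed.

```python
def check_pod_security(pod):
    """Return least-privilege findings for a Pod manifest dict; empty means it passes."""
    findings = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})

    # Sharing host namespaces exposes host processes, network stack or IPC to the container.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod shares host namespace: {flag}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext", {})
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged container")
        # allowPrivilegeEscalation defaults to true unless explicitly disabled.
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        # Container-level settings override pod-level ones.
        run_as_non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        run_as_user = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        if not run_as_non_root and run_as_user in (None, 0):
            findings.append(f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: does not drop ALL capabilities")
        if not ctx.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        # A missing tag or ":latest" means the deployed image can silently change.
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]
        if ":latest" in image or (":" not in last and "@" not in last):
            findings.append(f"{name}: image tag is floating: {image or '<none>'}")
    return findings


# Constructed manifests: a permissive pod and its hardened counterpart.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "nginx:latest",
                        "securityContext": {"privileged": True}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/hardened/web:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod_security(pod) or "OK")
```

The same rules can be expressed as an admission policy so that a non-compliant manifest is rejected at the API server rather than merely reported after deployment.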
Visibility & Monitoring
While it’s true that containers are self-contained environments, that doesn’t make them inherently secure. They interact with the underlying host, orchestrator, and many other applications and microservices that comprise the complete application. Each tier in each system produces its own complex set of security signals. This is why visibility is so important in container security.
Traditional tools that were designed to monitor non-container environments aren’t typically well-suited to containers because they don’t have visibility into both the host running the containers and the containers themselves. Container security visibility needs insight into container resource consumption, container level process execution, and communication among containers within nodes, or across the internet.
Full stack observability puts the containers in the context of their underlying host, the orchestrator tier, and down to the cloud management console.
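Host-level visibility into what containers are doing starts with the container runtime's own event stream. As an added example (not part of the original article), the detector below consumes a constructed sample in the shape of `docker events --format '{{json .}}'` output (the Type, Action, Actor.ID and Actor.Attributes field names are taken from the Docker Engine events API, and the sample IDs and image names are made up) and raises alerts for three conditions a security team would want surfaced: a container started from an image outside the approved registry, an interactive exec into a running container (which an immutable deployment should never need), and an abnormal container exit.

```python
import json

# Constructed allow-list of approved image locations.
APPROVED_IMAGE_PREFIXES = ("registry.example.internal/hardened/",)

# Constructed event stream resembling `docker events --format '{{json .}}'`.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Type": "container", "Action": "start", "time": 1700000000,
     "Actor": {"ID": "aaa111", "Attributes": {
         "image": "registry.example.internal/hardened/web:1.4.2", "name": "web"}}},
    {"Type": "container", "Action": "start", "time": 1700000005,
     "Actor": {"ID": "bbb222", "Attributes": {
         "image": "docker.io/library/alpine:latest", "name": "scratchpad"}}},
    {"Type": "container", "Action": "exec_create: /bin/sh", "time": 1700000010,
     "Actor": {"ID": "aaa111", "Attributes": {
         "image": "registry.example.internal/hardened/web:1.4.2", "name": "web",
         "execID": "ccc333"}}},
    {"Type": "network", "Action": "connect", "time": 1700000011,
     "Actor": {"ID": "net1", "Attributes": {"container": "bbb222", "name": "bridge"}}},
    {"Type": "container", "Action": "die", "time": 1700000020,
     "Actor": {"ID": "bbb222", "Attributes": {
         "image": "docker.io/library/alpine:latest", "name": "scratchpad", "exitCode": "137"}}},
])


def detect(events_text):
    """Return (time, rule, detail) alerts for security-relevant container events."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("Type") != "container":
            continue  # network/volume/image events are not covered by these rules
        action = ev.get("Action", "")
        actor = ev.get("Actor", {})
        attrs = actor.get("Attributes", {})
        name = attrs.get("name", actor.get("ID", "?"))
        image = attrs.get("image", "")
        if action == "start" and not image.startswith(APPROVED_IMAGE_PREFIXES):
            alerts.append((ev.get("time"), "unapproved-image", f"{name} started from {image}"))
        elif action.startswith("exec_create"):
            # Docker appends the exec'd command after a colon in the Action string.
            cmd = action.partition(":")[2].strip() or "<unknown>"
            alerts.append((ev.get("time"), "exec-into-container", f"{name}: {cmd}"))
        elif action == "die" and attrs.get("exitCode", "0") != "0":
            alerts.append((ev.get("time"), "abnormal-exit",
                           f"{name} exited with code {attrs['exitCode']}"))
    return alerts


if __name__ == "__main__":
    for t, rule, detail in detect(SAMPLE_EVENTS):
        print(t, rule, detail)
```

In production the same function would read from the live event stream and forward alerts to the SIEM; keeping the rules as plain conditions on the event fields makes them easy to review alongside the image allow-list.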
Configuration & Deployment
Developers move fast with containers. That means that security teams should look for opportunities to build security into the process of using and deploying them. Provide a container repository with an appropriate selection of authorized, hardened container images so developers are less likely to pull insecure images from public repositories. Also use configuration management tools to automate the process of installing and configuring security monitoring in your containerized environments.
Containers are being adopted rapidly, so following best practices and processes, and applying specific tools to help with implementation and execution, are essential. Thankfully, there is a wealth of great information available on how to use containers securely, and the NIST Application Container Security Guide is a great place to start.
NIST provides organizations with key suggestions, such as ensuring that the latest container versions are used and that updates and patches are communicated promptly when they become available.
It’s important to remember that containers are just one piece of modern cloud environments, which are themselves just one part of full stack security. Businesses should commit to proactively managing everything they can, including the cloud management console, Kubernetes, and applications.
Cyber-criminals attack every potential weak point in a cloud ecosystem so take nothing for granted, no matter how trivial it may seem.