Container Security is the continuous process of using security tools to protect containers, the container pipeline, deployment infrastructure, and the supply chain from cyber threats and vulnerabilities. Container security differs from traditional cybersecurity because the container environment is more complex and ephemeral, requiring the security process to be continuous.
A container is a package of software and its dependencies — such as code, system tools, settings and libraries — that can run reliably on any operating system and infrastructure. A container consists of an entire runtime environment, enabling applications to move between a variety of computing environments, such as from a physical machine to the cloud, or from a developer’s test environment to staging and then production. Containers are a useful tool, but they are not built with a security system of their own, meaning they introduce new attack surfaces that can put the organization at risk.
Common Cloud Container Platforms
Containers are suited for cloud environments because they deliver more services on the same infrastructure as hypervisors, which makes them more economical and faster to deploy.
There are many approaches to containerization, and a lot of products and services have sprung up to make them easier to use. These are the most popular platforms that are relevant to container technology:
- Docker Container: Docker is a container platform that lets users build, test and deploy applications quickly. As the pioneer in its sector, Docker runs on about one of every five hosts and has over 5 million users and 6 million repositories on Docker Hub.
- Kubernetes: Kubernetes is a portable, extensible, open-source platform for orchestrating containerized workloads and services. Unlike Docker, which runs on a single node, Kubernetes uses automation to orchestrate container management to run across a cluster.
- AWS Elastic Container Service (ECS): Amazon ECS is a scalable container orchestration service that runs Docker containers on the AWS cloud. It lets users run ECS clusters with AWS Fargate, a serverless compute that removes the need to provision and manage servers, and integrates natively with other AWS services as well.
- Microsoft Azure Kubernetes Services (AKS): AKS is the new version of Azure Container Service. AKS simplifies Kubernetes management, deployment and operations with serverless Kubernetes, an integrated continuous integration and continuous delivery (CI/CD) experience, and enterprise-grade security and governance.
- Google Cloud Platform (GCP): Google Cloud Platform enables users to migrate quickly with pre-packaged cloud infrastructure solutions in hybrid and multi-cloud environments with no vendor lock-in.
How to Secure Containers
To protect a container environment, the whole DevOps pipeline, including the pre- and post-runtime environments, has to be secured.
Container security starts with a secured container image. Developers sometimes build their images on base images pulled from an external registry, and those base images can contain malware or vulnerable libraries.
Developers can also forget to remove passwords and secret keys used during development before pushing the image to the registry. If the infrastructure holding the images is compromised, those secrets leak along with the images.
That is why it is critical to integrate an image assessment into the build system to identify vulnerabilities and misconfigurations.
Integrating your container security tool with your CI/CD pipeline allows for accelerated delivery, continuous threat detection, improved vulnerability posture in your pipeline, and a smoother secops process.
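The following is an added example, not code from the page or from any of the platforms it names: a small pre-build check of the kind a CI pipeline can run on a Dockerfile before the image is built and pushed. It flags the three problems described above (a base image that is unpinned or pulled from outside a trusted registry, credentials baked in through `ENV`/`ARG`, and secret-bearing files copied into the image). The trusted registry hostname, the key-name and filename patterns, and the sample Dockerfile are all assumptions constructed for the example.

```python
"""CI gate for Dockerfile hygiene.

Added example, not code from the page or from any of the platforms it
names. It flags the image-build problems the text describes: base images
that are unpinned or pulled from outside a trusted registry, credentials
baked in through ENV/ARG, and secret-bearing files copied into the image.
"""
import re
import sys

# Assumption: registries the organisation controls (hypothetical hostname).
TRUSTED_REGISTRIES = ("registry.internal.example/",)

# Key names that usually carry credentials, and filenames that usually hold them.
SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
SECRET_FILE_RE = re.compile(r"(\.env\b|id_rsa|\.pem\b|\.npmrc|\.netrc|credentials)", re.I)

# Constructed sample Dockerfile showing each problem class once
# (the digest on the trusted base image is shortened for readability).
SAMPLE_DOCKERFILE = """\
# build stage
FROM python:3.12-slim AS builder
ARG NPM_TOKEN=abc123
COPY . /app
ENV DB_PASSWORD=hunter2 \\
    DB_HOST=db
FROM registry.internal.example/base@sha256:deadbeef AS final
COPY --from=builder /app /app
COPY .env /app/.env
"""


def join_continuations(text):
    """Return logical Dockerfile lines: backslash continuations joined,
    comments and blank lines dropped."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def kv_pairs(args):
    """Yield (key, value-or-None) from ENV/ARG arguments, handling both the
    'KEY=value [KEY2=value2]' form and the legacy 'KEY value' form."""
    tokens = args.split()
    if tokens and "=" not in tokens[0]:
        yield tokens[0], (" ".join(tokens[1:]) or None)
        return
    for tok in tokens:
        key, _, value = tok.partition("=")
        yield key, (value or None)


def check_dockerfile(text, trusted=TRUSTED_REGISTRIES):
    """Return a list of (logical_line_number, message) findings."""
    findings, stage_names = [], set()
    for n, line in enumerate(join_continuations(text), 1):
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1] if len(parts) > 1 else ""
        tokens = args.split()
        if instr == "FROM":
            rest = [t for t in tokens if not t.startswith("--")]  # drop --platform etc.
            image = rest[0]
            if len(rest) >= 3 and rest[1].upper() == "AS":
                stage_names.add(rest[2])
            if image == "scratch" or image in stage_names:
                continue  # empty image or a reference to an earlier build stage
            if "@sha256:" not in image:
                findings.append((n, f"base image '{image}' is not pinned to a digest"))
            if not image.startswith(trusted):
                findings.append((n, f"base image '{image}' comes from an untrusted registry"))
        elif instr in ("ENV", "ARG"):
            for key, value in kv_pairs(args):
                if value is not None and SECRET_KEY_RE.search(key):
                    findings.append((n, f"{instr} {key} embeds a credential in the image"))
        elif instr in ("COPY", "ADD"):
            sources = [t for t in tokens if not t.startswith("--")][:-1]  # last token is the destination
            for src in sources:
                if SECRET_FILE_RE.search(src):
                    findings.append((n, f"{instr} brings secret-bearing file '{src}' into the image"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOCKERFILE
    problems = check_dockerfile(text)
    for n, msg in problems:
        print(f"line {n}: {msg}")
    sys.exit(1 if problems else 0)
```

Run as `python check_dockerfile.py Dockerfile` in the build job; a non-zero exit stops the pipeline before the image reaches the registry. Note that an `ARG` without a default is not flagged, because the value is supplied at build time rather than written into the Dockerfile; build arguments still end up in the image history, so secrets should be supplied through the build's secret mechanism rather than as arguments.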
To protect application data in a running container, you need visibility into both the container and the worker node it runs on. An effective container security tool should capture and correlate real-time activity and metadata from both containers and worker nodes.
This level of visibility helps to:
- Stop malicious behavior: Behavioral profiling enables you to block activities that violate policy with zero impact to legitimate container operation.
- Investigate container incidents faster: Easily investigate incidents when detections are associated with the specific container and not bundled with host events.
- See everything: Capture start, stop, image, container runtime information and all events generated inside each and every container.
- Deploy seamlessly with Kubernetes: Deploy easily at scale by including it as part of a Kubernetes cluster.
- Improve container orchestration: Capture Kubernetes namespace, pod metadata, process, file and network events.
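As an added example that is not part of the page and not any vendor's product code, the following shows what "container-attributed" runtime detection looks like in practice. It assumes a hypothetical node sensor that emits one JSON event per line already tagged with the container id and Kubernetes namespace/pod/image (the tagging itself is out of scope), checks each process start against a per-image behavioral profile, keeps host-level events separate from container events, and retains each container's evidence after the container stops so an investigation is still possible once the container is gone. The profiles and the sample events are constructed.

```python
"""Runtime behavioral detection over container-attributed events.

Added example, not from the page or any vendor product. It assumes a
sensor on each worker node emits JSON events already tagged with the
container id and Kubernetes metadata (hypothetical format).
"""
import json
from collections import defaultdict

# Hypothetical allow-list profile per image digest: the binaries that
# workload is expected to execute. Anything else is a policy violation.
PROFILES = {
    "registry.internal.example/api@sha256:1111": {"python3", "gunicorn"},
    "registry.internal.example/cache@sha256:2222": {"redis-server"},
}

# Constructed sample events, one JSON object per line, as a node sensor might emit.
# container_id null means the event came from the host itself.
SAMPLE_EVENTS = """\
{"ts": 1, "node": "worker-1", "container_id": "c1", "namespace": "shop", "pod": "api-7d9f", "image": "registry.internal.example/api@sha256:1111", "type": "exec", "comm": "gunicorn", "parent": "python3"}
{"ts": 2, "node": "worker-1", "container_id": null, "type": "exec", "comm": "kubelet", "parent": "systemd"}
{"ts": 3, "node": "worker-1", "container_id": "c1", "namespace": "shop", "pod": "api-7d9f", "image": "registry.internal.example/api@sha256:1111", "type": "exec", "comm": "sh", "parent": "gunicorn"}
{"ts": 4, "node": "worker-1", "container_id": "c1", "namespace": "shop", "pod": "api-7d9f", "image": "registry.internal.example/api@sha256:1111", "type": "exec", "comm": "curl", "parent": "sh"}
{"ts": 5, "node": "worker-2", "container_id": "c2", "namespace": "shop", "pod": "cache-5b1c", "image": "registry.internal.example/cache@sha256:2222", "type": "exec", "comm": "redis-server", "parent": "runc"}
{"ts": 6, "node": "worker-2", "container_id": "c3", "namespace": "shop", "pod": "job-x", "image": "registry.internal.example/unknown@sha256:3333", "type": "exec", "comm": "bash", "parent": "runc"}
{"ts": 7, "node": "worker-1", "container_id": "c1", "type": "stop"}
"""


def evaluate(event_lines, profiles=PROFILES):
    """Return alerts attributed to containers, host events kept apart, and
    per-container evidence that survives the container's termination."""
    alerts, host_events = [], []
    # Evidence is keyed by container id and never discarded on "stop": that is
    # what lets an analyst reconstruct a short-lived container afterwards.
    evidence = defaultdict(lambda: {"meta": {}, "events": [], "stopped": False})

    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        cid = ev.get("container_id")
        if cid is None:
            host_events.append(ev)  # host-level activity is not bundled with container alerts
            continue
        rec = evidence[cid]
        rec["events"].append(ev)
        if ev["type"] == "stop":
            rec["stopped"] = True
            continue
        # Orchestrator metadata travels with every event, so an alert can point
        # at the exact namespace/pod/image rather than just the node.
        rec["meta"] = {k: ev[k] for k in ("node", "namespace", "pod", "image")}
        if ev["type"] != "exec":
            continue
        allowed = profiles.get(ev["image"])
        if allowed is None:
            reason = "no behavioral profile exists for this image"
        elif ev["comm"] not in allowed:
            reason = f"process '{ev['comm']}' spawned by '{ev['parent']}' is outside the image profile"
        else:
            continue
        alerts.append({**rec["meta"], "container_id": cid, "ts": ev["ts"],
                       "comm": ev["comm"], "reason": reason})
    return {"alerts": alerts, "host_events": host_events, "evidence": dict(evidence)}


if __name__ == "__main__":
    result = evaluate(SAMPLE_EVENTS)
    for a in result["alerts"]:
        print(f"[{a['namespace']}/{a['pod']} {a['container_id']}] {a['reason']}")
    for cid, rec in result["evidence"].items():
        print(f"{cid}: {len(rec['events'])} events retained, stopped={rec['stopped']}")
```

Two design points matter here. An image with no profile produces an alert rather than silently passing, so a workload nobody has characterised cannot run unobserved. And the evidence record for `c1` is complete even though the last event is its `stop`, which is the concrete answer to the forensic problem of ephemeral containers: collect and ship the context while the container exists, because there is nothing to collect afterwards.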
Container Security Challenges
Containers do not include security capabilities and can present some unique security challenges.
The primary challenge is visibility. Visibility is the ability to “see” into a system to understand if the controls are working and to identify and mitigate vulnerabilities. Containers can lack centralized control, so overall visibility is limited, and it can be hard to tell if an event was generated by the container or its host. And because containers are short-lived, forensic evidence is lost when they are terminated.
It can be difficult for enterprises to know if a container has been designed securely. Typically, the IT team receives a container from a development team, which most likely was built using software from other sources, which in turn was built using yet other software, and so on. Unless security was documented during development and the container’s user has access to that documentation, it is reasonable to assume that the container is insecure.
A Set and Forget Mentality
Another container management pitfall is that managers often treat containers with a “set and forget” mentality. But like any other part of the computer environment, containers should be monitored for suspicious activities, misconfigurations, overly permissive access levels and insecure software components (such as libraries, frameworks, etc.). What was secure yesterday is not guaranteed to be secure today.
Some enterprises do a good job of subjecting their containers to security controls. And that responsible approach gives rise to a new set of problems: Every vulnerability scan produces a massive volume of results that have to be sorted, prioritized and mitigated. Teams that still rely on manual processes in any phase of their incident response can’t handle the load that containers drop onto them.
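The scale problem in the paragraph above is usually addressed by automating the sorting step. The following is an added example, not the page's own or any scanner's code: it assumes a hypothetical flat finding format (image, package, version, vulnerability id, severity, fixed version) plus an inventory of which images are actually running, collapses the duplicate findings that come from a shared base layer, and ranks what remains. The findings, the running-image inventory and the `CVE-0000-000x` identifiers are constructed placeholders.

```python
"""Triage of container vulnerability-scan output.

Added example, not the page's own or any scanner's code. It assumes a
hypothetical flat finding format and an orchestrator inventory of running
images; it collapses duplicates from shared base layers and ranks the
remaining work items so a team can start at the top of the list.
"""
from collections import defaultdict

SEVERITY_WEIGHT = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed findings; the CVE ids are placeholders, not real identifiers.
# Two images share the same vulnerable openssl from a common base layer.
FINDINGS = [
    {"image": "api@sha256:1111",   "pkg": "openssl", "version": "3.0.1",  "id": "CVE-0000-0001", "severity": "CRITICAL", "fixed": "3.0.2"},
    {"image": "cache@sha256:2222", "pkg": "openssl", "version": "3.0.1",  "id": "CVE-0000-0001", "severity": "CRITICAL", "fixed": "3.0.2"},
    {"image": "api@sha256:1111",   "pkg": "zlib",    "version": "1.2.11", "id": "CVE-0000-0002", "severity": "HIGH",     "fixed": None},
    {"image": "job@sha256:3333",   "pkg": "curl",    "version": "7.80",   "id": "CVE-0000-0003", "severity": "MEDIUM",   "fixed": "7.81"},
    {"image": "api@sha256:1111",   "pkg": "bash",    "version": "5.1",    "id": "CVE-0000-0004", "severity": "LOW",      "fixed": "5.1.1"},
]
# Constructed inventory: images that are actually deployed right now.
RUNNING = {"api@sha256:1111", "cache@sha256:2222"}


def triage(findings, running):
    """Group findings by (id, package, version) and return work items
    ordered by descending score, then by id for a stable order."""
    groups = {}
    for f in findings:
        key = (f["id"], f["pkg"], f["version"])
        g = groups.setdefault(key, {"id": f["id"], "pkg": f["pkg"], "version": f["version"],
                                    "severity": f["severity"], "fixed": f["fixed"],
                                    "images": set()})
        g["images"].add(f["image"])

    items = []
    for g in groups.values():
        exposed = g["images"] & running
        # Scoring policy (an assumption, tune to taste): severity dominates,
        # a fix being available moves an item up because it is actionable,
        # and each running image affected adds exposure weight.
        g["score"] = (SEVERITY_WEIGHT[g["severity"]] * 10
                      + (3 if g["fixed"] else 0)
                      + 2 * len(exposed))
        g["running_images"] = sorted(exposed)
        g["images"] = sorted(g["images"])
        items.append(g)
    return sorted(items, key=lambda g: (-g["score"], g["id"]))


if __name__ == "__main__":
    items = triage(FINDINGS, RUNNING)
    print(f"{len(FINDINGS)} raw findings -> {len(items)} work items")
    for it in items:
        fix = f"upgrade to {it['fixed']}" if it["fixed"] else "no fix yet"
        print(f"{it['score']:3d} {it['id']} {it['pkg']} {it['version']} "
              f"({it['severity']}, {fix}) running in {len(it['running_images'])} image(s)")
```

Five raw findings become four work items, and the one that affects two running images with a fix available lands on top. The weights are a policy choice; what matters for the workload problem is that the same package in the same version is fixed once, in the shared base image, instead of being handled as a separate ticket per image.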
Traditional tools mostly focus on either network security or workload security. But securing containers requires attention to both, since hosts, networks and endpoints are all part of a container’s attack surface, and vulnerabilities exist in multiple layers of the architecture.