Understanding and applying container security

In a microservices architecture, maintaining container security at all stages is an essential requirement and needs to cover many facets.

• The container’s inner components – a container contains images, imported or custom-created, common tools, compilers and RIBs, framework, and app code. Each of these components’ vulnerabilities needs to be managed at every step of the container’s lifecycle to ensure container security.
• The container’s communication system – a container interacts with the host’s operating system and with other containers on the same host. The container security is at risk if misconfigurations open vulnerabilities in the communication network.
• The container’s host operating system
• The container networking – containers communication intra and inter clusters and with other external sources.

• Configuring Container Storage Interface to maintain security without impeding access

• The container’s security at run time
• The container orchestration system consisting of escalated privileges access to the container via a set of APIs.

To understand the complexity of securing containers, the first step is to understand what a container is.

What is a container and how does container security work?

A container is a virtual “box” containing a piece of software and its dependencies (e.g., libraries, system tools, code, registries, etc., and, most importantly, for container security, settings, and policies.) 

Containers address several issues faced by developers when deploying applications. Thanks to their simple packaging, they accelerate application development and deployment, increase scalability, facilitate a generalization of management, reduce environmental dependencies, and support microservices. 

Microservices are critical to accelerate the integration of business demands in applications and provide the flexibility that enables the rapid integration of app updates. That flexibility is essential to rapidly adapt an app to evolving specifications emanating from an organization’s business side and provides a fast reaction time ideal for optimizing business adaptability to fluctuating market conditions and customers’ or users’ unfolding preferences. 

But this new ecosystem means that DevOps and security teams now share the responsibility of ensuring container security.

Understanding the elements of container security: Top threats to container environments

Running an app in a containerized environment implies a complete rethinking of the former security perimeter defending monolithic applications. Without this security perimeter, what are the threats to container environments?

Threats to the container build environment

When building a container, whether with an original or an imported image, DevOps need to ensure that:

• No malicious or unintentional source code changes are taking place
• The automation of the container building system is free of alteration

• Configuration for the runtime deployment and access privileges are free of errors that might expose credentials

• All runtime codes have been scanned

Threats during runtime

Communication between containers and between containers and external data sources, vendors, operating system, etc., are fraught with risks, and navigating between the need for flexibility and the need for tightening container security policies requires comprehensive mapping of the access rights to the operating system and host resources, as well of continuous monitoring to catch existing and emerging vulnerabilities.

Threats to the operating system security

A single misconfigured container can jeopardize the entire OS. Managing access privilege is a key factor in tightening container security and shielding the OS from unwanted exploits introduced when managing the container’s access to subsets of resources.

Threats from orchestration manager misconfiguration

As container technology evolved, orchestration managers, such as the now undisputed market leader Kubernetes, emerged to tackle communication between containers, and between containers, OS, and external resources. Kubernetes orchestration manager bundles containers in pods, organized in clusters interacting in an on-premise, cloud, multi-cloud, or hybrid environment. Ensuring container security requires considering all the moving parts of a container lifecycle, from the build stage to connectivity during deployment and runtime.

Applying comprehensive security for containers

Given the built-in intricate complexity of orchestration managers, opting for a container security solution is the most effective option. A comprehensive container security solution covers all the elements needed to configure and monitor the security of containers. It should provide an easy interface for rapid detection and mitigation of emerging vulnerabilities before malicious actors can leverage them. 

A typical Kubernetes environment will have several clusters (e.g., dev, testing, prod, finance …) distributed across environments. The first step to managing communication between these environments effectively is to have a clear picture of the communication between these components, both architecturally and in detail. What defines whether a connection is established or not is defined by rules and policies that must be configured at every level and every stage, for example, configuring pod policies (aka PSP). These indicate whether the right security profile is associated with the container to enable connection or deployment. Especially in a hyper-connected containerized environment, monitoring each workload, connection, event, and namespace at all times is an essential aspect of ensuring container security. Ideally, monitoring tools provide an at-a-glance evaluation of each component’s risk, including the presence and severity of identified threats and vulnerabilities, whether at deployment or runtime. For each element, an in-depth analysis of the detected risk and immediate access to remediation tools complete the components of an optimal container security solution. Panoptica, Cisco’s cloud native application security platform and acquirer of Portshift, bakes in container security from the CI/CD build process, at deployment and runtime, in every pod, cluster, and environment, including service mesh security.

Interested in reading up on container security—including protection from multiple attack vectors and implementing container security with Kubernetes? Read our guide on Kubernetes and multi-cloud security.