Container security: How to get the most out of best practices

Containers are complex virtual entities that provide proven benefits to the business but also require strong security guidelines. Learn how to get the most out of container security best practices.

Containers concept

Image: Avigator Fortuner/Shutterstock

Containers, best defined as an operating system virtualization instance that can run applications, microservices and processes, are a staple in the technology industry. Containers’ flexibility and ease of deployment can help achieve faster deliverables and more robust environments.

SEE: Kubernetes: A cheat sheet (free PDF) (TechRepublic)

Must-read cloud

“Containers have taken us further along the road of abstraction where developers have to think less about their infrastructure. Virtual machines abstracted away hardware resources—containers took that further by hiding the complexities of the operating system,” said Ganesh Pai, CEO, Uptycs, a SQL-powered security analytics platform. “Containers provide robust application image management,  runtime isolation, efficient scaling, resource pooling and they have become an integral part of modern microservices architecture.” 

Chris Ford, VP of product at cloud security and compliance provider Threat Stack, noted how fast they’ve become standard fare. “Containers have quickly moved from an emerging technology to an integral part of many organizations’ cloud strategies. Gartner predicts that by 2022, 75% of organizations will be running containerized applications in production, up from less than 30% today. Why run applications in containers? Efficiency and development velocity are the objectives. Containers help organizations increase the pace of innovation, even as they optimize resource utilization.”

As with everything in technology, however, there are security concerns. SCMagazine.com recently reported that 50% of misconfigured containers are hit by botnets in under an hour, and SecurityWeek revealed that attacks against container infrastructures are increasing, including supply chain attacks.

Container security companies seek to address specific challenges

“Traditional server workload protection technology was built for relatively static on-premises workloads, but is too heavyweight to work well on minimized, ephemeral container workloads,” Pai said. “Also, developers working with containers are often using open-source software that may contain back doors and malware. Because newer continuous integration, continuous development workflows mean that software is updated, tested and deployed faster, it’s advantageous for detection of malware and other vulnerabilities earlier in the process.

“Newer types of cloud workload protection platform tools address these issues as they are built to run either on container hosts or in containers themselves, and they can easily be incorporated into CI/CD pipelines for early detection. Additionally, threat actors are targeting CI/CD pipelines to inject malicious behavior into the supply chain. Observing and actioning telemetry through all stages of agile cloud workload deployments becomes important for SecDevOps teams.”

SEE: From start to finish: How to deploy an LDAP server (TechRepublic Premium)

Ford discussed the challenges of container security. “Container security startups are looking to solve for some of the challenges that containers introduce: the increasingly automated nature of modern software development can exacerbate security issues quickly. Automation can cause misconfigurations, vulnerabilities and malware to become pervasive very quickly. Adding layers of abstraction in cloud infrastructure increases the threat surface, particularly when container orchestration (e.g., Kubernetes) is being used.

He said the challenges with solutions is that they’re focused on a single layer of infrastructure and workloads span a wide range of infrastructure types. This creates “tool sprawl.” 

“Security teams can find themselves overwhelmed by different tools that generate findings for multiple layers of infrastructure: virtual machines, containers, container orchestration, serverless,” Ford said. “This tool sprawl can also hinder visibility to the increasingly sophisticated attacks that span multiple layers of cloud infrastructure.”

The problems this generates: high operational costs, complexity, inefficient workflows, a siloed approach to security and compliance, limited risk visibility, fragmented policies and controls, inefficient risk prioritization and remediation, and siloed audit and compliance reporting.

SEE: How to use CyberPanel to easily manage Docker images and containers (TechRepublic)  

Ford suggested: “Instead of continuing to bolt on additional tools to support new infrastructure types, like containers, security organizations should consider a singular platform-centric comprehensive approach to security and compliance. By increasing full stack observability within your entire cloud infrastructure, organizations have the ability to detect, assess and respond to risk holistically across disparate environments. Security teams and the solutions they use can help accelerate their business’ adoption of modern technologies while also ensuring they can address new risks and support emerging regulations at scale.”

Best practices to secure containers and microservices

Pai said the best way to secure these systems is to make security telemetry easier to manage and analyze. 

“We believe it should be simple to analyze and ask questions about your entire environment and get fast insights by aggregating and analyzing telemetry from cloud workloads running in containers, its orchestration and cloud service providers,” he said. “The problem that we’re solving is getting all this telemetry in one place and in a normalized format so that you can apply security analytics for proactive security (audit and compliance) and reactive security (detection and response).”

SEE: Prisma Cloud can now automatically protect cloud workloads and containers (TechRepublic)

Pai said to focus on telemetry-powered security, which normalizes telemetry from container runtime (osquery), orchestration (kubequery) and cloud providers (cloudquery), and this enables security practitioners to get answers to questions, like, “‘What containers in my environment are running this known vulnerable package?’ or ‘Where else is this file hash appearing across my Kubernetes Cluster?'” 

Ford said that newer companies tend to focus solely on containers, but it’s important to look at their security posture more holistically. 

“Otherwise, painting a picture of overall workload risk can be daunting,” he said. “Disparate solutions generate disparate findings, and while a SIEM can be used to aggregate these findings, the goal should be to prioritize work for security teams, not add more to monitor. It’s critical to have a single place to monitor containers, Fargate workloads, Kubernetes, virtual machines, applications and cloud provider APIs, thereby eliminating the need for multiple tools. The goal is to provide visibility into these workloads, surfacing risky user, file, network and process activity.”

But, most critically, deploying containers quickly: “Companies moving cloud-native infrastructure to accelerate innovation will not have to sacrifice velocity for security. Threat Stack sensors, for instance, are deployed at speed and scale using cloud native tooling, ranging from popular configuration management tools to Kubernetes daemonsets and Helm charts,” Ford said. 

The future of container security

Container security can take a couple different directions, depending on which approach and architectures are adopted, Pai said. “IT, software development and deployment models will lead the charge, and security paradigms will follow. Container runtimes will continue to evolve from Docker, Cri-o, Containerd, and they will likely be complemented by micro VM technologies such as AWS Firecracker and Google gVisor. Additionally, other serverless technologies such as Function-as-a-Service coupled with SaaS services will likely shape container security. No matter which approach prevails, there will always be telemetry for configuration, behavioral/usage trail activity and flow logs. This telemetry will either be accessible directly from the runtime (container) or the service provider (API).”

SEE: Box CEO Aaron Levie: Clear skies ahead for the cloud this year (TechRepublic)

Container security capabilities will be increasingly baked into the fabric of broader security solutions, Pai said. Ford said he believes that security measures will be increasingly automated.

“The scale of cloud-native infrastructure is outpacing security team capacity to respond to incidents” Ford said. “Best-of-breed solutions will combine detection mechanisms (rules, machine learning) to identify the highest concentration of risk and will trigger automated remediation through a flexible integration framework and partner ecosystem,”

Also see