Container security is the process of using tools and setting policies to ensure that containers are safe from threats and operate in a secure environment while also protecting the organization’s infrastructure from attack.
Container security is important for the same reason that all network and application security is important — containers compromised by a malicious third party could not only corrupt the processes and tasks that the container is undertaking, it could also open the door for a cascade of additional attacks against the organization’s network.
Container security is naturally a complicated subject because of the general complexity of the container environment. A team’s container security strategy must secure containers and the code running within them, container dependencies and libraries, container deployment, application development, DevOps and orchestration platforms — and the broader infrastructure upon which all of these technologies operate.
In order to protect the enterprise, the security of containers must be a key part of the development process, largely because container security is considerably more difficult to implement after you’ve deployed your container environment. In this article, we’ll dig deeper into the best practices for securing containers and containerized applications, and discuss the challenges of securing the various container platforms that are popular in the market.
What Is Container Security: Contents
What is a container?
A container is a small, lightweight, standardized piece of code that is designed to be modular and portable, allowing teams to deploy it easily on any computing environment. Containers are called such because they contain an application’s code along with the code’s dependencies that allow it to run, such as system libraries and various settings. Containers do not contain operating system code, however, and they operate on top of a shared OS environment, making them small and fast. The typical container is just a few hundred megabytes in size, whereas the typical virtual machine (which does include operating system code) can be 80 gigabytes or more.
Containers are a key element in the development of microservices, which break down code into single-function modules that are loosely coupled and independently deployable. Conceptually, microservices allow for rapid development and easier management of complicated applications. IDC recently predicted that “by 2023, more than 500 million new logical applications will be created — equivalent to the number of applications created in the past 40 years,” and that containers would be a critical component of that trend.
Container technology has congregated around two major platforms, Docker and Kubernetes. In addition, all of the major cloud service providers offer a range of tools designed to streamline container development, deployment and management.
As containerization has become the dominant environment for deploying applications, the need to secure them has correspondingly grown. One of the selling points for containers is that they are widely perceived as more secure than traditional applications, although in actuality they are neither more or less secure than other applications.
The biggest problem driving container security is attributed to the nature of containers. While code runs faster on containers, their inner workings are relatively invisible to operations. Security challenges emerge when the ops or security teams may unintentionally overlook threats, access control issues and other security problems, and container developers may be oblivious to the trouble spots in their code.
Container security is even more complex because of how broadly it impacts the environment, affecting not just the container runtime but also the development, build and orchestration environments and related security policies. Securing a container means ensuring that it does not contain malicious code while also protecting the larger ecosystem from attack.
As development increasingly migrates to containers, their security will become even more essential. Containers’ relative opacity as outlined above makes security, and associated security tools, critical in initial development. And because containers in general — and the techniques required to secure them — are relatively new, container security needs to be implemented correctly from the beginning, before a major incident occurs.
Security remains a significant concern (if not the top concern) for anyone involved with container development and deployment. Many believe that container security is already falling behind and that the industry has now been forced into a role of playing catch-up with remediation. Also, while numerous security tools are available to improve security posture, many organizations lack a true container security strategy.
Container security revolves around five key areas that include container development, container registries, container runtime environment, container orchestration and underlying network and architecture.
Containers themselves are not inherently more or less secure than non-containerized environments, but their complexity does create security challenges that teams must carefully manage. Many of these vulnerabilities are due to configuration errors: A recent study by Security Boulevard found that 67% of respondents had a serious misconfiguration in their container or Kubernetes environment and that 90% of respondents had experienced a security incident in their container or Kubernetes environment in the last 12 months.
Containers in cloud-native environments can and should be as secure as any other type of computer infrastructure, but as with any cloud security-related undertaking, a secure environment is often a work in progress.
A wide range of threats are common in a containerized environment. Some of the most common attacks and vulnerabilities include:
Container security and related container security solutions, along with cybersecurity, represent different disciplines and require different skill sets, largely because the tools that teams used to develop, manage and orchestrate containers are different from those they use for managing the network. Although both environments are likely to be the foundation for container operations, security in Kubernetes means something much different than security on an open source Linux server or an Amazon Web Service (AWS) environment.
However, almost any threat that can impact the enterprise network environment may also represent a threat against the container environment. And a container is only secure if the infrastructure it’s running on is also secure.
Docker cites four main considerations for security — the intrinsic security of the kernel, the Docker daemon attack surface, container configuration errors or loopholes and kernel hardening security features. If you address these issues thoughtfully, your Docker containers should be as secure as any other type of code.
As Kubernetes is a management and orchestration tool, “security” means something different than in the Docker environment. Kubernetes security revolves around the server(s) upon which the Kubernetes cluster is running, the cluster infrastructure, and the components and configuration of the cluster itself, making it closer to network-based cybersecurity than to security embedded in code development. While Kubernetes is widely regarded as a tool that has improved security for containerized environments, it is only as secure as the policies and principles of the people who manage it.
There are several container security best practices that you can apply to create a solid foundation for your container defense strategy.
The most significant challenges with container security are around making security an integral part of the container environment. This entails following the below practices for the organization’s operational, supply chain and managerial processes:
The shift toward containers has given developers more responsibility around security. Consequently, developers will need to spend time learning what trusted container image development really means, how to properly vet code for security, and how to adopt continuous security assessment tactics and minimize the attack surface of the overall container by removing unnecessary components. To truly keep containers secure, developers also need to have end-to-end visibility into their entire container environment, allowing them to immediately detect and block malware and other security threats before they cause significant damage. With strong attention to some basic security best practices and benchmarks, administrators can make containers as secure as any type of code.
Container security deserves increasingly more thought and attention, especially as container technology continues to dominate the enterprise. As an evolving computing environment reveals new threats and vulnerabilities, it will be imperative for security professionals to include container security explicitly in their best practices and posture. Protecting the containerized environment is the first step to protecting the enterprise, its infrastructure and its customers.