Container Security
A container is an isolated and lightweight environment for running an application on the host operating system. Containers are built on top of the host operating system's kernel and contain only apps and some lightweight operating system APIs and services. While a container shares the host operating system's kernel, the container doesn't get unrestricted access to the kernel. Instead, the container gets an isolated and, in some cases, virtualized view of the system.
Containers are built from images that are stored in one or more repositories. These repositories can belong to a public registry or to a private registry. A private registry can be installed on-premises or in a virtual cloud environment. A publicly available container image does not guarantee security. To help reduce the threat of attacks, a private registry should be used to store and retrieve images. We can also use a cloud-based private container registry, which most cloud service providers offer as a service. The base image serves as the foundational layer upon which the container is built, providing it with operating system services not provided by the kernel. Container images consist of multiple software layers, and each software layer might have vulnerabilities. Vulnerability scanning should be incorporated throughout the container lifecycle.
New vulnerabilities are discovered all the time, so scanning for and identifying vulnerabilities is a continuous process. The vulnerability scan on containers should be performed before pushing the images to a public or private registry. When a vulnerability is exploited, it generally gives the attacker access and privileges equal to those of the compromised application, so the concept of least privilege, which is a security best practice, also applies to containers. Ensuring that containers operate with the lowest rights and access required to get the job done reduces the risk. The potential attack surface can be minimized by removing any unnecessary processes or privileges from the container runtime. An effective way of reducing the attack surface and preventing developers from making critical security mistakes is to control the flow of container images into the development environment. Image signing can provide a chain of custody that helps to verify the integrity of the container.
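The least-privilege point above can be checked mechanically against the runtime settings that `docker inspect` reports for each container. The following Python is an added example, not part of the original article; the two sample records are constructed, and the particular set of checks is an assumption about what "lowest rights required" means for a typical workload.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/legacy-api",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "CapAdd": ["SYS_ADMIN"], "CapDrop": null,
                  "ReadonlyRootfs": false, "SecurityOpt": null}},
  {"Name": "/web",
   "Config": {"User": "10001:10001"},
   "HostConfig": {"Privileged": false, "CapAdd": null, "CapDrop": ["ALL"],
                  "ReadonlyRootfs": true, "SecurityOpt": ["no-new-privileges:true"]}}
]
""")

ROOT_UIDS = {"", "0", "root"}  # an empty User field means the container runs as root
NO_NEW_PRIVS = {"no-new-privileges", "no-new-privileges:true"}


def audit_container(c):
    """Return least-privilege findings for one inspect record."""
    cfg = c.get("Config") or {}
    host = c.get("HostConfig") or {}
    findings = []
    if (cfg.get("User") or "").split(":")[0] in ROOT_UIDS:
        findings.append("runs as root")
    if host.get("Privileged"):
        findings.append("privileged mode enabled")
    added = host.get("CapAdd") or []
    if added:
        findings.append("capabilities added: " + ", ".join(sorted(added)))
    if "ALL" not in [x.upper() for x in (host.get("CapDrop") or [])]:
        findings.append("default capabilities not dropped")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    if not NO_NEW_PRIVS & set(host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")
    return findings


def audit(records):
    """Map container name to findings; an empty list means all checks passed."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in records}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, findings or "OK")
```

To audit a live host, replace the sample with the parsed JSON from `docker inspect` over the running container IDs.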
Credentials such as passwords or tokens required to log in or to have API access to containers must be secured. All credential secrets should be inventoried, and the use of emerging secrets-management tools designed for container platforms is recommended. We should make sure that the solution includes encrypted databases, TLS encryption for secrets data in transit, and least-privilege role-based access control. An accurate audit trail of administrative access to the container environment should be maintained. These logs might be necessary for auditing purposes and will be useful during a forensic investigation after a security incident.
While container technologies have existed for decades, it was the launch of Docker that made it more practical for organizations to adopt a container-first development and operations model. It is imperative for us now to have a comprehensive program that secures the applications in the container, the applications’ dependencies, the container development pipeline, and the infrastructure that is running these containers.
While containers made it possible for developers to pack their application code with only the required libraries and necessary binaries, making it easy to deploy the application on any platform, it is very important that security is paid the attention it deserves as the containers are now sharing the OS kernel and networking resources.