Securing Containers.....

Containers, as a technology, is catching up a lot. However, when it comes to securing the containers, various aspects of security needs to be considered. To begin with, lets quickly understand the container fundamentals.

What is container?

A container is an image that is very lightweight and stand-alone piece of software which can contain all the required code, runtime, tools, libraries and settings for running. Containers can run on Linux and Windows OS.

 So, How is it different from VMs?

Virtual machines run on hypervisor based virtualization, where the system emulates the hardware i.e. software system creates individual computers instead of physical computers/servers.

 Whereas, in case of Containers, the virtualization is done at OS level, instead of hardware. Individual instances share part of kernel so that the data gets routed differently.

How do we consider the security in Container world?

As I mentioned earlier, there are different aspects that needs to be considered for security containers.

1. The Container environment/Platform
2. From DevOps perspective i.e. build environment security

 Securing Container Environment/Platform

Container has following stack components which needs to be secured and monitored -

1. Containers - Container itself, which has the code/runtime etc. There is no single tool that can secure the container itself. Proactively monitoring the statistics and analyzing would help comprehend the situation.
2. Container images - These are the templates that would be spun up into container. These templates can be inject with malware and malicious codes. There are tools available which can be used to scan images. However, point to note - this would scan the images for malware etc. But not the application level vulnerabilities.
3. Container Registries - This is the repository of container images. The access to the container registries in-terms who can upload the images/update them needs to be controlled. Else the infected container can be swapped with the normal ones and can cause huge impact in end user environment. Also the system hosting the registry needs to be properly secured, patches and controlled.
4. Daemon - This is the process/service that manages the containers on the hosts. By tampering this service, the intruders can gain unauthorized access & cause damage. This service usually would be running on Linux or Windows system. And hence, the patching and hardening of the Host OS would be extremely critical. Also, Identity management and RBAC should be fundamentals on providing access to Host OS. To mitigate the risk of privileged users, PIM should also be used.

In summary, for all the above components, identity management, roles segregation, platform segregation/isolation, securely storing the sensitive data, encrypting at network & Storage levels, and event logging & monitoring are few controls that are must.

 Challenges -

•  There are multiple Container platforms like Docker, CoreOS rkt, etc.
• There are various components in each stack/platform. These needs to be secured & monitored separately.
• Since container technology is evolving so rapidly, there are released for bugs/fixes and patches released frequently. This makes security team's job difficult to be on top of things.

Build Environment Security

Build environment is where the development team would work on the code and test it. Post the successful testing, it would be migrated to staging/QA based on organizations SDLC.

From build environment perspective, the following points needs consideration -

Source Code Control -

Like any conventional application development environment, Source code control are must to ensure quality, operations in terms of versioning, testing, configuration data and Security.

Again RBAC can be enabled coupled with stronger authentication mechanism to ensure that the access to build environment is secured. Since the containers do not have transparency and using automation to push the code in to production, makes it imperative to have the controls & processes in place.

Build Tools and Controllers:

Today there are many tools available for CI/CD for automating many tedious tasks and make it easier to quickly rollback in case of any issues e.g. Jenkins, VSTS, Chef, GitLab, Assertible etc.

With this automation, the risk of any vulnerability and gap getting pushed in to production amplifies the security risks. Some of the suggested ways to mitigate the risks would be -

• Isolate the build environment at Network level. Block the unwanted network connections to build environment.
• Privileged identity management to build environment servers,
• roles segregation/ RBAC to ensure that the environment is clean,
• Encrypting at network
• Storage levels encryption, and
• event logging / auditing & monitoring the environment

Summarizing

Container security is still evolving and there are no standard tools available that can address the security concern from end-to-end perspective. We would have to live with workarounds and manual controls till more innovation happens in this area.