Containers are often penetrated by attacks like access control or application code exploits, or attackers take advantage of container image vulnerabilities. This can lead to kernel panics, the execution of privilege escalations, or other threats against your system.
Despite these risks, containerization offers several benefits. They’re fast, lightweight, making it easy to replicate your apps’ environments. They're also a great asset during the testing and refinement phase of the development process.
Without adequate security measures, containers could expose your process to threats you wouldn’t have to deal with otherwise. The benefits, however, certainly outweigh the risks. Here are five actionable steps you can take to enhance your container security.
1. Trim the Fat Off the Operating System
You should remove any bells, whistles, and unnecessary assets from the operating system that your container will be running in. Although this may seem like an alarmist approach, the fact is that cybercriminals use each of the various services performed by operating systems as attack surfaces. Even if you have a system hosted via private or public cloud, removing everything extra (besides the cloud security features) can prevent a critical security issue.
Therefore, you should try the following:
- Identify the systems that need to support your container
- Discard everything else
- Test your container after the first go-round of deletions
- Look for any unnecessary functions you may have overlooked the first time and discard those
- Test the container again
Why You Need to Take Excess Features Off Your Container’s OS
The reasoning that justifies this approach is relatively straightforward. Each workload has its own requirements. The container workload, for example, has update cycles, stack architectures, access control parameters, security tools, and other important features of DevOps processes that an OS has to manage. This is true whether you use virtual machines or traditional environments.
Each of these features has security protocols suited to meet its needs. At the same time, another app running on the host OS has its own infrastructural requirements. Not only do these extraneous apps steal resources from the OS away from your DevOps teams, but each one, inadvertently, creates an additional attack surface. This is because container security measures invariably require different resources than those designed to secure the other programs. While your OS may be able to protect auxiliary application code, it may leave your containers exposed.
2. Distrust the Software that Came with the Container
It’s important to keep in mind that, other than the provider’s claims, you have no idea how strong container security measures are, never mind how they work. Some important questions include:
- Did the provider perform the necessary vulnerability scanning?
- What kind of intrusion prevention system did they implement?
- When combined with your containerized applications, does the environment expose them to unexpected risks?
Because you don’t know the details of the security tools bundled with the container, you can’t see or predict potential vulnerabilities. Therefore, before putting your faith in the protections that come with your container package, try implementing these security best practices:
- Double-check the container’s contents
- Do not run a container if it has obsolete software
- If you’re unfamiliar with the software, gain an understanding of how it works before deploying it
- Check each program and library to see if they do, indeed, provide the latest and greatest protections
3. Inspect the Container’s Runtime
Because the runtimes are responsible for launching and managing containers, you need to carefully track their security patches. Runtimes have been known to have distinct vulnerabilities. While this isn’t necessarily common, the potential fallout is significant.
For example, in some instances, the runtime configuration may give the container full access to the devices of the host, as well as its directories. In that case, the container, once infected with malware, could be used to launch an attack on the host. Furthermore, if you haven’t implemented adequate network segmentation, other containers and areas affected by network communications could get infected as well.
Vulnerabilities may be more pronounced in older runtime programs. Although the program may have been sound when it was first coded, since its inception, cybercriminals have been designing new attack methods. Hence, the chances of vulnerabilities being exploited in legacy runtime programs rise month-by-month. Also, in an open-source environment, it can be difficult to differentiate trusted sources from suspicious ones, which further underscores the need for caution.
4. Ensure Full Visibility
With the adoption of containers, the number of systems running on bare metal virtual machine workloads can increase exponentially. Due to the encapsulated nature of containers, you can’t assume that visibility of the workload hosting the container provides adequate visibility for the container itself. It’s important to view each container as its own entity and put visibility measures in place accordingly. To ensure full visibility, you should:
- Detail the location of each container
- Outline what each container is doing
- Map the flow of data going to and from the container
- Outline the resources each container can consume, including applications, files, and those of the operating system
This last measure is crucial because while the container itself may be secure, it draws resources from other places. Therefore, it may, inadvertently, cause vulnerabilities somewhere else. Furthermore, depending on your industry, you may need to establish the necessary compliance standards that apply to each container’s data.
5. Use Network Segmentation
When a network is thoughtfully segmented, you get the benefits of custom-designed security solutions for each segment combined with the enhanced control that results from minimizing your respective protection surfaces.
How Network Segmentation Secures Your Containers
A non-segmented network is like an apartment with no walls. If pests were to get inside, they would have free reign to propagate throughout all the living spaces. A network without segmentation has the same kind of core vulnerability. Containers, despite their name, are not inherently “contained” and protected from malware, viruses, and other cyber-pests.
If you use network segmentation to structure your network so the containers have their own segments, a threat to one segment doesn’t impact the others. In effect, you’re constructing pest-proof walls. Even if a cyber threat was able to get inside, it would be stuck inside that one segment. This stops lateral, or east-west contamination, leaving your team free to maintain productivity — even if a cyberattack penetrates one section of the network.
Through the use of network segmentation, triple-checking your container security, inspecting runtime programs, and removing excess apps off your OS, and ensuring full visibility, you can create a safer, more productive environment for your DevOps teams.
Discover how Zero Trust segmentation can help protect your organization.