César D. Velandia

Container Security


Challenges

  • Traditional tools aren't fit to secure containers (and kubernetes): too heavy handed such, e.g., EDR, vulnerability scanners, hostbased firewalls, network forensics, security analytics.
Alternative dedicated lightweight tools are being used – and dahsboards are specific to containers, distributed and transient
  • Playbooks used previously (e.g., security on VMs) don't work well in this context.
  • Emerging players offer new tools but gaps in features and overall direction still prevalent. A changing landscape forces all stakeholders to adapt quickly.
  • Container adoption has sky-rocketed due to cost-effectiveness, agility and scalability (33% global developers use containers¹.
  • Security in containers is usually addressed after the fact.
  • Slim minimal containers are easier to secure but it is often the case that containers images have unnecessary elements (tools, libraries, agents)
  • Existing compliance and security constrains don't map well for containerized applications. The same case applies to existing auditing protocols. Containers are usually treated as virtual machines which is inaccurate.
  • The common practices for running containers is to deploy them in a distributed via orchestrators, the diversity and spread of these deployments is a challenge for conventional monitoring and security management tools.
  • Ensuring image integrity and authenticity can be challenging as images come from difference sources, are used and modified freely across organizations. New rules regarding permitted images, registries and verification of images are needed.

Recommendations

  • Implement container security policies and and tools in collaboration between dev and security teams, where broad requirements, policies, etc. are set by the security team and operational decisions are made by development engineers.
  • Implement solutions using new tools and watch out for larger players adapting to this trend through extended functionalities, acquisitions, advanced scanners.
  • Implement container security across all the development cycle.
  • Implement clear control policies in images, e.g., start projects with verified and secured golden images that have been tagged.  Limit image registries intially to private internal ones to set a secure baseline. Your new projects should use private images.
  • Secured administration acess to the platform is essential, apply zero trust principles to container use. Integrate container use with well-known secret management solutions. Couple access with existing RBAC to container related infrastructure such as orchestration engines and prevent priviledge scalation.
  • Limit push access to container registries which most likely should only be deployment and integration pipelines as opposed to teams and contributors.
  • Scan images for potential secrets and harden images by keeping them with minimal dependencies, components, libraries, config files, etc. Also verify segmentation and microsegmentation limits to manage inter container communications.
  • Script everything and automate all processes, from container building, configuration and deployments. Include in such process automated vulnerability scanning. Aim for a large fleet of carefully defined containers that are secure, mininal, and efficient. Forget about runtime patching as it might conflict with build pipelines and image scanners.
  • Define a consistent policy by implementing templates for new containers that already secured at the kernel and network configuration, comply with regulations and so on. By using templates functionality can be extended while minimizing changes that might breach policies. Add auditing and log trails for new containers so it is clear which template are using and what has changed.
  • Include training about new technologies to avoid applying old paradigms to new implementations, this could be achieved by scenario based training and sharing common issues across multiple teams.
  • Look out for a container security vendor that works well for your needs. Since the market is growing, many players are actively looking for feedback and implementing features on request.
  • Set a clear container governace and policy guideline that can be used during discussions as a reference point. It should include service level agreements, remediations, and escalation paths. Include access control policies with accountability and authorization records.
old tools insufficientbloated imagesawareness gapshigh container spreaduncontrolled accessstricter img control policiesdeploy containers w/ zero trustautomate deployment, no patchingimplement an image template systemimprove new tech trainingfind the right vendor & give feedbackSet a container governance & policy guidelineChallengeRecommendation