Adopting containers promises great organisational efficiency advantages, but the fast-evolving technology can be problematic for security teams. What do CISOs need to know to safeguard containers?
Container concepts began in Linux systems and were made mainstream by Docker in 2013, which launched containerisation into the global developer community. Advances in the orchestration layer continue to mature and broaden container capabilities – especially within the hyperscale cloud supplier platforms and microservice architecture, such as Netflix or Paypal.
For CISOs looking to help their business safely adopt or continue to use this technology, they must ensure they are equipped to deal with the threats and risks they present. The resultant growth in the complexity and size of IT estate is not unique to containers, but there are four areas a CISO should be considering:
1. Ensure a code pipeline mentality within the security team, using DevSecOps to keep pace and avoid being overwhelmed with manual rebuilds
Patching a containerised application, external dependencies and the application code, requires an update to the base image and a recreation and redeployment of the container. Maintaining the implementation of updates is critical and ensuring security experts are part of your developer teams is key to staying on top of this challenge.
As with any DevSecOps pipeline, you should also take precautions around leaking hard-coded credentials which are embedded within the container images, scanning for vulnerabilities and determining the level of trust in the dependencies packaged with the software. All these activities that help improve the detection of vulnerabilities save the organisation money. Also, don’t forget that in order to patch, you need to be able to replace, stop and restart a container.
2. Implement configuration management and security tools that can cope with the scale
Effective configuration management is crucial. Orchestration services (Kubernetes, AWS Elastic/Azure Container Service), container native configuration management databases (CMDBs) such as Configuration Management by MicroFocus, and a labelling/tagging policy for containers assist with these challenges. Organisations also require a parallel approach for managing the networking security, logging, host OS and container security.
You need a way to protect containers from threats both outside and within your container ecosystem. A macro-level method is to deploy risk zones (or pods, in Docker language) where containers can freely talk to each other within that zone, but have firewall rules on the boundary of the zone. A micro-level method is to deploy agents with the container image to allow dynamic updates or build firewall rules into the CI/CD pipeline. Either method needs a standardised approach across the IT estate, coupled with automated compliance reporting.
3. Implement container resource controls, and host blast radius protections
Availability and scalability are two reasons why organisations have adopted containerisation technology. This presents governance challenges and the need for effective resource management. Applying resource limits to hosts will increase container capacity and allow for performance increases, resulting in reduced running costs and security risks.
Embedding host protection resource management controls within any container architecture will reduce configuration vulnerabilities and critical risks such as Kernel Panic, which can crash hosts and subsequent containers.
Deploying containers in the cloud allows organisations to simplify many security challenges that would otherwise require more manual processes – host management, easier security mechanisms, automation and scaling. You can significantly reduce the impact radius and overall response times to security incidents with automated actions and alerts to developers and the necessary security teams.
A concern for anyone deploying container-hosted applications is the risk of an attacker gaining access to the underlying container infrastructure through a vulnerable application. Management of container privileges, and having a policy on principle of least privilege, is a simple but effective way to reduce this risk and prevent root-level access in the event that an application is exploited.
For all organisations with containerised environments, it is vital to keep an up-to-date risk register covering all potential security risks. This enables essential security teams to monitor and develop underlying issues that could lead to a security breach.
4. Apply the best practice cyber security guidance
The most likely route of attacks and incidents is where fundamental and basic principles are not followed. This is often the result of outdated or non-existent disaster recovery and failover plans, which mean incidents are poorly managed and the organisation fails to recognise that tried and tested procedures are a vital resource in incidents where there are time pressures.
The NIST 800-190 Application container security guide provides best practice on dealing with the most common threats, including:
By automating where possible and developing a strong cyber security culture, containers provide the capability to develop a security architecture that responds to business development and enables you to keep on top of the ever-increasing regulatory burden. By thinking about these four areas, you can put the necessary safeguards into place and make best use of containers to support your business and security objectives.
Alan Taberham and Niall Quinn are cyber security experts at PA Consulting.