Container security: why being isolated doesn’t mean protected

By NTT Security Holdings


Published September 23, 2022  |  Security

Google defines a container as a package that contains all the necessary elements for the software to run in any environment. You can think of a container as "virtualizing" the user space of an operating system, allowing an application to run as if it were the only application on that operating system instance. It is because of this flexibility and portability (plus the economic benefits of containers) that we're seeing an uptick in the use of containers across many software settings.

In fact, Gartner predicts that around seven in ten companies will be utilizing at least two applications that implement a container structure by the end of 2022.

But with the popularity of new technology comes a new risk of cyber crime --- and the proliferation of containers has already highlighted certain security concerns.

For example, it has now come to light that more than half of container developers don't run security checks on their products. Couple this with the fact that the majority of DevOps teams do not have security protocols in place for containers and similar technologies, and the scope for security issues to arise becomes all the more clear.

The vulnerabilities of any widely-adopted system need to be swiftly addressed before the risks become overwhelming. One such approach could be to install security measures at every step of the container process.

Let's take a closer look at the importance of container security...

Why container security is essential

To better understand the security implications of containers, you'll need some further background on what they do and why they were created.

Containers were devised so that applications can perform tasks independently and can be packaged and easily distributed throughout a company's systems. They are designed to operate with far less infrastructure than alternatives such as virtual machines (VMs), which is made possible by kernel namespaces.

Because all the containers on one host share the same operating system kernel, it is easier to move laterally between containers once one is breached. The complexity of the supply chain involved in building individual container images also makes those images harder to secure. As a result, containers have become an attractive target for threat actors, as they potentially present a large attack surface.

Ensuring that the image used as a blueprint for the containers is secure is fundamental to the safety of the application. This is because any weaknesses that reside in the image can be used to exploit the application --- and even the entire system that you're using.

So how do container image supply chains work? With the heavy reliance on repositories from the likes of Docker, there is often insufficient knowledge of the security of the software supply chain, leading to the risk that images pulled from third-party repositories are compromised.

Monitoring image production is an essential aspect of safeguarding your setup.

Container security best practices

Assess your host's security

Businesses should use an operating system distribution that is adapted to running containers. If they don't, they could unintentionally expose themselves to threat actors. For example, common operating systems such as Microsoft Windows and Linux both require some configuration to run container workloads smoothly.

Monitor container network traffic

When you have your container up and running within your system, it's a good idea to monitor and analyze the traffic it generates through a network detection and response capability. Traditionally this has meant placing a network monitoring point at the perimeter of the container platform. A more thorough approach is to monitor network traffic on every container host, which gives a more complete picture of the traffic.

Use the best tools for application security

When using your desired application, your working container will create a variety of files as a by-product of usage. It's useful to implement anti-malware tools to analyze these files and ensure that there's nothing malevolent lurking around.

Using an IPS can also provide benefits in the event of an attack. Through an operation known as virtual patching, some IPS solutions can block the weak spot that's being exploited as a short-term measure. This means that you're given the time to redesign the container so it's more robust for separate operations later on.

At NTT, our R&D team has begun to work with threat detection tools that work in real-time to scrutinize container and Kubernetes security. This enables the user to generate a live stream of events occurring within a container platform. It's highly effective at detecting anomalous activity.
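The per-host traffic monitoring described under "Monitor container network traffic" and the live event stream described above both reduce to the same shape: a stream of runtime events, a small set of rules, and alerts for anything that a workload should not be doing. The script below is an added illustration of that shape, not NTT's tooling or any product's output. Its event schema (`ts`, `container`, `image`, `type`, `comm`, `path`, `uid`, `dst_ip`, `dst_port`), the per-image egress baseline, and every sample event line are constructed for this example; a real sensor (eBPF tooling, audit logs, or the runtime's event API) would supply the stream.

```python
"""Rule-based detection over a stream of container runtime events.

Added illustration, not NTT's tooling. The event schema and every sample
line below are constructed for this example; a real sensor would supply
the stream in whatever format it emits.
"""
import json
from typing import Dict, Iterable, List

# Constructed per-workload baseline: outbound ports each image is expected to use.
# A container calling out to any other port is worth a look.
EXPECTED_EGRESS = {
    "registry.internal.example/web": {443},
    "registry.internal.example/worker": {5432, 443},
}
# Process names that indicate an interactive shell was spawned in a container.
SHELLS = {"sh", "bash", "dash", "zsh"}
# Paths that belong to the image layers and should never change at runtime.
IMMUTABLE_PREFIXES = ("/bin/", "/sbin/", "/usr/", "/etc/")

# Constructed sample event stream: one JSON object per line, two containers.
SAMPLE_EVENTS = """\
{"ts":"2022-09-23T10:00:01Z","container":"web-7f9c","image":"registry.internal.example/web","type":"exec","comm":"nginx","path":"/usr/sbin/nginx","uid":101}
{"ts":"2022-09-23T10:00:02Z","container":"web-7f9c","image":"registry.internal.example/web","type":"connect","dst_ip":"10.0.0.5","dst_port":443}
{"ts":"2022-09-23T10:00:09Z","container":"web-7f9c","image":"registry.internal.example/web","type":"exec","comm":"sh","path":"/bin/sh","uid":0}
{"ts":"2022-09-23T10:00:10Z","container":"web-7f9c","image":"registry.internal.example/web","type":"connect","dst_ip":"203.0.113.7","dst_port":4444}
{"ts":"2022-09-23T10:00:11Z","container":"web-7f9c","image":"registry.internal.example/web","type":"file_write","path":"/usr/bin/curl"}
{"ts":"2022-09-23T10:00:12Z","container":"worker-2a1b","image":"registry.internal.example/worker","type":"connect","dst_ip":"10.0.0.9","dst_port":5432}
{"ts":"2022-09-23T10:00:13Z","container":"worker-2a1b","image":"registry.internal.example/worker","type":"file_write","path":"/tmp/job.out"}
"""


def parse_events(text: str) -> List[Dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Apply three rules to each event and return alerts in stream order."""
    alerts: List[Dict] = []
    for ev in events:
        etype = ev.get("type")
        rule = None
        detail = None
        if etype == "exec" and ev.get("comm") in SHELLS:
            # Shells are rarely part of a service's normal process tree.
            rule, detail = "shell_in_container", ev.get("path")
        elif etype == "connect":
            # Unknown images get an empty baseline, so every connection alerts.
            allowed = EXPECTED_EGRESS.get(ev.get("image"), set())
            if ev.get("dst_port") not in allowed:
                rule = "unexpected_egress"
                detail = f"{ev.get('dst_ip')}:{ev.get('dst_port')}"
        elif etype == "file_write" and str(ev.get("path", "")).startswith(IMMUTABLE_PREFIXES):
            # Image layers should be immutable; a write there means tampering or a dropper.
            rule, detail = "write_to_image_layer", ev.get("path")
        if rule:
            alerts.append({"rule": rule, "container": ev["container"],
                           "ts": ev["ts"], "detail": detail})
    return alerts


def summarize(alerts: List[Dict]) -> Dict[str, int]:
    """Alert count per container, to rank which workload to look at first."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["container"]] = counts.get(a["container"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"{a['ts']} {a['container']} {a['rule']} {a['detail']}")
    print(summarize(found))
```

Run as-is, the sample stream produces three alerts, all against `web-7f9c` (a shell spawned as root, an outbound connection to port 4444, and a write into `/usr/bin`), while the worker's database connection and its write under `/tmp` are silent. The egress rule is deliberately per-image rather than global: the same port is normal for one workload and anomalous for another, which is exactly the context a perimeter-only monitor lacks.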

Watch for suspicious activity inside your application

Our next piece of advice is to use a runtime application self-protection (RASP) tool to aid the effective monitoring of your application code.

One of the main strengths of this kind of tool is that it can pinpoint the root cause of an issue when used in conjunction with URL verification or SQL query monitoring, for example. This is because RASP sits inside the application's code, so it is easier to trace the code path that is causing a problem.

Safeguard your container management stack

Effective management of your container stack can go a long way toward preventing vulnerabilities further down the line. 

As container deployments become more complex, appropriate tooling becomes increasingly important for managing them properly. For this reason, Kubernetes is becoming increasingly popular. In cloud environments it is worth considering managed services such as ECS in Amazon or AKS in Microsoft Azure.

Scan the foundation layers of your application

A key part of ensuring solid foundation layers is to carry out scanning operations. Checking container images for defects or weak spots should become an adopted practice --- plus it can be automated easily. 

Scanning the building blocks of your container structure to make sure they're water-tight will prevent issues from arising later. You need to understand the supply chain used to build a container image, and ensure that images are either obtained from a trusted source or have their components scanned.
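The two checks this section asks for, "is the image from a trusted source?" and "do its components carry known weaknesses?", can be expressed as a small gate that a pipeline runs before an image is promoted. The script below is an added illustration of that gate and is not NTT's code or any scanner's implementation. The registry allowlist, the package inventory and the advisories (with placeholder `ADV-` identifiers, not real CVEs) are all constructed; in practice the inventory would come from an SBOM or the image's package database and the advisories from a vulnerability feed, fed into the same matching logic.

```python
"""Image-scanning gate: trusted-source check plus package-version matching.

Added illustration, not NTT's code. The registry allowlist, the package
inventory, and the advisory list are constructed sample data; the ADV-*
identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed allowlist of registries whose images we treat as trusted sources.
TRUSTED_REGISTRIES = ("registry.internal.example",)

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str           # placeholder id, not a real CVE
    package: str
    introduced: Optional[str]  # first affected version; None = every earlier version
    fixed_in: str              # first version that is no longer affected
    severity: str


# Constructed advisories. Package names are real, the version ranges are not.
ADVISORIES = [
    Advisory("ADV-0001", "openssl", None, "3.0.8", "high"),
    Advisory("ADV-0002", "zlib", "1.2.11", "1.2.13", "critical"),
    Advisory("ADV-0003", "curl", "7.80.0", "7.88.0", "medium"),
]

# Constructed package inventory of an image, as an SBOM would list it.
SAMPLE_PACKAGES = {"openssl": "3.0.7", "zlib": "1.2.13", "curl": "7.85.0", "bash": "5.2"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.0.7' into (3, 0, 7); a trailing suffix such as '-r1' is ignored.

    Simplified on purpose: real distro version schemes (epochs, '~' pre-release
    markers, revision suffixes) need a proper comparator.
    """
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [introduced, fixed_in)."""
    v = parse_version(version)
    if v >= parse_version(adv.fixed_in):
        return False
    if adv.introduced is not None and v < parse_version(adv.introduced):
        return False
    return True


def is_trusted_source(image_ref: str) -> bool:
    """The registry is everything before the first '/' in the reference."""
    registry = image_ref.split("/", 1)[0]
    return registry in TRUSTED_REGISTRIES


def scan_image(image_ref: str, packages: Dict[str, str]) -> Dict:
    """Match every package in the inventory against every advisory for it."""
    findings: List[Dict] = [
        {"package": name, "version": ver, "advisory": adv.advisory_id,
         "severity": adv.severity, "fixed_in": adv.fixed_in}
        for name, ver in packages.items()
        for adv in ADVISORIES
        if adv.package == name and is_affected(ver, adv)
    ]
    return {"image": image_ref, "trusted_source": is_trusted_source(image_ref),
            "findings": findings}


def pipeline_gate(report: Dict, block_at: str = "high") -> bool:
    """True if the image may be promoted: trusted source and nothing at/above block_at."""
    if not report["trusted_source"]:
        return False
    threshold = SEVERITY_RANK[block_at]
    return all(SEVERITY_RANK[f["severity"]] < threshold for f in report["findings"])


if __name__ == "__main__":
    rep = scan_image("registry.internal.example/app:1.0", SAMPLE_PACKAGES)
    for f in rep["findings"]:
        print(f"{f['package']} {f['version']}: {f['advisory']} ({f['severity']}), fixed in {f['fixed_in']}")
    print("promote:", pipeline_gate(rep))
```

With the constructed inventory the image comes from a trusted registry but carries two findings (`openssl` below the fixed version, `curl` inside the affected range), so the gate refuses promotion at the default `high` threshold; rebuilding with `openssl` 3.0.8 lets it through. An image pulled from a registry outside the allowlist is refused regardless of findings, which matches the "trusted source or scanned" rule in the text: the gate is the automatable part, the allowlist is the policy decision.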

Protect the structure of the build pipeline

The continuous integration/continuous delivery (CI/CD) pipeline has recently found itself firmly inside the crosshairs of would-be hackers. 

A compromise of any part of the build pipeline can persist for a considerable time, so it's in your best interest to protect it. Shield every stage, from the code repository to the container repository, with a solid access control plan.

How to start securing your containers

If you're just starting out with containers, here are a few handy tips to use them effectively:

  • The new practices involved when using and securing containers can be a lot for existing team members to take on. Ensure that you're promoting a culture of supported learning to ease the transition.

  • Use container-specific hosting platforms that are designed with a minimal footprint to reduce the attack surface. The more surface there is, the more opportunity attackers have to carry out malicious activity.

  • Organize your container grouping so that containers with similar purposes share a single OS kernel. Doing this installs boundaries that help stop threats from traveling throughout your entire system.

  • Implement container security tools that analyze all components of your container infrastructure. Traditional tools are too generic and tend to miss vulnerabilities.

  • Consider hardware-based methods to further establish trust. Trusted Platform Modules (TPMs) can be a good option for stronger authentication and resistance to ransomware.

  • Use security tools that are capable of working with containers and run precise, real-time monitoring.

We've discussed at length the controls that can be implemented to secure a container environment. No matter how many precautions you take, however, the risk remains that a vulnerability has been missed. This underscores the need for detection and response, so that you are covered if an attack bypasses your controls.