Orchestration: Avoiding Container Vulnerabilities

Container orchestration is essential in helping mitigate the security challenges that arise with containers

Containers and containerized applications running on cloud resources are delivering new levels of speed and efficiency to modern development teams. Containers are optimized for agile deployment, so they require less coordination and oversight than on-premises or virtualized infrastructures and, in many cases, are simply more flexible. Automated, continuous integration and delivery pipelines help ensure code is appropriately tested and staged before being moved into production.

However, containers create new cloud security challenges. While these architectures are dynamic and support automated application deployment, the very things that make them valuable also present new threat vectors. DevOps and SecOps teams need to be aware of these potential issues and prepare for them with these considerations:

  • Unlike virtual machines, containers share the host OS that they run on. If configurations aren’t managed properly, the host and all of its containers can be exposed to security issues.
  • Orchestration automation adds a layer of complexity, which can result in misconfigurations that overprovision access and, subsequently, an increased attack surface.
  • Containers are built from images stored in public or private repositories; these are often dependent upon other images, and a single vulnerability in any of them could proliferate to thousands of containers.
  • Containers are ephemeral, which makes IP address-based security controls less effective and forensic investigations more difficult. Reuse of IP addresses also confuses traceability.

Advantages of Speed Through Orchestration

When developers push a containerized application to a test environment, the CI/CD pipeline takes over. Orchestration can be complex and care must be taken to not introduce new security vulnerabilities into the process. Therein lies the need for a different security model for containers.

Containerized applications can also be created as microservices to handle very specific tasks. For example, one microservice could fulfill search requests and another could update customer information records in a database. Containerized applications running as microservices, in many cases, are easier to dynamically test, distribute and deploy than their monolithic counterparts. Microservice architectures will result in many more unique containers that each must be managed and secured.

These applications will ultimately transact a lot of sensitive data; security has to be not just a consideration, but embedded into the container development process.

The Container Security Equation

Many of the security risks introduced by containerized applications and their supporting services and infrastructure can be discovered, and then mitigated or remediated, through deep visibility into the organization’s environment combined with analysis of security events. When that analysis provides context and details about behavioral anomalies, organizations can identify the issues in their orchestration processes and fix them before they do serious damage.

The following recommendations are essential to avoiding container security vulnerabilities:

  1. Visibility into vulnerabilities and misconfigurations: Extend your vulnerability management program to include your container technologies. Look for solutions that identify vulnerabilities in your host OS, container images and the containers themselves using real-time analytical data collected across your infrastructure. Misconfigurations in container provisioning could result in a larger, more vulnerable surface area or allow untrusted access to trusted resources. Resources such as the CIS Benchmark provide prescriptive security guidance for most operating systems and many applications including Docker and Kubernetes.
  2. File integrity monitoring (FIM): Consider container-aware real-time FIM tools that alert when new applications are installed, changes in key container configuration files occur or if tampering of container logs occurs. FIM tools should identify the process or user that changed a file and these tools should recognize activity within and around a container as well.
  3. Use trusted images: Containers are built from images stored on public or private repositories. Understand where your images are sourced and look for tools to scan these images for any vulnerabilities. Remember that one vulnerability in a single image will proliferate into every container based on that image.
  4. Default to least privilege: Establish organizational discipline around access. Regularly audit and review root and other superuser access and remove privileged access from processes that do not require it. Docker containers are granted access to specific namespaces including network, processes, inter-process communications, file system mount points and the kernel. Document and understand all shared access to these namespaces and look for instances of inappropriate privilege. For example, mounting the host OS /etc directory into a container as a volume could result in a serious security vulnerability.
  5. Secure your administrative dashboards: An effective dashboard can simplify your orchestration and cloud administration. All your cloud and container assets are visible in one view, but an attacker who gains access to a dashboard can quickly gain access across your entire environment. Use multi-factor authentication (MFA) and audit access. Inventory subscriptions and access control lists (ACLs) to ensure every asset is appropriately secured.
  6. Anomaly detection: Most security teams will send container logs to a centralized server for analysis and then alert on suspicious activity. Because of the highly dynamic and ephemeral nature of containerized environments, this won’t be enough. Analysis through machine learning, which can apply behavioral context, is the most effective way to detect anomalies. This is the most accurate way of identifying issues and needs to become part of the security team’s standard operations.
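
As an added illustration of recommendation 4 (not part of the original article), the following Python audit reads the JSON array that `docker inspect` emits and reports containers that run privileged, share host namespaces, add capabilities, run as root or bind-mount sensitive host paths such as /etc. The function names, the sensitive-path list and the two sample containers are assumptions constructed for this example.

```python
import json
from pathlib import PurePosixPath

# Host paths whose exposure to a container counts as a finding (assumed list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/var/run/docker.sock")

def exposes(source, sensitive):
    """True if a bind-mount source is the sensitive path or lies inside it."""
    src, sens = PurePosixPath(source), PurePosixPath(sensitive)
    return src == sens or (sensitive != "/" and sens in src.parents)

def audit_container(c):
    """Return least-privilege findings for one `docker inspect` object."""
    host = c.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged mode")
    for key, ns in (("NetworkMode", "network"), ("PidMode", "process"), ("IpcMode", "IPC")):
        if host.get(key) == "host":
            findings.append(f"shares host {ns} namespace")
    for cap in host.get("CapAdd") or []:
        findings.append(f"added capability {cap}")
    user = (c.get("Config") or {}).get("User") or ""
    if user.split(":")[0] in ("", "0", "root"):  # empty User means the image default, root
        findings.append("runs as root")
    for m in c.get("Mounts") or []:
        src = m.get("Source", "")
        if m.get("Type") == "bind" and any(exposes(src, s) for s in SENSITIVE_HOST_PATHS):
            mode = "read-write" if m.get("RW") else "read-only"
            findings.append(f"host {src} mounted {mode} at {m.get('Destination')}")
    return findings

def audit(inspect_json):
    """Map container name -> findings, omitting containers with none."""
    found = {c.get("Name", "?").lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}
    return {name: f for name, f in found.items() if f}

# Constructed sample in the shape of `docker inspect` output (trimmed to the fields used).
SAMPLE = json.dumps([
    {"Name": "/search", "Config": {"User": "1000"},
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "PidMode": "", "CapAdd": None},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/idx/_data", "Destination": "/data", "RW": True}]},
    {"Name": "/customer-db-sync", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "NetworkMode": "host", "PidMode": "", "CapAdd": ["SYS_ADMIN"]},
     "Mounts": [{"Type": "bind", "Source": "/etc", "Destination": "/host-etc", "RW": True}]},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```

To audit a live host, pass `audit()` the output of `docker inspect` for the running containers in place of the constructed sample.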

Containerized applications deployed in the cloud make it easier for organizations to more quickly give needed services to their customers. There continue to be exciting advances in technologies that analyze behavior in real-time to monitor for and alert on misconfigurations and other vulnerabilities in cloud-based container infrastructures. Coupling these technologies with anomaly analysis and evolved security best practices will create the necessary threat detection, protection and response controls essential to keeping these dynamic clouds secure.

Dan Hubbard

Dan Hubbard is Chief Product Officer at Lacework, responsible for driving the company’s product and security strategy for public and private clouds and security research. A pioneering force in Internet security, Dan’s expertise spans from reputation and advanced classification systems to large-scale security data mining and cloud security. Prior to Lacework, Dan was CTO at OpenDNS, where he helped deliver the world’s largest cloud security network that led to the $600M acquisition by Cisco. Prior to OpenDNS, Dan was CTO at Websense, where he led R&D, launched the Websense Security Labs, and was instrumental in the company’s success from early days through successful IPO. Dan owns several patents in the areas of data classification and cloud security and is a frequent speaker at security conferences globally.
