Unifying Your Approach to Full-Stack Container Security

Containers are being adopted rapidly by a diverse range of businesses seeking a modularized microservice-based architecture. Containers are highly scalable and allow you to push code out rapidly and frequently. They also enable you to enforce consistent, conflict-free and predictable application deployments.

Saving time and cutting costs is highly desirable for any company. According to a Forrester study, 66 percent of organizations saw developer efficiency increase after adopting containers, and 75 percent achieved a moderate to significant increase in application deployment speed. But diverse hybrid cloud infrastructure can present problems for security and compliance. The right security model is essential to remediate risks and ensure your security is not compromised.

Protection from the Start

The earlier security is considered, the better, so the development of DevSecOps is encouraging. But in terms of containers, that crucial first step is to make sure that you’re starting with safe images. Check your sources, consider image hardening, and check to confirm that the images you’re consuming are free from any known software vulnerabilities. You also need to secure the container host and apply industry standards to secure your infrastructure.

This proactive approach of finding and removing vulnerabilities in base images is far more effective than trying to deal with them later down the line. The further upstream you can monitor and remediate, the faster, easier and cheaper it will be. 

Monitoring Continuously

When they’re configured correctly, containers are supposed to be immutable, but ensuring the right level of isolation between your containers can be challenging. Namespaces and control groups must be configured correctly, or they may be able to see what’s going on in each other’s environments, compromising security. By monitoring what’s going on inside the container, you can potentially catch any configuration mistakes.

This can be challenging because organizations may be running several containers concurrently. To cover the full stack, you’re looking at a virtualization layer that might be hosting one or more operating systems; the actual container runtime, such as Docker, running on top of the OS; and maybe an orchestration layer such as Kubernetes. The median company using Docker runs seven containers simultaneously on each host, and 25 percent of companies run an average of 14 containers or more at once. The average lifespan of those containers is 2.5 days, so there are a lot of moving parts here that need to be monitored.

It’s important to watch out for suspicious users who are somehow instantiating containers. Permit escalation is another common indicator of risk or compromise, and you also need to be vigilant for suspicious services. Monitoring must be tied into notifications and alerts, perhaps through email or Slack, so that security professionals are aware and can act accordingly.

Responding and Mitigating

Building in automated responses to your continuous integration (CI) or continuous delivery (CD) pipeline is important to avoid pushing out insecure code. Build security checks into the workflow and ensure that any failure halts progress and calls the attention of a security professional. They can investigate further and make sure that images are properly hardened and protected from vulnerabilities.

Securing Containers

Gartner predicts that by 2020, more than 50 percent of global organizations will be running containerized applications in production, citing security and governance as key concerns. And, while Forrester research reveals that containers are exploding in popularity, security is still named as the biggest challenge when deploying container technology ahead of data management and cost.

There’s general agreement that container security needs more attention. There are lots of useful suggestions in the NIST document, “Application Container Security Guide,” which advocates a proactive approach stating, “Deploy and use a dedicated container security solution capable of preventing, detecting, and responding to threats aimed at containers during runtime.”

You’ll also find useful benchmarks that you can use at the Center for Internet Security website—something we’ve been heavily involved in developing.

What to Look For

When evaluating technology capable of providing full-stack container security, try to keep six key things in mind. Think of this as a quick checklist:

  • Use safe images
  • Secure your container host
  • Monitor container activity
  • Safe orchestration
  • Protect and monitor your cloud account
  • Ensure DevOps integration

With such a complex system to protect, set against a backdrop of emerging threats and risks, it’s vital to quickly identify gaps in your compliance and security posture, prioritize them and remediate them. The advice in this article should help you take a holistic view and set you on the path to full-stack container security.

Rao Papolu

Dr. Rao Papolu is President and Chief Executive Officer of Cavirin Systems, Inc., a provider of continuous security assessment and remediation for hybrid clouds, containers and data centers. Rao is on the Board of Directors of SRA, Inc., a publicly-traded company, and an Advisory Board Member to Solix Technologies. He received his Doctorate degree from Indian Institute of Technology (IIT), Madras. He has published 25 technical papers in various international journals and was a visiting scientist at the University of Michigan and the Institute of Space and Astronautical Science, Japan.

Rao Papolu has 1 posts and counting. See all posts by Rao Papolu