For containers, host OSes and cloud environments, enterprises need to employ access controls that grant only the permissions an individual or group needs to perform their duties and withhold the abilities their jobs do not require. This approach aligns with how access controls are used across all of information technology. “You need to enforce the general principle of separation of duties in the container world as you would elsewhere,” says Eric Chiu, president and co-founder of HyTrust, a cloud access control and security firm.
Separation of duties means that different administrators and groups should not have access to each other’s playgrounds. Those who manage containers should not have the same access as those who manage the host OS or the cloud environment in general, and the same holds for every role. “If you don’t have a clear separation of access control and enforce that separation, you get the potential of a DevOps group that mucks with the underlying Linux environment, or the Linux administrator that mucks with the application containers,” says Chiu.
There have been instances where attackers who compromised a cloud administrator account gained control of the containers and the whole environment because access was not properly managed. The company Code Spaces was one such example. “An outside attacker gained administrative control over Code Spaces’ Amazon account. When that company did not pay the ransom the attacker requested, he deleted everything in terms of their EC2 and S3 environments. The company was out of business the next day because all of its IP, all of its core systems were gone. They had no backup because the backup was in S3,” says Chiu.
Containers are a unique platform. Don’t assume that existing controls and IAM tools will address the new security concerns that come with them. Legacy access control tools for Linux or networking solutions won’t cut it. “There are access control products like HyTrust for the virtual infrastructure, but you know, containers enable a whole new set of capabilities that will have to have their own unique set of access controls,” says Chiu.
The lack of container technology maturity means that there is no overarching vendor and no advanced container security management solution. (Not everyone uses Docker, and even if they did, its security is still in development, though Docker has addressed many security issues with the current CIS Benchmark.)
Beyond Access Control
Until mature container security tools arrive, enterprises should consider measures such as whitelisted application containers, which you can confirm are known good and not hacked or altered from their intended state. “If someone injects a vulnerability into a container and you download that container and propagate it across your entire development or, God forbid, your staging or production environments, you have potentially propagated a security vulnerability across a large part of your infrastructure,” illustrates Chiu.
Whitelisting is key whether you’re downloading containers from an Internet-based library or using containers that you develop internally. “If you have developed a container that has a certain application in it and you have hardened and secured it, you need to make sure that the next time somebody grabs that container, it hasn’t been tampered with either accidentally or purposely,” explains Chiu.
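The whitelisting Chiu describes in the two paragraphs above comes down to pinning each approved image to the digest of the manifest that was reviewed, and refusing anything else. The following is an added example, not code from the article or from HyTrust; the registry name, image names and manifest contents are constructed.

```python
import hashlib
import json
from typing import Optional, Tuple

def manifest_digest(manifest: bytes) -> str:
    # An OCI/Docker image digest is the sha256 of the exact manifest bytes, so
    # any change to the manifest, or to a layer digest it lists, changes it.
    return "sha256:" + hashlib.sha256(manifest).hexdigest()

# Constructed manifest standing in for the image that was reviewed and hardened.
APPROVED_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "config": {"digest": "sha256:" + "11" * 32},
    "layers": [{"digest": "sha256:" + "22" * 32}],
}, sort_keys=True).encode()

# Allowlist of known-good images, keyed by the reference developers actually
# pull and pinned to the digest that was approved. Hypothetical registry/name.
ALLOWLIST = {
    "registry.example.internal/app/web:1.4": manifest_digest(APPROVED_MANIFEST),
}

def split_reference(reference: str) -> Tuple[str, Optional[str]]:
    """Separate 'name:tag@sha256:...' into ('name:tag', pinned digest or None)."""
    name, _, digest = reference.partition("@")
    return name, (digest or None)

def check_image(reference: str, manifest: bytes) -> Tuple[bool, str]:
    """Decide whether a pulled image may run: the reference must be on the
    allowlist and the manifest actually fetched must hash to the approved digest
    (a mutable tag alone proves nothing, so the fetched bytes are always checked)."""
    name, pinned = split_reference(reference)
    expected = ALLOWLIST.get(name)
    if expected is None:
        return False, f"{name}: not on the allowlist"
    if pinned is not None and pinned != expected:
        return False, f"{name}: pinned digest {pinned} is not the approved build"
    actual = manifest_digest(manifest)
    if actual != expected:
        return False, f"{name}: fetched manifest {actual} does not match approved {expected}"
    return True, f"{name}: verified {actual}"

def tampered_manifest() -> bytes:
    """Constructed tampering: one extra layer appended to the approved image."""
    doc = json.loads(APPROVED_MANIFEST)
    doc["layers"].append({"digest": "sha256:" + "ee" * 32})
    return json.dumps(doc, sort_keys=True).encode()

if __name__ == "__main__":
    ref = "registry.example.internal/app/web:1.4"
    print(check_image(ref, APPROVED_MANIFEST))          # allowed
    print(check_image(ref, tampered_manifest()))        # denied: digest mismatch
    print(check_image(ref.replace("1.4", "latest"), APPROVED_MANIFEST))  # denied: not listed
```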
Hardening is another approach to container security. You can harden the underlying OS by closing needless accounts and terminating services such as SSH, and harden the container platform itself, for example by making its configuration files read-only.
Vulnerability scanning and pen testing are measures that can highlight holes in the container environment. “Given that the host OS is a general purpose Linux OS or potentially a Hypervisor, you can use most of the existing vulnerability scanning tools to test these. However, I don’t believe that these necessarily scan for specific attributes of container technologies themselves. Over time, those vulnerability scanning tools will evolve so that they’re also scanning for specific container-related elements,” says Chiu.