Introduction
What is container security ? Before I deep dive into explaining about container security. We need to understand what is container and why we need to secure it and how its different from traditional VM security and finally why we cannot use the same technique to secure the containers like virtual machines. Okay – Let’s explore each questions bit further.
What is container?
A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another
https://www.docker.com/resources/what-container/
Container is light weight and easily deployable into any platform. In short, you can test and deploy the container in desktop, server ,laptop ,cloud provider environment or any operating system of your flavour (however, there are some exceptions on different processor and windows operating system how to build and deploy the containers)
What are container risks?
Container risks are not from different VM risks and also you have similar threat vectors such as
- vulnerable application code
- malware
- secret exposure
- unauthorised access
- insecure networking
so why we cannot use the same security software tools to protect the containers just like VM. For that, we have to understand what are the challenges of securing container images.
What are the security challenges?
As we all know VM based execution model you have separate stack for storage, network and process whereas container share the same machine OS system kernels and the isolation is based on linux primitives such as namespace and cgroups which will do the good job for allocation of memory and CPU appropriately but its not hardened enough to provide security boundary for containers
Traditional security tools such as firewalls, Intrusion detection system (IDS) and Intrusion prevention system(IPS) is not container aware and container environments are dynamic which is started and stopped very often so its hard to get visibility and apply policies at rapidly changing environment. so it warrants different approach for securing container workloads
How to secure Containers?
From human persona perspective containers goes through different stages or phases. Phases such as build , deploy and runtime just like any other application code.
build
In build stage, high-level steps involves downloading base images and build the application using docker build
command and store the build images in registry or repository.
Deploy
At deploy stage, human personas interacting with registry and orchestrator API (Kubernetes / Docker Swarm) and deploy the images into runtime compute environment (mostly virtual machines)
runtime
In runtime, containers serves the workloads
So as you see there are different stages before container images started serving application so we have to secure containers are different stages
Let’s explore different stages and identify different mechanism securing containers at different stages
Build
Below are the categories to consider during build stage:
- Image security
- Repository security
- Cluster security
- Host security
Image Security
- Minimal Base images – Less is good 😊 . Build images using trusted base images and one of the minimal image is to use Alpine image which is light weight
- No secrets in the container
- Less is more secure – use one service per container
- Scan the images for software vulnerabilities
- Sign the images during build stage
- The process of creating an attestation is sometimes called signing an image. An attestation is created after image is built. Each such image is globally unique digest. A signer signs the image digest using the private key from a key pair and uses signature to create the attestation. At deploy time, enforcer uses attestor’s public key to verify signature in the attestation.
Repository Security
- Mirror images only from trusted external repository
- Public repositories infected with malware such as crypto-mining
- Use private registry to upload newly built image
- Continuously scan images in the repository
- Remove stale images from the repository
- Stale images are the images stored in the repository without being used. Risk of stale images is not patched and developers accidentally downloading which may introduce new security risks
Cluster Security
- Hardened the Cluster as per CIS benchmarks
- Implement Access Control for control plane API
- Limit the cluster access endpoints to external world
Host Security
- Container Optimised OS
- Container Optimised OS is the minimal OS is purpose built to run container images which is secured by default
- Harden the OS as per industry standard CIS benchmarks
- Scan the OS for vulnerabilities
- Limit the SSH access to the machine and the workloads
- containers are immutable so humans having interactions with machines defeats the purpose of immutability
- Separate the sensitive workloads or same risk profile workloads into different worker nodes so its difficult for the hacker laterally move after initial access
Stay tuned Part 2 of Container Security where we explore the topics about container runtime monitoring to provide visibility inside containers.
Comments
One response to “Container Security: Part 1”
[…] is the continuation of container security: Part 1, in this post we are going to discuss about container runtime […]