14 Best Practices to Secure your Container Environment

Technology is changing at an unbelievable pace, so are the threat vectors and techniques to address them. It’s not a long time ago when packet filtering firewall with some segmentation capabilities was enough to secure your infrastructure. Power the firewall, connect the console, add a few access lists commands, configure DMZ, inside & outside interfaces, create static routes, NAT and you are good to go in production. It was also not long ago when we were working with bare metal servers. Life was so easy for a network and security engineers.

Then came the beast of “virtualization” Virtualization relies on software to simulate hardware functionality and create a virtual machine. This enables IT organizations to run more than one virtual system – and multiple operating systems and applications – on a single server. The resulting benefits include economies of scale and greater efficiency. You may have a single chassis deployed in your organization with 1000 VMs and a single 10G cable connecting to your switching infrastructure (ignore high availability for the time being). Everything starting from network traffic isolation, firewalls, security policies, DMZs, VLANS, etc are configured in the virtual environment. Security engineers hardly adjusted with virtualization technologies and we moved again to a new era of “DevOps”. DevOps is a set of practices that combines software development and information-technology operations which aims to shorten the systems development life cycle and provide continuous delivery with high software quality.

Containers offer several key benefits that help to enable DevOps workflows. A container is a standard unit of software that packages up code and all its dependencies, so the application runs quickly and reliably from one computing environment to another. A container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.

Many suppliers are offering containerization tools and integrating open source container technology into their products and services. Some of the popular suppliers are Docker, Microsoft,AWS,Oracle,Google,Redhat etc.

Let’s look at the main components of a docker container:

The Docker daemon: The Docker daemon (dockerd) listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. A daemon can also communicate with other daemons to manage Docker services.

The Docker client: The Docker client (docker) is the primary way that many Docker users interact with Docker.

Docker registries: A Docker registry stores Docker images.

Docker objects: When you use Docker, you are creating and using images, containers, networks, volumes, plugins, and other objects. This section is a brief overview of some of those objects.

IMAGES: An image is a read-only template with instructions for creating a Docker container.

CONTAINERS: A container is a runnable instance of an image.

SERVICES: Services allow you to scale containers across multiple Docker daemons

SECURING YOUR CONTAINERS

Container security is the protection of the integrity of containers. This includes everything from the applications to the infrastructure they are dependent on.

Follow these recommendations to help ensure the security of container technology implementations and usage:

1. Adapt your operational processes to the new containerized model. Embrace the recommended practices for securely building and operating apps within containers.
2. Use hardened container-specific host OSs instead of general-purpose ones to reduce attack surfaces. When using a container-specific host OS, attack surfaces are typically much smaller than they would be with a general-purpose host OS, so there are fewer opportunities to attack and compromise a container-specific host OS. A
3. Group containers with the same purpose, sensitivity, and threat posture on a single host OS kernel. Segmenting containers by purpose, sensitivity, and threat posture provides additional defence in depth. By grouping containers in this manner, organizations make
4. it more difficult for an attacker who compromises one of the groups to expand that compromise to other groups.
5. Adopt container-specific vulnerability management tools and processes for images to prevent compromises. Organizations should use tools that take the declarative, step-by-step build approach and immutable nature of containers and images into their design to provide more actionable and reliable results.
6. Use container-aware runtime defence tools. Utilize a container-native security solution that can monitor the container environment and provide precise detection of anomalous and malicious activity within it.
7. Secrets, which include API keys, login credentials, and tokens, should be stringently managed to ensure container access is limited to privileged users. User access can also be defined by role-based access control, allowing you to limit access to an as-needed basis.
8. Monitor your container environment for suspicious behaviours such as network calls, API calls, and unusual login attempts.
9. Consider using hardware-based countermeasures to provide a basis for trusted computing.
10. Extend security practices across all tiers of the container technology by basing security on a hardware root of trust, such as the Trusted Platform Model (TPM).
11. Use registries that have a valid registry certificate or ones that use TLS to minimize the risk of traffic interception.
12. Use only trusted base images when building your containers.
13. Use minimal base images that don’t include unnecessary software packages.
14. Build a process that regularly identifies and removes stale or unused images and containers from the host.

Here is a list of some key vendors who can help find vulnerabilities, block threats, maintain compliance, and examine activity to secure containers. 

Anchore Enterprise: Anchore Enterprise performs deep analysis on container images, defines policies to certify images, and ensures compliance standards and organizational best practices are met.

Aqua Cloud Native Security Platform: The Aqua Cloud Native Security Platform provides full lifecycle security for container-based and serverless applications. It secures applications before they are deployed, mitigating risk, enforcing immutability and easily detecting and blocking anomalies based on the application context.

Qualys: Qualys expanded its container security platform with the acquisition of Layered Insight in 2018. Qualys Container Security offers deep visibility as well as the ability to detect and prevent security breaches during runtime.

Aporeto: Aporeto is acquired by Palo Alto.Aporeto has positioned its container security platform as being about application identity. The Aporeto technology provides multiple elements that can help organization enforce application identity, including access control, runtime protection and network security functions.

Aqua Security: Aqua provides full dev-to-prod security across your entire CI/CD pipeline and runtime environment, giving you end-to-end visibility and protecting your applications against attacks.

NeuVector: NeuVector takes a networking-focused approach to container security, providing automated segmentation capabilities and attack detection.

StackRox: The StackRox platform provides security capabilities for the build and deployment phase of container usage as well as runtime threat detection features.

Twistlock: Holistic Protection – Host, Network, and Application. Securing VMs, containers, serverless functions, service meshes, or a mixture of all.

DevOps technologies are in demand and will continue to grow, as will the need to put in place the right practices and security controls. The most effective way to ensure security with containers is to take a risk-based approach. A systematic approach to risk that should be incorporated throughout the entirety of your DevOps lifecycle, rather than treating containers as a single component. This forces you to be proactive rather than reactive which promotes continual improvement.

References:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf

https://about.gitlab.com/blog/2019/08/27/beginners-guide-container-security/

https://www.redhat.com/en/topics/security/container-security

https://docs.docker.com/get-started/overview/