Building a Highly Secured Container Platform

While Containers and related technologies provide a multitude of benefits over Virtual machines, usage of Containers pose unique security challenges that need to be thoroughly assessed and mitigated. When it comes to Container Security, it is essential to take a step back and look at the security posture of the complete Container environment. Traditional, time-tested security techniques like access control, encryption etc. need to be augmented with ones that address the unique security risks posed by Containers.

Unique Security Challenges posed by Containers:

• Kernel-level threats: A container shares the host kernel along with other containers. Though this provides unique benefits in terms of better utilization and instant scaling, it exposes the host kernel to attacks and vulnerabilities from an infected/compromised container. Once the host kernel is compromised, it leads to compromising other containers on the host. Should a container cause a kernel panic, it will take down the whole host, affecting all the containers. Whereas in a virtual machine, damage arising due to such situations will be entirely confined to the individual VM only. If an attacker hacks into a Container, it becomes easy to gain access to the Host Kernel. In VMs, an attacker would have to route an attack through both the VM kernel and the hypervisor before being able to touch the host kernel. If someone can leverage a security flaw to get inside the host kernel, they can get into all the other containers running on the host. 
• Malicious Container Images: A Container image is prone to get infected with malicious software quite easily, if sufficient security controls and best practices are not implemented. The size of a container image is just a fraction of the size of a VM image. While this helps users to share and distribute images much more easily and freely, this increases the risk of malicious code creeping into it. This calls for special actions in securing and verifying the images. An additional serious security risk arises when one considers the number of many pre-built container images that are available online from sources such as the Docker Hub. While it’s great to see developers take advantage of these pre-built images, this increases the risk of getting infected with malicious software.
• Additional Attack surface: Though the essential piece to run containers is the container runtime, often a Container Engine and Container Orchestration Engine are required to manage and orchestrate the lifecycle of containers. This adds additional attack surface. These security risks need to be assessed thoroughly and mitigated appropriately. 
• Ephemeral nature of Containers: A container environment is often prone to frequent and rapid scaling out and in. Often the container orchestration engine decides the best possible node to place new containers. Hence containers are highly ephemeral in nature, due to which traditional security solutions simply aren’t equipped to handle containers. 

Overcoming the security challenges posed by Containers:

A holistic look at the complete container environment is essential in order to implement effective security controls. To begin with, we will need to break down the container environment into a layered stack. This way it becomes easy to visualize the different components in a layered model and define security controls to be applied in each layer. Let’s look at a reference container security stack of a typical container environment.

• Host Security: The Host is the machine in which containers run. The host has to be security-hardened to provide production-grade security. GRSEC & PAX Linux kernel security patches, AppArmor & seccomp security profiles for Docker, SELinux policies for Docker are some techniques recommended for Containers on Linux hosts.
• Container Runtime Security: Containers should not be run in privileged mode. If privileged containers are required, then user namespace mapping should be employed. Containers should be run with only the required capabilities and with resource limitation.
• Network Security: Both internal and external traffic of a Container environment should be secured via TLS. Certificates and Private Keys need to be backed up securely and rotated frequently. Traffic between containers should be isolated using techniques like policy-based network firewall.
• Hypervisor-based Containers: Containers indeed provide production-grade isolation and security. If use cases require VM-like isolation and Security, Hypervisor based Container solutions need to be used. Hyper Containers, Kata Containers and vSphere Integrated Containers are few options.
• Container Orchestration Engine Security: Orchestration Engines like Docker EE, Kubernetes, Mesos etc. provide several in-built security mechanisms, tools and add-ons. One should have a thorough understanding of these security features in the Orchestration Engine. These security features should be leveraged to the maximum to provide the right balance of security and functionality required in the container environment. For instance, Kubernetes has a security feature called “Network Security” using which it is possible to allow or block traffic between two different containers.
• Image Security: In a container environment, the container image is the most vulnerable attack surface. Malicious code can easily creep in, if proper security mechanisms are not implemented. Using images from trusted providers, using certified images, using digitally signed images, Security scanning of images, protecting the image registry with RBAC etc. need to be implemented. Docker Security Scanning, Aqua’s Continuous Image Assurance, BlackDuck Docker Security are some of the solutions available for Security Scanning of Images

Container Platform: Security Reference Architecture

Let’s take a look at the security reference architecture of a typical container platform. After securing the Container platform itself, it’s time to look at how to easily manage the lifecycle of the security controls implemented in the Container platform. Depending on specific use cases and security requirements, additional components/layers might need to be added.

• Access Control: Access Control is the layer that authenticates and authorizes users and applications, access to the Container platform. Essential pieces in this layer include IAM (Identity and Access Management), AD/LDAP (Storing User Identities) and Certificate/Key Management. Users/Applications should be authorized to access only specific resources within the container platform and to perform only the required actions on those resources, meaning RBAC should be implemented by default. A whitelist based approach is recommended, so users/applications will have least privileges by default.
• Security Operations: The Container platform should be constantly monitored to ensure applications do not misbehave. Typically, the monitoring solution should keep track of resource consumption at node, application and container levels and should be able to automatically construct acceptable profiles/patterns. Any deviation from these patterns should be dealt with by appropriate actions. The container platform also generates events for various actions performed within the platform (both manual and automatic actions). These events should be captured and analyzed by the monitoring solution. The Logging solution should be capable of collecting, storing and correlating logs from different containers running in the container platform. Logs are a valuable source of fine-grained insight into what’s going on inside the container platform. These logs should be analyzed using ML based analytics engines. Such analytics engines are nowadays part of the logging solution itself. Auditing solution ensures the Container platform and the operations performed in it, comply to accepted organizational policies.

Conclusion:

Undoubtedly, Containers are highly secure constructs. Over the years, the security posture of containers has increased tremendously. If you understand your security requirements and concerns well, and use the right security controls, tools and solutions, you can rest assured to have built a highly secure container platform.