While containers and microservices keep gaining popularity among developers, it's no wonder the interest in container security best practices has also grown. Container-based architecture comes with a series of advantages: portability, a light footprint, easy maintenance, and scalability, but it also raises specific security challenges.
Compared to virtual machines, containers are more resource-efficient and agile. Unlike running apps directly on the OS, they offer better flexibility and security. Also, thanks to platforms like Kubernetes, they are really simple to manage.
The adoption of containers in business has not only risen over the past 10 years but continues to grow. It is now clear to everybody that the benefits containers offer outweigh the security risks they involve.
"Write once, run anywhere" is a dream come true for developers. But we all know how living your dream can be a risky business. So, before we get to that must-have best practices checklist for container security I've promised to reveal, let's make a short detour. We need to get more familiar with the enemy and the potential threats they might bring.
Common Risk factors in Container Security
- Container Malware – Threat actors can deploy malicious software at various times throughout the container lifecycle. Containers are, after all, packaged software, and can be, like any software, infected with malware.
- Container Images – Always check the source of the image you decide to deploy. Threat actors can publish on Docker Hub just as well as any legitimate developer, and an infected container could spread malware to other containers too.
- Container Registries – Take care to store your container images safely. Public registries are a fast and easy solution, but private ones are usually safer. Always prefer a private registry to store sensitive data.
- Container Runtime Environment – If you configure containers to run in privileged mode and give them access to sensitive data, this can lead to data leakage. Keep monitoring network traffic and cut off any insecure communication.
- Poorly guarded container privileges – Basic authentication and authorization measures should not be neglected, yet they do get overlooked. That has allowed threat actors to gain access to sensitive information or even take control of the whole console.
- The pipeline as a target – If threat actors spot any CI/CD misconfigurations, be sure they will exploit any vulnerability that gives them access to the databases used throughout the pipeline.
After going over the most common risk factors that could impact a container system, it's time to make sure you take the proper action to keep your containers protected from malware, data leakage, and DDoS attacks.
Container Security Best Practices Checklist
1. Secure your images
When you are not creating the image from scratch and you decide to use base images from an external container registry, make sure the images you choose are safe and check image signatures. Use the open-source tool Notary to verify signatures.
Getting them from famous repositories like Docker Hub does not necessarily mean you're safe. Anyone can upload images to Docker Hub, and threat actors know and use this technique to spread malware. Storage is equally important. Although it sure is more expensive and time-consuming, private storage spares you the risk of tampering, if you do it well.
When including an application within the container image, reduce the attack surface by removing any items the app doesn't need to work properly. You can remove the "sed" and "awk" binaries, for example. Scanning containers for vulnerabilities is also a must.
2. Secure Registries
For starters, make sure your team only uses safe images. Use privileged access control measures if you work with a private registry to restrict interaction possibilities. Prevent any unauthorized parties from accessing or publishing images in your registry.
But containers may become vulnerable due to a variety of factors, including software inside the container, interactions with the host OS and other containers, networking and storage setups, etc.
So, scan images for vulnerabilities continuously or at least periodically. Even if you carefully chose vulnerability-free images, they could at some point get infected, and you'll want to know as fast as possible when this happens.
3. Design immutable containers
Shell access to images, which developers often leave enabled so they can make fixes in production, can also be used by threat actors to inject malicious code. You can avoid this by creating immutable containers that cannot be modified.
Patching, rebuilding the image, or redeploying the container are safer ways for your application update needs. You can always redeploy the previous image if you need to revert changes.
Keep in mind that due to the immutable nature of containers, data persistence is affected. Always make sure you avoid losing databases by using storage solutions outside the containers.
4. Apply the principle of least privilege
Reduce the attack surface by designing unconnected virtual networks for your containers, in order to enhance isolation. We strongly recommend you only permit connectivity between containers when there really is no other way around it.
As with many other cybersecurity topics, following the principle of least privilege is a must.
Communication security is gold, so treasure your privacy. Use Transport Layer Security (TLS) to encrypt the data you communicate and avoid hackers getting their hands on your passwords.
5. No privileged containers unless absolutely necessary!
Do not allow any of your containers to run in privileged mode unless you have no other choice. A container running in privileged mode has access to all components on the host. If it gets compromised, it will grant hackers access to the server.
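Checklist items 1, 3, 4 and 5 translate into concrete settings in a Kubernetes Pod spec. The audit below is an added example, not code from this article or from Heimdal; the `audit_pod` helper is hypothetical, both Pod specs are constructed, and the image digest is a placeholder.

```python
# Added example: audits a Kubernetes Pod spec against checklist items 1, 3, 4 and 5.
# Hypothetical helper, not part of the article; the specs below are constructed.

def audit_pod(pod: dict) -> list:
    """Return a list of findings; an empty list means the spec passes."""
    findings = []
    spec = pod.get("spec", {})
    # Sharing host namespaces widens the blast radius of a compromised container
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod enables {key}")
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        # 1. Secure your images: a tag can be re-pushed, a digest cannot
        if "@sha256:" not in image:
            findings.append(f"{name}: image not pinned by digest ({image})")
        # 3. Immutable containers: the root filesystem must be read-only
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        # 4. Least privilege: non-root user, no escalation, all capabilities dropped
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: may run as root")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}: privilege escalation allowed")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: not all capabilities dropped")
        # 5. No privileged containers
        if sc.get("privileged"):
            findings.append(f"{name}: runs in privileged mode")
    return findings

# Constructed sample specs: a typical "it works" Pod and its hardened counterpart
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "hostNetwork": True,
    "containers": [{"name": "web", "image": "example/web:latest",
                    "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "containers": [{"name": "web",
                    "image": "example/web@sha256:" + "0" * 64,  # placeholder digest
                    "securityContext": {
                        "privileged": False, "runAsNonRoot": True,
                        "readOnlyRootFilesystem": True,
                        "allowPrivilegeEscalation": False,
                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "OK")
```

The same checks are what an admission policy would enforce cluster-wide; running them on manifests in CI catches the weak settings before deployment.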
6. Monitor Container Activity
The "need for speed" does not only mean high productivity but also requires professional monitoring. With new images and versions being deployed constantly, things can get out of control rapidly. If anything goes wrong, you will want to know as soon as possible. This way you might have a chance to stop the infection before it spreads to all the other containers.
Monitoring containerized apps and microservices architectures involves gathering metrics and keeping tabs on their condition. Monitoring tools allow you to identify unusual behaviors and remediate the issue on the spot.
Use container-native monitoring tools to keep a keen eye on the container engines, the workloads running in containers, the networking processes, and master nodes. DNS filtering allows you to spot any traffic spikes or weird traffic flows.
7. Ensure the security of the host OS
Use minimalist host operating systems, designed for running containers only. If all unnecessary functionality is removed, the attack surface will be much smaller than that of a "normal" OS.
The usual good practices work here too: implement user authentication, set access roles, and specify permissions for binary file access. Use egress filtering to detect signs of malicious activity.
One more good idea is to run the container engine in kernel mode and the containers in user mode.
8. Use an orchestration platform
Orchestration platforms offer you automated management of your container environment, with deployment, scaling, and networking included. They also come with native security capabilities, so using platforms like Kubernetes, Azure AKS, Google GKE, Amazon EKS, etc. can provide both role-based access control (RBAC) and secure API endpoints.
How Can Heimdal® Help Maintain a Healthy Container Environment?
Applying best practices in container security includes not only securing the host operating system, enforcing privileged access management, or scanning for vulnerabilities. Monitoring communication traffic is a vital step in securing containers. Working with systems that employ hundreds or thousands of containers makes the automation of processes mandatory.
Heimdal® Threat Prevention detects emerging and hidden cyber threats, inhibits cyberattacks that standard antivirus software overlooks, and blocks data leaks. It blocks malicious domains and prevents communication with cybercriminal infrastructure by scanning the traffic of your users in real time.
Heimdal® DNS Security Solution
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
Wrap Up
Container security might seem a complicated business, as risk factors are literally everywhere. With container environments bringing together thousands of items running apps at a tremendously fast pace, keeping things under control can be overwhelming. So make sure you are ready to face the challenges that will arise by enforcing container security best practices and using professional security tools.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.