Containerization is a high priority for a variety of reasons; Accessibility, Robustness and furthermore Security. Take a gander at the containerization focus; separate environments per transaction, limited life span of a container, visibility of container requirements at run-time, reuse of hardened base images, and continuous testing and validation prior to production environment. Simply put, in order to implement this properly, and an organization must embed security by design from the start, but also carry this through into the run-time of the containers.
Consider the current visibility you have within your organization, is the network flat or has the network been logically separated through solutions such as: VLANs, firewalls, trust zones, subnets, and routing rules? Are there firewalls implemented between and on end devices, limiting services/applications from communicating without prior validation, does deep packet inspection happen between trusted zones, on devices, and/or as data leaves the network? Has the network been designed to consider containers? The most likely scenario is, a few of these options exist, but in varying degrees of maturity.
While Denial-of-Service (DoS) attack aren’t hacking, they can cause an incident and impact the technology infrastructure, possible loss of availability of assets, when say the host running your containers goes down. Further still, can a malicious actor use this, as a way to manipulate a container to take more resources than it should, and ultimately impact the other containers sharing the same host?
We know security by design is embedded from the start, both implementing robust security focused solutions and a security mindset, some considerations technicians can begin with are looking at:
- Reuse: Secured/hardened base images that have been validated against use and stress tested, build code to be reused, which requires not hard coding in secrets.
- Reduce: Access that a container can gain when at run-time, do they require that authority? Can you set a cap of resources and time to live?
- Remove: Unneeded packages, no longer required infrastructure (i.e. images no longer being used, transactions no longer going to be run and containers no longer going to be called), and always validate the integrity of third-party scripts that are being referenced.
As already we have mentioned before, without visibility within your security infrastructure and without awareness of the transactions, containerization can be a massive black hole of security concerns. This is because at the speed of containers called and then killed, it is almost impossible without a baseline and automated monitoring that the operations teams would be able to keep up with the environment and possible incidents.
That said, however, what are some aspects to consider that organizations should put in layering controls in order to maximize their security posture with the velocity of containerizations?
Containerization: Containers And Their Runtime Security Challenges
Security Of Your Containers: Visibility
Traditionally networks were looked at as hard exterior and soft interior, because the malicious actors are on the outside right? While we know the majority of breaches are coming from external actors, 70% is according to the 2020 Verizon Data Breach Investigation Report; the reality remains a focus on “deterring them out” will only mean when they do “get in” there’s little in the way of mitigating their attack.
Imagine an incident where stolen credentials are used, which inevitably might not just mean that the malicious actor has gained access, they use an authenticated account to do so. What about when a phishing email is sent, and seemingly legitimate actions mean an insider is actually assisting that external malicious actor, say by providing them remote access – then, while not the traditional view of an “insider attack”, it is nevertheless making use of legitimate accounts to do something unexpected.
When it comes to containerization, short lived environments, still need to be protected, and to undertake this, we need to understand what is expected i.e. the baseline, compared to what is currently happening. This can be executed through things like trust zones, limited communications like firewalls, deep packet inspection to validate what is going on.
Security Of Your Containers: Effective Alerting
When we comprehend what is happening, we can then ‘alert’ on the unexpected. There are solutions out there, such as PathSolutions’ TotalView, additional to the configured alerts includes a menu called Gremlins – which identified unusual activity for that interface at that time. That’s how we should be considering a holistic security program, identify known signatures of malicious actors/attacks, identify ‘normal’ i.e. baseline of typical activities and alerting on anomalous, highlight/investigate the gremlins.
Security Of Your Containers: Training And Expertise
Any time an innovative solution is implemented, it is vital the operations teams have provided training. Adapting the concept of how infrastructure works, from persistent to short-lived environments, is a major change that not only requires security controls and training, it requires reviewing the life-cycle approach and architecture.
As you can imagine, there are different skill sets involved here. Considering your team trained up by experts, such as certification programs and technology focused, i.e. Kubernetes? Review Kubernetes Security white papers, conduct training and make use of existing bench-marking resources, using Docker? Take Docker specific security training. Another gigantic layer to this is having a mentorship program to ensure team members maintain people to seek help.
Containerization: Layered Controls, Even The Seeming Minuscule
One issue we have realized working within the security industry is quite a silly belief that nothing less than perfection is beneficial – reality is, the majority of attacks are opportunistic. To avoid being breached means embedding secure foundations, and working on continuous improvement to be more difficult than the next company or target.
While it is precise to say something like a vulnerability scanner isn’t absolutely sublime, this and other controls designed to provide holistic coverage within your environment will enhance the program.
Also implement security policies and groups for automated application to containers, and automate as much as possible on the security side to keep up with requirements. Just because containers are short lived, doesn’t mean their impact is – making use of logging and monitoring, with an appropriate retention policy is another significant part of the security posture.