A CISO’s Guide to Container Security: Understanding Vulnerabilities & Best Practices
Written By: Aditya Gujar
Many companies hit the accelerator on their digital transformations in 2020, introducing new apps and services to enable remote work, improve supply chains, and handle other disruptions caused by the pandemic.
Many of those apps were deployed in containers. In a recent Portworx survey, one-third of respondents said that more than 60 percent of their new apps in the past year were containerized. Containers offer many advantages over traditional virtualization. However, they also introduce significant security risks. Without a strategy to mitigate containerization security risks, companies may experience problems that interfere with operations, impact revenue, and hurt the bottom line. With a solid strategy, CISOs can ensure that their companies get the most business benefits out of containerization while minimizing the risks that come with it.
Rewards – and Risks – of Containers
IT departments are embracing containers for several reasons. They are smaller, faster, and more portable than virtual machines — requiring fewer system resources, taking up less physical space on the server, and starting in just seconds rather than the minutes VMs require to boot up. Containers with various applications can run on the same server without conflicts, again saving resources and reducing the need for IT hardware.
Containers are by design “cloud-enabled,” and so are easy to move on or off premises, to run apps in private, public, or multi-cloud platforms. These features result in increased agility and efficiency in developing and deploying apps, which enables companies to create and deliver new products and applications to their customers faster and at lower costs than ever before. In short, containerization has become a key to modern, cloud-based IT strategies that speed innovation and create substantial competitive advantage.
But IT managers are worried about container security. In a 2020 survey of 400 IT professionals by Stackworx, 90 percent admitted their organization had a container-related security incident in the previous 12 months. In fact, 44 percent said they had delayed putting apps into production because of security concerns about containers or Kubernetes. Their very agility and portability create container security vulnerabilities, specifically:
The proliferation of containers expands the number of attack surfaces for cybercriminals.
The availability of containers in repositories can lead IT to (mistakenly) assume a container’s validity and security.
The multiple layers of the stack — orchestration, containerization platform, individual containers — present more chances for misconfiguration and other lapses in security measures.
The Stackworx survey found that misconfiguration of containers was common, and hackers look for misconfigured containers to exploit. In January 2021, criminals breached improperly configured Docker containers — IT had failed to password-protect their management API ports. The hackers installed crypto-mining software and stole Amazon Web Services server credentials. This instance illustrates not only the problem of misconfiguration but also the failure to effectively isolate containers. Although platforms like Kubernetes offer network segmentation features, IT does not always use them. The result: the entire IT infrastructure of a business is put at risk.
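The setting behind the incident above is the Docker daemon's own listener configuration. As an added example (not code from the article), the Python below audits a daemon.json for a management API reachable over plain TCP or bound to every interface, and accepts only a listener protected by TLS with client-certificate verification. Both daemon.json samples and the certificate paths in them are constructed for illustration; the keys inspected (hosts, tls, tlsverify) are the ones Docker documents for daemon.json.

```python
"""Audit a Docker daemon configuration for an exposed management API.
Added example, not code from the article; the daemon.json content and
certificate paths are constructed. Only the documented daemon.json keys
"hosts", "tls" and "tlsverify" are inspected."""
import json
from urllib.parse import urlparse

# Constructed sample: local socket plus an API listener on every interface,
# with no TLS configured at all.
EXPOSED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "log-driver": "json-file"
}
"""

# Constructed sample of the corrected setting: remote access only on the
# loopback interface, TLS with mandatory client-certificate verification.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Bind addresses that mean "every interface" (None covers "tcp://:2375").
ANY_ADDRESS = {None, "", "0.0.0.0", "::"}


def audit_docker_daemon(config: dict) -> list:
    """Return (severity, message) findings for one parsed daemon.json."""
    findings = []
    tls = bool(config.get("tls", False))
    tlsverify = bool(config.get("tlsverify", False))  # tlsverify implies tls in dockerd

    for host in config.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local and permission-gated
        where = f"{url.hostname or '*'}:{url.port}"
        if tlsverify:
            pass  # encrypted and every client must present a certificate signed by the CA
        elif tls:
            findings.append(("HIGH", f"{where}: TLS without client verification; any client that can connect is accepted"))
        else:
            findings.append(("CRITICAL", f"{where}: plain TCP, no encryption or authentication; API access is equivalent to root on the host"))
        if url.hostname in ANY_ADDRESS:
            findings.append(("HIGH", f"{where}: API bound to all interfaces"))
    return findings


def audit_daemon_json(text: str) -> list:
    """Parse a daemon.json document and audit it."""
    return audit_docker_daemon(json.loads(text))


if __name__ == "__main__":
    for label, blob in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(blob) or "no findings")
```

Run against the file a host actually uses (commonly /etc/docker/daemon.json) the check is only half the picture: a `-H tcp://...` flag on the dockerd command line or in a systemd unit overrides the file, so the same audit should be applied to the running process's arguments as well.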
In addition, established enterprises in the midst of digital transformations may try to containerize decades-old legacy applications, many of which were designed before cloud existed and some of which still run on mainframes. These can be mission-critical, revenue-producing systems, so transitioning them to containers carries an especially high security risk. There may be architectural patterns that are not cloud-friendly. There could also be a lack of institutional knowledge about how the applications work because they were designed so long ago.
Container Security Best Practices
A sound security strategy should cover the entire container life cycle, including development, operations, testing, and security in a fast, iterative, and continuous integration and development pipeline. Given how fast containers and the cloud operate, DevOps and security teams must come together to introduce security as early as possible. Indeed, container security should ensure sourcing known trusted images, managing access, integrating regular security and penetration testing, and continuously protecting the underlying infrastructure. Key features of an effective strategy include:
Verification of containers. Require that the IT department verify the security of containers, even those from well-known, trusted sources. (Regularly scan to detect insecure Dockerfiles/images.) Hackers have been known to create malicious containers and place them in known repositories.
Use network segmentation to isolate elements of your IT infrastructure and prevent a container breach from proliferating.
Document each container, including source, function, and location. Because of their portability and ease of use, as well as the speed at which containerization is proliferating, IT departments can easily lose track of containers. That can be a nightmare if there is a breach.
Institute procedures that routinely lock down each level of the environment, including operating system, containers, and orchestration software. Regularly patch and update at every level.
Maintain good security practices regarding access — configure accounts based on least-privilege principles.
Require regular penetration tests.
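Three of the practices in this list (verifying image sources and scanning Dockerfiles, pinning what gets built, and least-privilege accounts) can be checked mechanically before an image is ever built. As an added example, not code from the article or from any project it names, the Python below performs those static checks on a Dockerfile: base images must come from an allowlisted registry and be pinned by tag and digest, remote content must not be pulled in with ADD at build time, and the final stage must set a non-root USER. The registry allowlist, both Dockerfiles and the all-zero digest are constructed placeholders.

```python
"""Static checks on a Dockerfile for trusted, pinned base images, no remote
content fetched at build time, and a non-root final user. Added example,
not the article's or any project's code; the registry allowlist and both
Dockerfiles are constructed."""
import re

# Assumption: the organisation's own allowlist of image registries.
TRUSTED_REGISTRIES = {"docker.io", "registry.example.internal"}

# Constructed: floating base tag, remote script pulled at build time, runs as root.
RISKY_DOCKERFILE = """\
FROM python:latest
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN sh /tmp/setup.sh && \\
    rm /tmp/setup.sh
COPY . /app
CMD ["python", "/app/main.py"]
"""

# Constructed: internal registry, version tag and digest pinned, non-root user.
HARDENED_DOCKERFILE = """\
FROM registry.example.internal/python:3.12@sha256:{digest} AS base
COPY --chown=app:app . /app
USER app:app
CMD ["python", "/app/main.py"]
""".format(digest="0" * 64)  # placeholder digest, not a real image


def logical_lines(text):
    """Yield (line_no, instruction) with backslash continuations joined and comments dropped."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start = no if start is None else start
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def parse_image_ref(ref):
    """Split 'registry/name:tag@digest' into (registry, name, tag, digest); registry defaults to docker.io."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry = first  # a leading component with a dot or port is a registry host
    else:
        registry, rest = "docker.io", ref
    name, colon, tag = rest.rpartition(":")
    if not colon:
        name, tag = rest, None
    return registry, name, tag, digest


def scan_dockerfile(text, trusted=TRUSTED_REGISTRIES):
    """Return (severity, line_no, message) findings; line 0 means the file as a whole."""
    findings, stages, user = [], set(), None
    for no, line in logical_lines(text):
        inst, _, args = line.partition(" ")
        inst, tokens = inst.upper(), args.split()
        if inst == "FROM":
            ref = next(t for t in tokens if not t.startswith("--"))
            if "AS" in [t.upper() for t in tokens]:
                stages.add(tokens[-1])
            user = None  # conservatively treat each new stage as root until USER is set
            if ref in stages or ref.lower() == "scratch":
                continue  # references to earlier stages and the empty image are not pulled
            registry, _, tag, digest = parse_image_ref(ref)
            if registry not in trusted:
                findings.append(("HIGH", no, f"base image {ref} is from non-allowlisted registry {registry}"))
            if tag in (None, "latest"):
                findings.append(("MEDIUM", no, f"base image {ref} has no version tag; builds are not reproducible"))
            if digest is None:
                findings.append(("LOW", no, f"base image {ref} is not pinned by digest; a tag can be re-pointed upstream"))
        elif inst == "USER":
            user = tokens[0].split(":")[0]
        elif inst == "ADD" and re.search(r"\bhttps?://", args):
            findings.append(("MEDIUM", no, "ADD pulls remote content at build time; copy a checked-in, checksum-verified artifact instead"))
    if user is None or user in ("root", "0"):
        findings.append(("HIGH", 0, "final stage runs as root; add a USER instruction"))
    return findings


if __name__ == "__main__":
    for label, text in (("risky", RISKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, scan_dockerfile(text) or "no findings")
```

A check like this belongs in the CI stage that builds the image, so a Dockerfile that fails it never produces an artifact; it complements, rather than replaces, scanning the built image for vulnerable packages.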
While instituting an effective containerization security strategy is crucial, CISOs may need to “sell” security to the C-Suite. In fact, inadequate investment in container security was a top concern in the Stackworx survey. CISOs should emphasize to their CEOs and boards of directors the importance of IT security — including containerization security as the company speeds up its digital transformation. They should highlight the cost of a breach in money, time, and reputational damage. IBM Security estimated the average cost of a security breach in 2020 at $3.9 million. Numbers like that will help CISOs get more attention to, and more budget for, containerization security.
If you’re interested in learning more about operating smoothly in the cloud or would like to speak to an advisor about your containerization strategy, you can learn more or schedule a meeting here.
Aditya is a senior security consultant with a deep specialization in application, network, and container security. His practice focuses on the testing of a wide range of targets including the cloud, containers, and applications.