A Sneak Peak of what you can expect in this blog.
- Why we need containerization and the history behind it
- Understanding the Security Challenges in Containerization
- Top 5 Known Risks and possible Solutions
- Best Practices – Recommended by NIST
Why we need containerization and the history behind it
Before looking into the container security, let’s see the history behind the container technology and why it’s popular among the IT organizations.
- To develop & deploy any application like YouTube, Spotify, Quora they need to host it to a public server like Amazon Web Services(AWS) which provides cloud hosting services with their ‘data centers’.
- But these web best online video hosting platforms & services, not able to cope up with heavy OS usage like Windows, Linux or MacOS.
- Next, virtualization concept was soon adopted by many companies where each application has its own virtual machine that isolates and organizes multiple applications on the same hardware.
- But, there were many pitfalls when using a virtualization like memory wastage, ie., even if your application is only 500 MB, the VM may be allocated upto 1 GB size, where the rest of the size cannot be allocated to new VM and thus wasted. Several other disadvantages like slow to boot, size and difficulty in integrating with other tools made it lose its glory.
Containers, on the other hand, is currently the hot technology that is seen widely in several deployments. These are basically ready applications, a running instance of the Docker image. Docker image is a blueprint or a template that helps to create multiple Docker containers. These helps to deploy the applications with same configurations quickly.
That is, whenever a developer builds an application he need not worry about the testing or production environment, as these will be deployed without any version mismatch or loss of time. Also, there exists few in-built free docker images like Ubuntu in the Docker Hub. Docker Engine, is the most popular container engine in today’s time.
Understanding the Security Challenges in Containerization
As and when a new technology is introduced, new challenges also becomes an inevitable part in order to implement them successfully. Likewise, Container security also comes with its own risks which we will be covering in this section briefly and some of the strategies that will help to solve them.
“According to Tripwire Study conducted in 2018, at least 87% of the global organizations have deployed containerization, out of which 60% of them faced container security breaches”
Top 5 Known Risks and Possible Solutions
Challenge 1: Unsecured network traffic & uncontrollable communication between Containers
As Communication between the containers is a key benefit to quickly deploy any applications on the fly, there is a high risk of security issues as well while implementing inter-communication of containers.
Because as the number of containers & microservices can scale up to large numbers in a dynamic environment, eventually it leads to an uncontrollable chaos from unpredictable attacks. It increases the risk of disclosing too much of unwanted data to other containers.
Implementing Kubernetes – a container orchestration and management devops tools helps to streamline the network control. For example, Kubernetes follows a Pod-Pod communication in which the containers are aligned to Pods with certain network policies & determine which communication paths are absolutely necessary for the application to function. Also encrypting the Docker registries with TLS security protocol will help to protect the network traffic.
Challenge 2: Using Unverified Images
Images are useful to reuse the components and build the containers quickly without having the necessity to build a docker image from scratch. But, no image is fool-proof from vulnerabilities and need to be scanned and checked regularly.
Downloading the container images from trusted sources is the best approach. Each image should go through vulnerability scans with certain image policies. For instance, if an image is not gone through a scan for more than 60 days, then it should be deleted right away. Also, each container image should have a digital signatures for all the data sent and received from Docker registries remotely.
Challenge 3: Privileged Flag – a friend or foe to Container Security!
Just like a premium customer who has a lot of advantages and easily gets access to many features of a product, similarly a container with a privileged flag has all the functionalities equal to a host system. This automatically poses a huge threat when a container with privileged flag is hacked, then the destruction due to it would be immense.
Eradicating the privileged flag concept completely is the best bet. This will ensure there is no room for attackers to gain access to any of the host devices. But, the Devops developers can use additional security by using CAP ADD and CAP DROP functions to fine tune the container security.
Challenge 4: Isolating the Docker Containers is a crucial step
To increase the security of a docker container, isolating the applications, between a host and the applications are extremely important step to ensure the host access is restricted from unverified users. But, more often these containers are not properly isolated from the host due to many misconfigurations that takes place at various levels.
Keeping the Host’s network namespace and Host’s process namespace confidentially prevents from any kind of malicious attacks. If the host network name is shared then there may be a risk of shutting down the entire Docker host.
Challenge 5: Difficulty to monitor the Container activities while its up and running
In any given dynamic container environment, monitoring closely the container processes within hours or minutes is highly impossible. Using multiple containers at the same time, identifying which container is running and analyzing which processes are aligned to that container is a tedious job.
Restricting the number of process is one way to mitigate this risk. Docker provides two functions , as discussed earlier in this section, CAP ADD – where the linux adds the capabilities that are only necessary for a container to run and CAP DROP – where the Linux deletes the capabilities that are not required to run the process or unnecessary capabilities. Also, you can set PID limits that restricts the number of containers to run at a time.
Container security Tools
Here’s a list of security toolset which helps to implement the containerization technology into any business model seamlessly.
- Anchore tool are used to analyze the container images and evaluate them using custom policies.
- Dagda tool can be used to scan for vulnerabilities and other malwares in docker containers.
- Grafaes tool which is developed by IBM and Google, helps to create your own container security scanning projects. Shopify uses it to manage 500,000 container images.
- Many Devops services use specific tools like Cilium to monitor the network connectivity.
Best Practices – Recommended by NIST
One of the divisions of the US Department of Commerce, National Institute of Standards and Technology has come up with container security standards and best practices for embracing a secured containerization process.
- Make sure that Containers use images only from a trusted container registries and the access to these registries should be encrypted with proper authorization and credentials.
- Container orchestration tools like Kubernetes, follows certain methods to make sure that single orchestration manages multiple applications effectively. Hence, NIST suggests to configure the orchestration in such a way that it separates the low-sensitive workloads from the high-sensitivity workloads so that accessing the sensitive data can be prevented at large level.
- End-end encryption should be practised between the cluster nodes with authorized access among the cluster members.
- Orchestrator must introduce nodes to the cluster in a secure way and remove the ones which are compromised to protect the cluster security.
As predicted by Gartner, by 2020 almost 50% of the organization will be using Docker containerization technology. Hence before winding up there are key takeaways from this blog, which you find in the below checklist to ensure that your business uses a safe containerization technology to have a successful Devops implementation.
Keep this list handy and cross check while deploying a container security solution for your application.
- Are the Docker images not scanned for more than 60 days?
- Are any of the containers running under privileged flags?
- Did you find any high-vulnerability images? If so, in which container they reside?
- Are there any Pod which do not comply to the network policies and permits all communication without any restrictions?
- Are the docker images we are using are coming from a trusted source?
- Name the clusters, namespace and nodes in Docker and Kubernetes which do not follow CIS benchmarks