(Source: LeoWolfert/Shutterstock.com)
Containerization technologies such as Docker let or lets companies deploy services and applications much faster than using traditional processes. Instead of deploying and configuring a full-featured operating system and your desired application you can simply download and launch a Docker image of that application and often begin using it in minutes. Docker is portable, which means you can run the same image on workstations running Linux, Windows, or Mac. For example, DevOps engineers typically create and test a new service via a Docker image on their own Mac or Windows workstation before uploading it to its destination in production. They can count on similar behavior whether the image is running on their workstation or in a production environment hosted from a cloud service provider.
After you have downloaded and installed Docker, you can use it right away. Using the Docker commands, you can specify a registry (a collection of software in the form of Docker images) and then download the Docker image of a specific application and launch it. The Docker image is a very small, purpose-built file that typically includes only the bare minimum files to enable the application. For example, instead of using the Ubuntu Linux distribution, an image might be built using a distribution with a smaller footprint, such as Alpine-Linux. Typically, only the essentials are included, which makes the image much smaller. This also has the desirable side effect of likely being more secure because less code and packages often results in a smaller surface area for attackers to exploit.
Larger environments will often use orchestration software such as Kubernetes to manage their container environment. Kubernetes helps manage the scaling and deployment of containers based on defined business logic. Service mesh and microservice architectures also play important roles in designing and supporting scalable cloud-based applications. A service mesh coordinates network traffic between different services and can act as a load balancer between services. A service mesh can also provide additional security capabilities such as encryption and authentication between interconnected services. Deploying applications as microservices in containers means that each service (for example, a user account management service and a shopping cart service) is built and hosted independently. Coupled with Kubernetes and a service mesh, a company can rapidly spin up or destroy containers depending on real-time demand of their application.
Protecting these technologies relies on similar security principles as securing traditional networks and services but does require a slightly different approach and technologies that understand how containers operate. Let’s review the tools and processes to secure and manage these new technologies and prevent gaps in your container defenses.
Containers are deployed using images that are read-only files which define the behavior of the container. Often you will download an image from an external registry (like docker hub) or more advanced users will create their own. Images are typically based on a very lightweight footprint operating system top of which is installed a specific application (such as Nginx or MySQL). Before deploying a container, ensure the image is secure by scanning it for vulnerabilities using a container- and image-aware vulnerability scanner. When you detect a vulnerability in an image, update the image and redeploy the containers. Using a traditional vulnerability scanner (such as Nessus) might not work well in containerized environments because the target containers can come and go as load changes and IP addresses are often re-used in a service mesh or overlay network architecture. In other words, the results of scanning a network range can differ day to day and correlating findings could be difficult.
Containerized architectures rely on new technologies and it remains important to inventory these objects and their dependencies to secure them appropriately. This is not necessarily different in principle than taking a traditional inventory of your IT resources that include servers, applications, and network configurations such as subnets and access control lists. However, the constructs between a traditional IT environment and a containerized environment often differ. Important objects to inventory in a containerized environment include which images are used, the containers running, nodes running Docker that host the images, all the services and applications running in the environment, and network groups that restrict access to these objects.
Understanding the container image build file is important to securing the container. The image build file describes all the software used in the image and on the container. Often these image build files are based on other image build files and it is important to know these layered dependencies. Consider deploying only trusted images from a private registry to ensure that you have full control over the deployment cycle. Inspect the image build file to look for and remove secrets and unwanted or vulnerable software. Look for tools that are able to measure a baseline of acceptable performance across your containers and able to alert on variance from these norms. Some container security products will define models of expected runtime behavior and alert on variance from these models, such as whether a container communicates with a new host or installs a new package that the model has not seen before.
Logging events and collecting important telemetry across your containerized environment helps spot anomalous behavior. Look for container-aware tooling that can inspect network connections to your containers. Because of the ephemeral and dynamic nature of your containers traditional approaches such as static rules based on IP address might not work as well. Logging activity is an important component of runtime protection. Look to software that can measure what normal operation looks like as a baseline and then alerts on variants including what happened immediately before and after the event. Many container security solutions analyze and present log-data forensics views useful to follow up on possible incidents.
Containers are quickly becoming a popular standard in cloud computing. They are relatively quick and easy to introduce into an environment, but traditional security tools and processes might not recognize these technologies. Be sure to understand how containers work so that when they come to your environment you'll be prepared and avoid a black hole in your environment that could bring you unwanted risk.
Jeff Fellinge has over 25 years’ experience in a variety of disciplines ranging from Mechanical Engineering to Information Security. Jeff led information security programs for a large cloud provider to reduce risk and improve security control effectiveness at some of the world’s largest datacenters. He enjoys researching and evaluating technologies that improve business and infrastructure security and also owns and operates a small metal fabrication workshop.
