X

How safe are your containers?

Shutterstock

It’s often our biggest strength that is also our greatest weakness, and so it is in the case of containers. While containerization allows for the “elastic” deployment of software, it also makes for an inconsistent surface to monitor for irregularities and a much bigger territory to defend. A lot of the risk involved with using containers stems from the actual advantages they’ve been built around, for example their ability to be spun up or down instantly make them almost impossible to traditionally assess for risk. Containers share operating systems and use only the bare minimum resources needed to run applications, which is why, led by Docker, they are such hot property right now. A common concern however, is the fact that containers share the same OS without a hypervisor. Another common concern is that some platforms like Docker allow users to pull prebuilt images from public repositories, which can expose networks to a number of threats and vulnerabilities.

According to Forrester Research, 31 percent of enterprise IT organizations had deployed containers as part of their cloud operations. We can’t hear enough about containers and how they’re the next big thing and the future of application deployment and so on and so forth. What we also hear about a lot is that storage and security are the two main concerns for enterprises looking to shift to containers, and as far as security goes, it’s still very much a work in progress. As container adoption proceeds at the current pace, a lot of challenges with regards to security are being addressed as and when they pop up.

Containers: New technology needs new security

The whole buzz behind containers can largely be credited to the remarkable improvement in performance when containers, microservices architecture, and DevOps come together in that winning combination like the one Netflix has going on. The problem is that unlike VMs that are relatively easy to secure because they normally exist for a couple of weeks and can be periodically scanned, containers are a whole different ball game and can exist for a few minutes or even a few seconds.

The short lifespan associated with containers, along with the ability to instantly be created or destroyed, are two more key benefits that backfire in terms of security because they cause a lack of visibility. This is why containers can’t be effectively scanned with traditional scanning tools. New tools and resources are slowly being developed with many open source projects, and startups, cloud vendors, and Docker itself stepping up to the challenge. Today, we have a wide range of security tools that cater to every aspect of the container lifecycle. While the rapid adoption rate of container architecture and additional security resources being advertised have increased people’s faith with regards to how secure containers are, they may not be as secure as we would like to think.

Speed vs. security

With high adoption there’s always a rush to be the first man on the moon, and security is something that often comes as an afterthought once the summit has been crossed. A Linux kernel vulnerability called the “dirty cow” was discovered last year that grants access to Linux-based container deployment systems and was apparently hanging around for close to nine years. While a fix has been released and no major attacks on container deployments have occurred, it’s a really new technology and it’s important to assume that hackers will find a way because they always do.

People are expecting containers to take over and VMs to go extinct. A lot of organizations are investing in containers and once hooked, they usually expand pretty quick. This is when security often gives way to ambition until it’s too late or the time has come to fix a problem that could have or should have been avoided in the first place.

DevSecOps is the key

There is a lot of talk about how DevOps is outpacing security, so adding the “Sec” to “DevOps” is becoming a necessity. Organizations continue to struggle with containers because traditional security approaches aren’t built around security from the ground up, which is where DevSecOps comes into play. Organizations need to change their approach to security by integrating vulnerability scanning right into the heart of the DevOps cycle. In this way each container can be scanned throughout the stages of its short life to ensure a hundred percent detection of vulnerabilities.

Making sure that Sec keeps up with DevOps is an idea that’s slowly catching on. A lot of DevOps teams are integrating security into their workflows from the ground up. Being actively involved in networking and infrastructure security is part of that task, and it’s a task that’s only going to get bigger if not done right. Since containers are still young and are only going to grow in numbers and popularity, it’s crucial that security isn’t siloed away and that organizations recognize and address the need for a new security approach, which is to make security very much a part of every process.

Think like your opponent

A great way to test for vulnerabilities is to think like a hacker, and in some cases even hack yourself. That’s what Netflix does with software that actually goes into their system and randomly shuts off critical systems and functions so everyone is always prepared for such an eventuality. This is also popular among developers as a way to test code and make sure that all services can function and survive independent of each other.

It’s important to adapt to your enemies’ fighting style. Since containers like to come and go quickly, to protect them it’s important to have security solutions that can keep up with them in the first place. In the case of network defense, a platform that uses SDN can use more powerful tools to secure a system like Calico, for example. SDNs also make it possible to segment the network traffic into different users, teams, applications, and environments, which makes for much better overall security and threat identification.

Eat, breathe, and sleep security

The very ephemeral nature of containers make them the ultimate unit of deployment, but that is also exactly what’s challenging our traditional security practices. It’s no longer about running scans every time a reminder goes off, but rather about actively looking for ways that your own system can be breached at every stage of your workflow. Making security everyone’s business not only makes sure that everyone is educated about security, but also equips everyone for a breach eventuality as well. A simple mistake like opening a webpage controlled by an attacker can be used to gain root access to the Linux VM through a technique called host rebinding. A well-informed employee would realize the error and be able to alert the necessary teams to react before much damage has been done.

Containers are a lot safer today than they were a year ago, and they’re getting safer by the minute. It’s important to remember, however, that hackers are getting better, too. It’s through constant diligence and making security a part of your life that high security levels are actually achieved. Additionally, when security is fun and interesting and challenging, each vulnerability is rejoiced as a learning experience, which is exactly the kind of attitude you need.

Photo credit: Shutterstock