Cisco Tech Blog CiscoTech Blog Close
Home Contact

Understanding and Applying Container Security

Author

Understanding and Applying Container Security 🔗︎

In a microservices architecture, maintaining container security at all stages is a primordial requirement and needs to cover many facets.

  • ‘‘‘The container’s inner components’’’ – a container contains images, imported or custom-created, common tools, compilers and RIBs, framework, and app code. Each of these components’ vulnerabilities needs to be managed at every step of the container’s lifecycle to ensure container security.
  • ‘‘‘The container’s communication system’’’ – a container interacts with the host’s operating system and with other containers on the same host. The container security is at risk if misconfigurations open vulnerabilities in the communication network.
  • ‘‘‘The container’s host operating system’’’
  • ‘‘‘The container networking’’’ – containers communication intra and inter clusters and with other external sources.
  • Configuring ‘‘‘Container Storage Interface’’’ to maintain security without impeding access
  • ‘‘‘The container’s security at run time’’’
  • ‘‘‘The container orchestration system’’’ consisting of escalated privileges access to the container via a set of APIs.

To understand the complexity of securing containers, the first step is to understand what a container is.

What is a Container 🔗︎

A container is a virtual “box” containing a piece of software and its dependencies (e.g., libraries, system tools, code, registries, etc., and, most importantly, for container security, settings and policies.) Containers address several issues faced by developers when deploying applications. Thanks to their simple packaging, they accelerate application development and deployment, increase scalability, facilitate a generalization of management, reduce environmental dependencies, and support microservices. Microservices are critical to accelerate the integration of business demands in applications and provide the flexibility that enables the rapid integration of app updates. That flexibility is essential to rapidly adapt an app to evolving specifications emanating from an organization’s business side and provides fast reaction time ideal to optimize business adaptability to fluctuating market conditions and customers’ or users’ unfolding preferences. But this new eco-system means that DevOps and security teams now share the responsibility of ensuring container security.

Understanding the Elements of Container Security 🔗︎

Running an app in a containerized environment implies a complete rethinking of the former security perimeter defending monolithic applications. Without this security perimeter, what are the threats to container environments?

Threats to Container Build Environment 🔗︎

When building a container, whether with an original or an imported image, DevOps need to ensure that:

  • No malicious or unintentional source code changes are taking place
  • The automation of the container building system is free of alteration
  • Configuration for the runtime deployment and access privileges are free of errors that might expose credentials
  • All runtime codes have been scanned

Threats during Runtime 🔗︎

Communication between containers and between containers and external data sources, vendors, operating system, etc., are fraught with risks, and navigating between the need for flexibility and the need for tightening container security policies requires comprehensive mapping of the access rights to the operating system and host resources, as well of continuous monitoring to catch existing and emerging vulnerabilities.

Threats to the Operating System Security 🔗︎

A single misconfigured container can jeopardize the entire OS. Managing access privilege is a key factor in tightening container security and shielding the OS from unwanted exploits introduced when managing the container’s access to subsets of resources.

Threats from Orchestration Manager Misconfiguration 🔗︎

As the container technology evolved, orchestration managers, such as the now undisputed market leader Kubernetes, emerged to tackle communication between containers, and between containers, OS, and external resources.

Kubernetes orchestration manager bundles containers in pods, themselves organized in clusters interacting in an on-premise, cloud, multi cloud or hybrid environment. Ensuring container security requires taking into account all the moving parts of a container lifecycle, from build stage to connectivity during deployment and runtime.

Applying Comprehensive Security for Containers 🔗︎

Given the built-in intricate complexity of orchestration managers, opting for a container security solution is the most effective option. A comprehensive container security solution covers all the elements needed to configure and monitor the security for containers and provides an easy interface enabling rapid detection and mitigation of emerging vulnerabilities before they can be leveraged by malicious actors. A typical Kubernetes environment will have several clusters (e.g., dev, testing, prod, finance …) distributed across environments. The first step to managing communication between these environments effectively is to have a clear picture of the communication between these components, both architecturally and in detail.

Comprehensive Kubernetes Visibility Comprehensive Kubernetes Visibility

Container vulnerability management Container vulnerability management

What defines whether a connection is established or not is defined by rules and policies that must be configured at every level and every stage, for example, configuring pod policies (aka PSP). These indicate whether the right security profile is associated with the container to enable connection or deployment.

Container Security Policy Advisor Container Security Policy Advisor

Especially in a hyper-connected containerized environment, monitoring each workload, connection, event, and namespace at all times is an essential aspect of ensuring container security. Ideally, monitoring tools provide an at-a-glance evaluation of each component’s risk, including the presence and severity of identified threats and vulnerabilities, whether at deployment or runtime.

Runtime Deployments Runtime Deployments

For each element, an in-depth analysis of the detected risk coupled with immediate access to remediation tools complete the components of an optimal container security solution.

Runtime Deployments Runtime Deployments

New Policy Connection Rule New Policy Connection Rule

Cisco Cloud Native Security Solution bakes in container security from in the CI/CD build process, at deployment and runtime, in every pod, cluster, and environment, including service mesh security.

Read more about: 🔗︎

[[https://www.portshift.io/blog/k8shield-mitre-attck-framework/|Protection from Multiple Attack Vectors]] [[https://www.portshift.io/blog/can-you-detect-kubernetes-runtime-vulnerabilities/|Detecting Runtime Vulnerabilities]] [[https://www.portshift.io/blog/kubernetes-multi-cluster-service-mesh/|Securing a multi-cluster service mesh]] Or check our guide on how to Implement Kubernetes Security